GitLab

SUMMARY:

Post requests can be submitted automatically in javascript for some forms from any site and are automatically authenticated if the user was logged in at any point in the browser session and has not logged out (or been timed out).

Banana awards allow arbitrary html (including script tags onto the page).

PROOF OF WORK:

Tests were done on https://sucs.org/~elbows/sucssite/ . Users with banana privileges who had previously logged on to elbows sucs site (or had it open in another tab), who visited the url http://ninekaku.com/test [update: now offline, see comments] found a nearly empty page. In the background they had automatically awarded a user called "test" -3 bananas and given as the reason javascript url redirection back to the page http://ninekaku.com/test

SUGGESTED FIX:

Randomly generate a token when the page is loaded and make that part of the post request. If the wrong random string is submitted validation fails.

More details on prevention measures for this type of attack. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet