
Never Underestimate CSRF: Why Origin Reflection is a Bad Idea

What's this blog post about?

Whistle, a popular HTTP debugging proxy with over 14k stars on GitHub, has a reported security vulnerability caused by a CORS misconfiguration that can lead to a full system compromise. The vulnerability was discovered through SonarQube Cloud's code analysis and was reported to the Whistle maintainer in June 2024. Despite an initial fix attempt, the issue remains unpatched as of the latest version of Whistle (2.9.90). The bug allows attackers to exploit a Cross-Site Request Forgery (CSRF) vulnerability by tricking a victim into visiting a malicious webpage, which can then execute arbitrary system commands on the victim's machine. The maintainer stopped communicating with the reporters after initial patches were suggested, leaving users vulnerable. A detailed analysis of the vulnerability and its impact is presented in this blog post, highlighting the importance of investigating security hotspots raised by code analysis tools like SonarQube Cloud.

Company
Sonar

Date published
Dec. 10, 2024

Author(s)
Paul Gerste

Word count
1782

Language
English

Hacker News points
None found.


By Matt Makai. 2021-2024.