ASL-19 / civicdr-backend

GNU General Public License v3.0

CDR-01-005 Web: Login & Logout CSRF due to lack of state parameter #10

Closed seamustuohy closed 5 years ago

seamustuohy commented 7 years ago

No CSRF protection was found on the authentication page. As a result, an attacker can supply his access token to a user and force the user to be logged in as the attacker, or, alternatively, supply an invalid access token to log the user out.

As suggested in the Auth0 documentation, an unguessable value should be applied to the state parameter to prevent CSRF attacks. However, no such mitigation was found in the source code. While a logout CSRF can only cause annoyance, a login CSRF can aid the attacker to observe the performed actions if the victim believes they are using their own account. Furthermore, it can aid the exploitation of a self-XSS issue.

It is recommended to add the state parameter to prevent CSRF in the authentication process.

seamustuohy commented 7 years ago

Mitigation Plan:

seamustuohy commented 7 years ago

Will be addressed by https://github.com/ASL-19/civicdr/pull/41

seamustuohy commented 7 years ago

Partially fixed. The login CSRF issue has been fixed as the state parameter is now implemented. The logout CSRF issue remains.