No CSRF protection was found on the authentication page. As a result, an attacker can supply their own access token to a user and force the user to be logged in as the attacker, or, alternatively, supply an invalid access token to log the user out.
As suggested in the Auth0 documentation, an unguessable value should be passed in the state parameter to prevent CSRF attacks. However, no such mitigation was found in the source code [4]. While a logout CSRF can only cause annoyance, a login CSRF lets the attacker observe the actions the victim performs while the victim believes they are using their own account. Furthermore, it can aid the exploitation of a self-XSS issue.
It is recommended to add the state parameter to prevent CSRF in the authentication process.
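The following is an added example of the recommended mitigation, written for this report and not taken from the audited application or from Auth0's own SDK: the state value is generated with a CSPRNG, bound to the user's session before redirecting to the authorization endpoint, and checked with a constant-time comparison on the callback. The Auth0 domain, client id and redirect URI are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders for illustration only; not values from the report.
AUTH0_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://app.example/callback"


def build_authorize_url(session: dict) -> str:
    """Start the login flow: mint an unguessable state, bind it to the
    caller's server-side session, and include it in the authorize request."""
    state = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG
    session["oauth_state"] = state     # tied to this browser session only
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
    }
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)


def validate_callback(session: dict, callback_url: str) -> str:
    """Finish the flow: accept the callback only if its state matches the
    one stored in the session. Returns the authorization code, or raises
    ValueError. The stored state is consumed even on failure, so a value
    can never be replayed and a forged callback cannot be retried."""
    expected = session.pop("oauth_state", None)
    qs = parse_qs(urlparse(callback_url).query)
    received = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    if expected is None or received is None:
        raise ValueError("missing state: no login was started by this session")
    if not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: possible login CSRF")
    if code is None:
        raise ValueError("callback carries no authorization code")
    return code


def callback_is_valid(session: dict, callback_url: str) -> bool:
    """Boolean convenience wrapper around validate_callback."""
    try:
        validate_callback(session, callback_url)
        return True
    except ValueError:
        return False
```

A callback delivered to a browser that never started the flow, or that carries a state minted for someone else's session, is rejected, which is exactly what blocks the forced-login and forced-logout scenarios above.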