seamustuohy
commented
7 years ago Mitigation Plan:
- 005: implement the Auth0 state parameter in redirects
Closed seamustuohy closed 5 years ago
seamustuohy
commented
7 years ago Mitigation Plan:
seamustuohy
commented
7 years ago Will be addressed by https://github.com/ASL-19/civicdr/pull/41
seamustuohy
commented
7 years ago Partially fixed. The login CSRF issue has been fixed as the state parameter is now implemented. The logout CSRF issue remains.
No CSRF protection was found on the authentication page. As a result, an attacker can supply his access token to a user and force the user to be logged in as the attacker, or, alternatively, supply an invalid access token to log the user out.
As suggested in the Auth0 documentation, an unguessable value should be applied to the state parameter to prevent CSRF attacks. However, no such mitigation was found in the source code 4 . While a logout CSRF can only cause annoyance, a login CSRF can aid the attacker to observe the performed actions if the victim believes they are using their own account. Furthermore, it can aid the exploitation of a self-XSS issue.
It is recommended to add the state parameter to prevent CSRF in the authentication process.