SasanLabs / VulnerableApp

OWASP VulnerableApp Project: For Security Enthusiasts by Security Enthusiasts.
https://sasanlabs.github.io/VulnerableApp/
Apache License 2.0

Adding CSRF vulnerability #433

Closed Zgzorx closed 1 year ago

Zgzorx commented 1 year ago

Issue: https://github.com/SasanLabs/VulnerableApp/issues/329

We (@AlexisOsmont and I) are applying a few changes to the unmerged_csrf branch:

  • Using httpOnly and Secure cookies on level 3 and higher
  • Using SecureRandom instead of random

Is there anything else needed?

preetkaran20 commented 1 year ago

> Issue: #329
>
> We (@AlexisOsmont and I) are applying a few changes to the unmerged_csrf branch:
>
>   • Using httpOnly and Secure cookies on level 3 and higher
>   • Using SecureRandom instead of random
>
> Is there anything else needed?

Yes, there are multiple changes required in this. In level 1 and level 2, we are not using any cookie for session management. Also, the thought is to store the password in the database and also show it on screen. Once the user logs in using username and password from the UI, create a cookie with a session ID. Now, ask the user to fill in a new password and change the password for the user; this change-password functionality will have the CSRF vulnerability. Watch https://www.youtube.com/watch?v=hW2ONyxAySY&ab_channel=TroyHunt and https://www.youtube.com/watch?v=ULa4yLI36PE&ab_channel=admiralgaust for more information about it.
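The flow preetkaran20 describes (login with username and password, session cookie, then a change-password form that is CSRF-vulnerable at levels 1 and 2 and protected at level 3 and higher) can be sketched as one self-contained Java class. This is an added illustration and not code from VulnerableApp or from this PR; the class, method and field names, the `JSESSIONID` cookie name, the form field names `newPassword` and `csrfToken`, the in-memory maps standing in for the database, and the `SameSite=Strict` attribute (the thread only mentions `HttpOnly` and `Secure`) are all assumptions. Session IDs and tokens come from `SecureRandom`, as the branch already does.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

/**
 * Hypothetical change-password flow, two variants (added example, not VulnerableApp code).
 * Levels 1-2: the handler accepts any request that carries a valid session cookie, so a
 * cross-site form submission, which the browser sends with the cookie attached, is accepted.
 * That is the CSRF weakness the PR is meant to add.
 * Level 3+: the handler additionally requires a per-session synchronizer token that a
 * cross-site page cannot read, and the cookie is issued HttpOnly and Secure.
 */
public class ChangePasswordCsrfDemo {
    private static final SecureRandom RNG = new SecureRandom(); // SecureRandom, not java.util.Random

    private final Map<String, String> passwords = new HashMap<>();  // username -> password (stand-in for the DB table)
    private final Map<String, String> sessions = new HashMap<>();   // session id -> username
    private final Map<String, String> csrfTokens = new HashMap<>(); // session id -> CSRF token (level 3+ only)

    /** A request as the handler sees it: the cookie the browser attached plus the form fields. */
    record Request(String sessionCookie, Map<String, String> form) {}

    static String randomToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Set-Cookie value for the session cookie; level 3+ adds the protective attributes. */
    static String sessionCookieHeader(String sessionId, int level) {
        String header = "JSESSIONID=" + sessionId + "; Path=/";
        if (level >= 3) header += "; HttpOnly; Secure; SameSite=Strict";
        return header;
    }

    void register(String user, String password) { passwords.put(user, password); }

    /** Login: on correct credentials mint a session id and, at level 3+, a CSRF token. Returns null on failure. */
    String login(String user, String password, int level) {
        if (!Objects.equals(passwords.get(user), password)) return null;
        String sid = randomToken();
        sessions.put(sid, user);
        if (level >= 3) csrfTokens.put(sid, randomToken());
        return sid;
    }

    /** The token the server would embed as a hidden field in the change-password form. */
    String csrfTokenFor(String sid) { return csrfTokens.get(sid); }

    /** Change-password handler. Returns true if the password was changed. */
    boolean changePassword(Request req, int level) {
        String user = sessions.get(req.sessionCookie());
        if (user == null) return false; // not logged in
        if (level >= 3) {
            // Synchronizer token check: the only difference between the weak and the hardened handler.
            String expected = csrfTokens.get(req.sessionCookie());
            if (expected == null || !constantTimeEquals(expected, req.form().get("csrfToken"))) return false;
        }
        String newPassword = req.form().get("newPassword");
        if (newPassword == null || newPassword.isEmpty()) return false;
        passwords.put(user, newPassword);
        return true;
    }

    static boolean constantTimeEquals(String a, String b) {
        if (b == null || a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }

    String passwordOf(String user) { return passwords.get(user); }

    public static void main(String[] args) {
        for (int level : new int[] {1, 3}) {
            ChangePasswordCsrfDemo app = new ChangePasswordCsrfDemo();
            app.register("alice", "initial"); // constructed sample account
            String sid = app.login("alice", "initial", level);
            System.out.println("level " + level + " Set-Cookie: " + sessionCookieHeader(sid, level));
            // A cross-site submission carries the cookie (the browser adds it) but cannot include the token.
            Request forged = new Request(sid, Map.of("newPassword", "forged-value"));
            System.out.println("  cross-site change accepted: " + app.changePassword(forged, level));
            // The legitimate form carries the token the server rendered into the page.
            Map<String, String> legit = new HashMap<>(Map.of("newPassword", "user-chosen"));
            if (level >= 3) legit.put("csrfToken", app.csrfTokenFor(sid));
            System.out.println("  legitimate change accepted: " + app.changePassword(new Request(sid, legit), level));
        }
    }
}
```

Running `main` shows the cross-site submission accepted at level 1 and rejected at level 3, while the legitimate form succeeds at both levels. `HttpOnly` and `Secure` on their own do not stop CSRF (the browser still attaches the cookie to a cross-site POST); what blocks it here is the token check, with `SameSite=Strict` as a second layer, so a level design that keeps the cookie attributes but omits the token would still be CSRF-vulnerable.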