albrechtjan / workload

Survey web application for TU Dresden
survey.zqa.tu-dresden.de
GNU Affero General Public License v3.0

REST API IS CSRF-VULNERABLE #57

Closed KonstantinSchubert closed 8 years ago

KonstantinSchubert commented 9 years ago

Because the CSRF token is not passed with the REST API's POST/GET/UPDATE/.. request in the request url, all these urls are vulnerable to CSRF attacks.

KonstantinSchubert commented 8 years ago

I will fix this simply by requiring the "User-Agent" to be set to "Workload_App_Android_CSRF_EXCEMPT"

KonstantinSchubert commented 8 years ago

Fixed in commit https://github.com/KonstantinSchubert/workload/commit/932689ae545f1115555f10d859e7d07b34780ca1
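The thread above describes two things: REST endpoints that accepted state-changing requests without a CSRF token, and a fix that requires a specific `User-Agent` value from the native app. The following is an added example, not code from this repository or from the commit linked above. It models the two admission paths side by side: a simplified double-submit token comparison for browser clients (the cookie and form-field names `csrftoken` / `csrfmiddlewaretoken` follow Django's defaults; that this project uses Django is an assumption), and the required `User-Agent` string quoted in the thread for the app client. The sample requests are constructed for the demo; the function name `is_request_csrf_safe` is hypothetical.

```python
import hmac
import secrets

# Value quoted in the issue thread; the project's real check may differ.
REQUIRED_APP_USER_AGENT = "Workload_App_Android_CSRF_EXCEMPT"

# Methods that must not change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_csrf_token() -> str:
    """Generate a fresh, unguessable CSRF token to store in the session cookie."""
    return secrets.token_urlsafe(32)


def _lower_keys(mapping: dict) -> dict:
    """HTTP header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in mapping.items()}


def is_request_csrf_safe(method: str, headers: dict, cookies: dict, form: dict) -> bool:
    """Decide whether a request may pass CSRF protection.

    A state-changing request is admitted when either:
      * it carries the native-app User-Agent value (the fix applied in the thread;
        a cross-site HTML form or fetch() cannot set this header), or
      * the CSRF token in the session cookie equals the token submitted in the
        form field or the X-CSRFToken header (double-submit comparison).
    A bare cross-site form POST carries the cookie (browsers attach it) but has
    no way to read it, so it cannot supply a matching token and is rejected.
    """
    if method.upper() in SAFE_METHODS:
        return True

    hdrs = _lower_keys(headers)

    # Native app path.
    if hdrs.get("user-agent") == REQUIRED_APP_USER_AGENT:
        return True

    # Browser path: the submitted token must match the cookie token exactly.
    cookie_token = cookies.get("csrftoken")
    submitted = form.get("csrfmiddlewaretoken") or hdrs.get("x-csrftoken")
    if not cookie_token or not submitted:
        return False
    # Constant-time comparison avoids leaking token bytes through timing.
    return hmac.compare_digest(cookie_token, submitted)


def run_demo() -> dict:
    """Evaluate a few constructed requests and return the decisions by label."""
    token = issue_csrf_token()
    browser_ua = {"User-Agent": "Mozilla/5.0 (constructed)"}
    return {
        # Read-only request: no token needed.
        "get_survey": is_request_csrf_safe("GET", browser_ua, {}, {}),
        # Cross-site form POST: cookie present, token absent -> rejected.
        "cross_site_post": is_request_csrf_safe(
            "POST", browser_ua, {"csrftoken": token}, {"answer": "3"}),
        # Legitimate same-site form POST with matching token -> allowed.
        "same_site_post": is_request_csrf_safe(
            "POST", browser_ua, {"csrftoken": token},
            {"csrfmiddlewaretoken": token, "answer": "3"}),
        # Token mismatch -> rejected.
        "wrong_token_post": is_request_csrf_safe(
            "POST", browser_ua, {"csrftoken": token},
            {"csrfmiddlewaretoken": issue_csrf_token()}),
        # Native app identifying itself with the required User-Agent -> allowed.
        "app_post": is_request_csrf_safe(
            "POST", {"user-agent": REQUIRED_APP_USER_AGENT}, {}, {"answer": "3"}),
    }


if __name__ == "__main__":
    for label, allowed in run_demo().items():
        print(f"{label:18s} {'allowed' if allowed else 'rejected'}")
```

The token comparison uses `hmac.compare_digest` rather than `==` so that the decision time does not depend on how many leading bytes of a wrong token happen to match.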