digininja / DVWA

Damn Vulnerable Web Application (DVWA)
GNU General Public License v3.0

CSRF doesn't really make sense #622

Closed duraki closed 7 months ago

duraki commented 7 months ago

Having separate CSRF vulnerability implemented makes no sense in DVWA. Why is the whole DVWA vulnerable to CSRF anyhow? Shouldn't there be some kind of XSRF token applied in non-CSRF vulnerabilities and forms?

digininja commented 7 months ago

It is so that you can practice CSRF on its own as a standalone vulnerability. It is like asking why have standalone XSS, why not put it in the login form. I could, but then it would be harder to focus on the single lesson.

The rest of the app isn't protected because as well as having specific vulnerabilities in each section, the app as a whole is full of other "hidden" issues for you to find.
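As an added illustration of what the per-form protection duraki is asking about looks like when it is present, here is a minimal synchronizer-token implementation. This is not code from DVWA or from either participant; it is written in Python rather than DVWA's PHP so it runs stand-alone, and the in-memory session store, the hidden field name `csrf_token` and the simulated password-change handler are all constructed for the example.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store: session id -> session data.
# A real application would keep this server-side in its session backend.
SESSIONS = {}


def new_session():
    """Create a fresh session and return its id (the cookie value)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def issue_csrf_token(sid):
    """Return the session's CSRF token, generating it on first use.

    The token is unguessable and bound to the session, so a page on another
    origin cannot learn it without a separate bug such as XSS on this origin.
    """
    sess = SESSIONS[sid]
    if "csrf_token" not in sess:
        sess["csrf_token"] = secrets.token_urlsafe(32)
    return sess["csrf_token"]


def render_form(sid, action="/change_password"):
    """Render a state-changing form that carries the token as a hidden field."""
    token = issue_csrf_token(sid)
    return (
        f'<form method="post" action="{escape(action)}">\n'
        f'  <input type="hidden" name="csrf_token" value="{escape(token)}">\n'
        f'  <input type="password" name="password_new">\n'
        f'  <input type="submit" value="Change">\n'
        f'</form>'
    )


def validate_csrf(sid, submitted):
    """True only if the submitted token matches the session's token.

    Uses a constant-time comparison and treats a missing session, missing
    token or non-string value as a failure rather than raising.
    """
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(sid, form):
    """Simulated handler for the form above: (status, message)."""
    if not validate_csrf(sid, form.get("csrf_token")):
        return 403, "CSRF token is incorrect"
    # Only here is it safe to act on the request.
    return 200, "password changed"


if __name__ == "__main__":
    sid = new_session()
    tok = issue_csrf_token(sid)
    print(render_form(sid))
    # Legitimate submission from the rendered form succeeds.
    print(handle_post(sid, {"csrf_token": tok, "password_new": "x"}))
    # A cross-site form post arrives with the victim's cookie (sid) but
    # cannot include the token, so it is rejected.
    print(handle_post(sid, {"password_new": "x"}))
```

The check only holds if every state-changing endpoint performs it; leaving one form unprotected is exactly the kind of "hidden" issue the rest of DVWA deliberately contains, and a scanner that flags such forms is reporting the design rather than a false positive.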


duraki commented 7 months ago

I agree, it makes sense in this particular case. I just think that DVWA is used quite a lot "as a standard" during DAST/SAST benchmarking (and development of similar offsec tools), therefore these produce false positives and are reported during the analysis. Nevertheless, I understand your point, just wanted to share my personal view of it. Appreciated the response, and thanks for years of development @digininja.

digininja commented 7 months ago

Having humans try to contend with CSRF protections while also learning about SQLi would be a bit much.


duraki commented 7 months ago

Haha, absolutely. Let's deffo keep it this way.