Open skattar1406 opened 6 years ago
➤ Justin Barnowski commented:
Here's an example: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)#Prevention_measures_that_do_NOT_work
➤ Justin Barnowski commented:
@philloooo
Since @jesuspguofc was asking about it. Read the link from March.
➤ Justin Barnowski commented:
https://github.com/uc-cdis/fence/pull/209/files#diff-feb6ac6f84a84b339e1cd1e1fc97e3daR193 ^ All I need to do to get around CSRF currently is have a header named Authorization; it doesn't even have to be valid.... Trivially bypassed.
Just read through this post. The end of that post has a good run-through in Java.
We are missing step 1, verifying the origin URL. And we should be able to glean the information from one/multiple of these
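The "step 1" source-origin check discussed above, as an added example that is not fence's own code: it validates the `Origin` header (falling back to `Referer`) against an allowlist of trusted origins, and deliberately ignores whether an `Authorization` header is present. `ALLOWED_ORIGINS` and the request dicts are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real app would load this from config.
ALLOWED_ORIGINS = {"https://app.example.org", "https://app.example.org:443"}

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_of(url):
    """Reduce a URL to scheme://host[:port], or None if it is not usable."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None
    origin = f"{parts.scheme}://{parts.hostname.lower()}"
    # Keep a non-default port so https://a:8443 does not match https://a.
    if port is not None and port != _DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin


def is_trusted_origin(headers, allowed=ALLOWED_ORIGINS):
    """Step 1 of the OWASP CSRF guidance: verify where the request came from.

    Prefer Origin; fall back to Referer. A missing header or "Origin: null"
    is rejected: absence of information is not evidence the request is safe.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    source = hdrs.get("origin")
    if source is None or source.strip().lower() == "null":
        source = hdrs.get("referer")
    if not source:
        return False
    origin = _origin_of(source)
    normalized_allowlist = {o for o in map(_origin_of, allowed) if o}
    return origin is not None and origin in normalized_allowlist


def csrf_check(method, headers, allowed=ALLOWED_ORIGINS):
    """Safe methods pass; state-changing methods need a trusted source origin.

    The presence of an Authorization header is intentionally not consulted:
    any page can add arbitrary headers, so it proves nothing about origin.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    return is_trusted_origin(headers, allowed)
```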