softwaremill / akka-http-session

Web & mobile client-side akka-http sessions, with optional JWT support
https://softwaremill.com/open-source/
Apache License 2.0

CSRF protection can be bypassed with empty header and empty cookie #74

Closed willemvermeer closed 4 years ago

willemvermeer commented 4 years ago

Hi, when you send a POST to an endpoint protected by randomTokenCsrfProtection and pass in an empty X-XSRF-TOKEN header and an XSRF-TOKEN cookie with an empty value, the filter will let you pass.

I think this is due to the check in randomTokenCsrfProtection on line 26: if (submitted == cookie) { pass }, but the value itself is not inspected and could possibly be empty.

Hope this can be fixed, thanks, Willem
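
The bypass described in the report, modelled as an added Python example (this is not the project's Scala code and not its actual fix in 0.5.11). It parses a constructed raw HTTP request, reproduces the weak double-submit comparison `submitted == cookie`, and shows a hardened check that rejects empty or short tokens and compares in constant time. The header and cookie names come from the report; `MIN_TOKEN_LEN`, `new_token`, `build_request` and the sample request are assumptions made for the example.

```python
import hmac
import secrets

HEADER = "X-XSRF-TOKEN"   # header name from the report
COOKIE = "XSRF-TOKEN"     # cookie name from the report
MIN_TOKEN_LEN = 32        # assumed minimum; the report gives no length


def parse_cookies(header_value: str) -> dict:
    """Split a Cookie header into a name -> value dict (keeps empty values)."""
    jar = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def parse_request(raw: str):
    """Return (headers, cookies) from a raw request; header names lower-cased."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = parse_cookies(headers.get("cookie", ""))
    return headers, cookies


def csrf_check_vulnerable(headers: dict, cookies: dict) -> bool:
    """Weak double-submit check: both values present and equal, content ignored.
    An empty header and an empty cookie satisfy "" == "" and pass."""
    submitted = headers.get(HEADER.lower())
    cookie = cookies.get(COOKIE)
    if submitted is None or cookie is None:
        return False
    return submitted == cookie


def csrf_check_fixed(headers: dict, cookies: dict) -> bool:
    """Hardened check: reject missing, empty or too-short tokens, then compare
    in constant time so the comparison itself leaks no timing information."""
    submitted = headers.get(HEADER.lower())
    cookie = cookies.get(COOKIE)
    if not submitted or not cookie:
        return False
    if len(cookie) < MIN_TOKEN_LEN:
        return False
    return hmac.compare_digest(submitted.encode(), cookie.encode())


def new_token() -> str:
    """Random CSRF token as the server would mint it (example helper)."""
    return secrets.token_urlsafe(32)


def build_request(header_token: str, cookie_token: str) -> str:
    """Constructed POST carrying the given header and cookie token values."""
    return (
        "POST /api/transfer HTTP/1.1\r\n"
        "Host: example.test\r\n"
        f"{HEADER}: {header_token}\r\n"
        f"Cookie: {COOKIE}={cookie_token}\r\n"
        "Content-Length: 0\r\n\r\n"
    )


# Constructed attacker request: both token carriers present but empty.
EMPTY_REQ = build_request("", "")

if __name__ == "__main__":
    hdrs, cks = parse_request(EMPTY_REQ)
    print("vulnerable check passes empty tokens:", csrf_check_vulnerable(hdrs, cks))
    print("fixed check passes empty tokens:     ", csrf_check_fixed(hdrs, cks))
    tok = new_token()
    print("fixed check passes a real token:     ",
          csrf_check_fixed(*parse_request(build_request(tok, tok))))
```

An attacker on another origin cannot read or set the victim's XSRF-TOKEN cookie, but can cause the browser to send a request with no token at all; the weak check only fails in that case because both carriers are absent, and a cookie that was never set or was cleared to an empty value collapses to the `"" == ""` case the report describes. Requiring a non-empty, sufficiently long value on the cookie side closes that gap.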

adamw commented 4 years ago

Fixed in 0.5.11. Thanks for the report!