Closed Saeven closed 6 years ago
Test case still required
Marco Pivetta
On Tue, Jan 23, 2018 at 5:44 PM, Alexandre Lemaire <notifications@github.com> wrote:
The CSRF is a bit naive, assuming that it is receiving a string, and not an array. Most penetration tests start with malformed input, and arrays cause this validator to throw an Array to string conversion error.
Reproducing the problem is simple. Craft a form that includes a CSRF Filter, and modify your post to send CSRF as an array. e.g.,
```http
POST /login HTTP/1.1
Content-Length: 142
Content-Type: application/x-www-form-urlencoded
Referer: http://foo.com
Cookie: PHPSESSID=s3r0icn96iqstvsrpkae3n2sta; lastRoute=register; locale=en_US; lastPageVisited=http://foo.com/login; __cfduid=d815a2363ab50c616e80627e0ca5834a81516720789
Host: foo.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: */*

axis=1&csrf[]=576ae4642376a2904866a504f395c75ab04205df5b1df8e0bbd999f6e6746c73&email=sample%40email.tst&password=g00dPa%24%24w0rD&remember=on
```
The CSRF filter should report a validation failure when an array is pushed in, and not crap out.
You can view, comment on, or merge this pull request online at:
https://github.com/zendframework/zend-validator/pull/212
Commit Summary
- Update Csrf.php
File Changes
- M src/Csrf.php https://github.com/zendframework/zend-validator/pull/212/files#diff-0 (6)
Patch Links:
- https://github.com/zendframework/zend-validator/pull/212.patch
- https://github.com/zendframework/zend-validator/pull/212.diff
Yep sorry, forgot to check it in. Done.
Hm, some tests in this branch (untouched) were failing already. Need fixing? Timezone tests.
Thanks, @Saeven!
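A minimal illustration of the behaviour the PR description asks for, added here as an example; it is not code from zend-validator or from this PR, and the class and function names are assumptions made for the illustration. It contrasts a string-assuming comparison, which trips the "Array to string conversion" warning when PHP parses `csrf[]=...` into an array, with a check that rejects any non-string value as a plain validation failure before touching it. The token and form fields are taken from the request in the report.

```php
<?php
declare(strict_types=1);

// Added example; not zend-validator's Csrf class. Names are assumptions.

// The naive shape: casting an array to string emits "Array to string
// conversion" (a notice on PHP 7, a warning on PHP 8). A framework error
// handler that promotes notices/warnings to exceptions turns that into a
// hard failure instead of a clean validation result.
function naiveCsrfCheck($value, string $expected): bool
{
    return (string) $value === $expected;
}

final class StrictCsrfCheck
{
    public const NOT_STRING = 'csrfNotString';
    public const MISMATCH   = 'csrfMismatch';

    /** Token stored server-side when the form was rendered (assumed to live in the session). */
    private string $expected;

    /** @var array<string, string> */
    private array $messages = [];

    public function __construct(string $expected)
    {
        $this->expected = $expected;
    }

    /**
     * @param mixed $value raw value from $_POST['csrf']; may be anything the client sent
     */
    public function isValid($value): bool
    {
        $this->messages = [];

        // Type guard first: arrays, ints, null and objects are all invalid tokens.
        // Nothing below may touch $value until it is known to be a string.
        if (!is_string($value)) {
            $this->messages[self::NOT_STRING] = 'CSRF token must be a string';
            return false;
        }

        // Constant-time comparison so a mismatch does not leak how much of the prefix matched.
        if (!hash_equals($this->expected, $value)) {
            $this->messages[self::MISMATCH] = 'CSRF token does not match';
            return false;
        }

        return true;
    }

    /** @return array<string, string> */
    public function getMessages(): array
    {
        return $this->messages;
    }
}

// Constructed inputs: the two request bodies parsed the way PHP builds $_POST.
$token = '576ae4642376a2904866a504f395c75ab04205df5b1df8e0bbd999f6e6746c73';
parse_str('axis=1&csrf=' . $token . '&email=sample%40email.tst', $stringBody);
parse_str('axis=1&csrf[]=' . $token . '&email=sample%40email.tst', $arrayBody);

$check = new StrictCsrfCheck($token);

// Well-formed submission: both checks agree that the token is valid.
var_dump($check->isValid($stringBody['csrf']));
var_dump(naiveCsrfCheck($stringBody['csrf'], $token));

// Malformed submission (csrf[]=...): the strict check fails with a message and
// no diagnostic; the naive one emits the conversion warning on its way to false.
var_dump($check->isValid($arrayBody['csrf']));
print_r($check->getMessages());
var_dump(naiveCsrfCheck($arrayBody['csrf'], $token));
```

Run it with `php example.php` and compare the two malformed-input calls: the strict check returns false and reports `csrfNotString`, while the naive one prints the "Array to string conversion" diagnostic first. In a validator whose internals pass the value on to string functions (splitting out a token id, looking up a session key), the `is_string` guard belongs at the very top of `isValid()`, before any of those calls, so that malformed input can never reach them.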