CSRF vulnerability almost all forms #68
The User Edit Form has CSRF. Exploit request:

```http
POST /users/25/edit/ HTTP/1.1

first_name=Adam&last_name=Chan&username=adamchan&email=test%40test.com&role=ADMIN
```

CSRF while deleting an account. Exploit link: https://django-crm.micropyramid.com/accounts/123/delete/

It is of no use if the CSRF token is present in the cookie.

The CSRF token should be present in the form or in a custom header as well, and that CSRF token should be validated on the server side before the form is saved or something is deleted.
@abuvanth thanks for your observation; there is no chance of CSRF for auth-protected applications. CSRF is for something like contact forms, which do not need authentication to access. Read the "Am I Vulnerable To 'Cross-Site Request Forgery (CSRF)'?" section in the OWASP link you provided. There are very simple scripts we can execute in a terminal to get the CSRF token and send it back in no time. Thank you.
For example, the user creation form has no CSRF token validation, so an attacker can create their own account by sending a malicious link.
POC:
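As an added illustration of the server-side check described in the report (example code written for this page, not code from django-crm or either commenter): a framework-free Python model of the two views named above, each shown as reported and with the check added. It assumes a session store keyed by a `sessionid` cookie, a per-session token kept server-side, and Django's field and header names `csrfmiddlewaretoken` and `X-CSRFToken`; the request body is the one quoted in the report, and the user records and session store are constructed. The forged request carries the victim's session cookie, because the browser attaches cookies to cross-site form posts whether or not the user is logged in, but it carries no token, because the attacker's origin cannot read one; the hardened views reject it, and also refuse the delete link because a GET cannot carry the form token.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

EDITABLE = ("first_name", "last_name", "username", "email", "role")

# Constructed stand-in for the request object a view receives (not Django's HttpRequest).
@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    body: str = ""

    @property
    def POST(self):
        return {k: v[0] for k, v in parse_qs(self.body).items()}

# In-memory stand-ins for the session store and the users table (constructed data).
SESSIONS = {}
USERS = {25: {"username": "adamchan", "role": "USER"},
         123: {"username": "victim", "role": "USER"}}

def login(user_id):
    """Open a session and mint a per-session CSRF token; returns the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user_id": user_id, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def session_for(request):
    return SESSIONS.get(request.cookies.get("sessionid"))

def csrf_token_valid(request):
    """Synchronizer-token check: the token sent in the form body (csrfmiddlewaretoken)
    or in the X-CSRFToken header must equal the one stored server-side for this session.
    The browser attaches cookies by itself, so a token that travels only in a cookie
    says nothing about which page built the request."""
    session = session_for(request)
    if session is None:
        return False
    submitted = request.POST.get("csrfmiddlewaretoken") or request.headers.get("X-CSRFToken")
    if not submitted:
        return False
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())

def _apply_edit(request, user_id):
    USERS[user_id].update({k: v for k, v in request.POST.items() if k in EDITABLE})

def edit_user_vulnerable(request, user_id):
    """Login required, but the session cookie alone is trusted: forgeable cross-site."""
    if session_for(request) is None:
        return 403
    _apply_edit(request, user_id)
    return 200

def edit_user_fixed(request, user_id):
    """Same view, with the token validated before anything is saved."""
    if session_for(request) is None:
        return 403
    if request.method != "POST" or not csrf_token_valid(request):
        return 403
    _apply_edit(request, user_id)
    return 200

def delete_account_vulnerable(request, user_id):
    """State change on GET: a link or an <img src> on any page triggers it."""
    if session_for(request) is None:
        return 403
    USERS.pop(user_id, None)
    return 200

def delete_account_fixed(request, user_id):
    """Require POST (a GET cannot carry the form token) and validate the token."""
    if session_for(request) is None:
        return 403
    if request.method != "POST" or not csrf_token_valid(request):
        return 403
    USERS.pop(user_id, None)
    return 200

def forged_edit(sid):
    """What an auto-submitting form on an attacker's page looks like at the server:
    the victim's cookie is attached by the browser, no token is sent. Body as reported."""
    return Request("POST", "/users/25/edit/", {"sessionid": sid},
                   body="first_name=Adam&last_name=Chan&username=adamchan"
                        "&email=test%40test.com&role=ADMIN")

def legit_edit(sid):
    """A genuine submission of a form that was rendered with the session's token."""
    return Request("POST", "/users/25/edit/", {"sessionid": sid},
                   body=f"first_name=Adam&csrfmiddlewaretoken={SESSIONS[sid]['csrf_token']}")

def demo():
    sid = login(user_id=25)
    results = {}
    results["vuln_edit"] = (edit_user_vulnerable(forged_edit(sid), 25), USERS[25]["role"])
    USERS[25]["role"] = "USER"
    results["fixed_edit"] = (edit_user_fixed(forged_edit(sid), 25), USERS[25]["role"])
    results["legit_edit"] = (edit_user_fixed(legit_edit(sid), 25), USERS[25]["first_name"])
    link = Request("GET", "/accounts/123/delete/", {"sessionid": sid})
    results["fixed_delete"] = (delete_account_fixed(link, 123), 123 in USERS)
    results["vuln_delete"] = (delete_account_vulnerable(link, 123), 123 in USERS)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In a Django project the same check is what `CsrfViewMiddleware` performs when every form carries `{% csrf_token %}`; a view decorated with `csrf_exempt`, a template that omits the tag, or a state-changing action reachable by GET produces exactly the outcomes the vulnerable views above return.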