Issue: FINDING-060 - OAuth State Parameter Not Bound to User Agent Session (Login CSRF)
Labels: bug, security, priority:high, asvs-level:L2
ASVS Level(s): [L2-only]
Description:
Summary
The OAuth state parameter is generated with cryptographic randomness but is not bound to the specific user-agent (browser session) that initiated the flow. Any HTTP client possessing a valid state value can complete the callback, regardless of whether it was the same user agent that initiated the authorization request. This enables Login CSRF attacks where an attacker can trick a victim into completing the attacker's OAuth flow, logging the victim in as the attacker.
Details
Affected Files and Lines:
src/asfquart/generics.py:47-93 - OAuth flow without session binding
The state parameter validates CSRF but is not bound to the initiating session, allowing cross-session completion.
Recommended Remediation
Bind the OAuth state to the user-agent using a short-lived cookie:
# During login initiation
nonce = secrets.token_hex(16)
state = hashlib.sha256(nonce.encode()).hexdigest()
# Store nonce with state
pending_states[state] = {
'nonce': nonce,
'created': time.time(),
'redirect': redirect_to
}
# Set cookie
response = quart.redirect(oauth_url)
response.set_cookie(
'oauth_nonce',
nonce,
max_age=workflow_timeout,
secure=True,
httponly=True,
samesite='Lax'
)
# During callback
cookie_nonce = request.cookies.get('oauth_nonce')
if not cookie_nonce or state_data['nonce'] != cookie_nonce:
raise ValueError("OAuth state not bound to session")Acceptance Criteria
References
- Source reports: L2:10.1.2.md, L2:10.2.1.md
- Related findings: FINDING-061, FINDING-062
- ASVS sections: 10.1.2, 10.2.1
Priority
High
Issue: FINDING-060 - OAuth State Parameter Not Bound to User Agent Session (Login CSRF)
Labels: bug, security, priority:high, asvs-level:L2
ASVS Level(s): [L2-only]
Description:
Summary
The OAuth state parameter is generated with cryptographic randomness but is not bound to the specific user-agent (browser session) that initiated the flow. Any HTTP client possessing a valid state value can complete the callback, regardless of whether it was the same user agent that initiated the authorization request. This enables Login CSRF attacks where an attacker can trick a victim into completing the attacker's OAuth flow, logging the victim in as the attacker.
Details
Affected Files and Lines:
src/asfquart/generics.py:47-93- OAuth flow without session bindingThe state parameter validates CSRF but is not bound to the initiating session, allowing cross-session completion.
Recommended Remediation
Bind the OAuth state to the user-agent using a short-lived cookie:
Acceptance Criteria
References
Priority
High