-
-
Notifications
You must be signed in to change notification settings - Fork 10.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[🐛] CSRF Issue #1421
Comments
Thanks a lot for opening your first issue with us! 🧡 We'll get back to you shortly! ⏳ If it was a Support Request, please consider asking on the community chat next time! 💬 |
That error path is only taken when you are not logged in. For the profile page the I'll try it later today or tomorrow as well to verify. |
I get the same behavior you describe, but in the HTML Editor I can see Did you try with an older browser to make sure it's not an issue similar to #1340? |
Please check if the attack is possible with an older browser version. I'll also add a note to the solution that this won't work with newer browsers. |
Same Issues with Chrome and Fireforx. Tried with opera 57.0.3098.91 (number taken by guess, relase date 06.12.2018 ) and get ERR_BLOCKED_BY_RESPONSE Thanks for confirming the issue ;) |
Yeah, maybe it's actually something fixed on the HTML Editor's side... I tried Firefix 59 (2018) and it also didn't work. Will try Firefox 31 (2015) next, and if that doesn't work, then maybe the challenge is actually broken. |
Ooookay, Firefox 31 was too old to run Juice Shop, but Firefox 50 did the trick. It successfully changes the username into |
Okay, Firefox 50 updated itself to 56, but the attack still works. It seems instead of the |
Triggers of solution of CSRF challenge on Origin or Referrer header not working. |
The notification is still missing on 12.0.1 even when the username is successfully changed via CSRF from the htmledit.squarefree.com site. |
But you are both using a sufficiently old browser, @Sybrid203 and @niloct? Which versions exactly, so we can try to reproduce it? |
@bkimminich |
@bkimminich @Sybrid203 installing firefox 50 did the trick. I spent more than an hour trying to make current Chrome/Firefox/Safari work on my mac. Latest Safari almost worked (can remove CORS block from Developer menu), it was missing a Perhaps if the app set this it could work ? I just gave up, but got the challenge accepted. |
This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs. |
🐛 Bug report
Description
While doing CSRF challenge (with or without 'solution' code) 2 errors are presented:
Error: Blocked illegal activity by ::ffff:127.0.0.1
Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client
Is this a regression?
Don't know
🔬 Minimal Reproduction
🔥 Exception or Error
🌳 Your Environment
Additional Information
Tried on
Chrome: 83.0.4103.116
FF: 77.0.1
The text was updated successfully, but these errors were encountered: