This repository was archived by the owner on Oct 16, 2024. It is now read-only.
CSRF token should be invalidated after it's been used. This is externally reported and the tester is already aggravated because they slipped through the cracks in Bugcrowd's queue, so sticking with the 30-day timeline on this one would be really helpful.
CSRF token should be invalidated after it's been used.
Why? Even if the suggestion is designed to help mitigate the damage done by a leaked token, it seems somewhat arbitrary to recycle them on form submission. Also, keep in mind that a leaked token would be fairly difficult to make good on, because tokens are keyed to a particular open session.
Do we have anything else in place to prevent someone from automating signup? I'm concerned about the abuse potential.
The short answer is "yes", but I don't want to go into detail on a public forum. I think if you can connect up with Rhys, he should be able to give you some good background on the subject.
But anyway, CSRFs aren't going to help with signup abuse unfortunately. Is there another reason that this proposed change is thought to be good practice?
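The two policies being compared in this thread (a per-session token, which the maintainer argues already makes a leaked token hard to use, and a single-use token, which the reporter asks for) can be shown side by side. The following is an added illustration written for this page, not code from this repository: the session ids, the in-memory nonce store and the `CsrfStore` class are all assumptions, and the server secret is generated at import time purely for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed for the example; a real deployment loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)


class CsrfStore:
    """Issue and validate CSRF tokens under the two policies discussed above.

    Every token is bound to a session id by an HMAC over (session_id, nonce),
    so a token leaked out of one session does not validate in another.
    With single_use=True the nonce is consumed on first successful
    validation, modelling "invalidate after it's been used".
    """

    def __init__(self, single_use: bool = False) -> None:
        self.single_use = single_use
        # session_id -> set of outstanding nonces (hex strings)
        self._nonces: dict[str, set[str]] = {}

    def issue(self, session_id: str) -> str:
        nonce = secrets.token_hex(16)
        self._nonces.setdefault(session_id, set()).add(nonce)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def validate(self, session_id: str, token: str) -> bool:
        try:
            nonce, mac = token.split(".", 1)
        except ValueError:
            return False
        # Constant-time MAC check first: rejects forged tokens and tokens
        # minted for a different session.
        expected = self._mac(session_id, nonce)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False
        outstanding = self._nonces.get(session_id, set())
        if nonce not in outstanding:
            return False  # never issued, already consumed, or session ended
        if self.single_use:
            outstanding.discard(nonce)
        return True

    def end_session(self, session_id: str) -> None:
        # Ending the session invalidates every token tied to it.
        self._nonces.pop(session_id, None)

    def _mac(self, session_id: str, nonce: str) -> str:
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def demo() -> dict[str, bool]:
    """Exercise both policies with constructed session ids."""
    per_session = CsrfStore(single_use=False)
    t = per_session.issue("sess-A")
    results = {
        # token presented with its own session: accepted
        "same_session": per_session.validate("sess-A", t),
        # same token leaked to another session: rejected by the session binding
        "leaked_to_other_session": per_session.validate("sess-B", t),
        # per-session policy lets the token be reused within its session
        "reuse_per_session": per_session.validate("sess-A", t),
    }
    one_shot = CsrfStore(single_use=True)
    t2 = one_shot.issue("sess-A")
    results["first_use"] = one_shot.validate("sess-A", t2)
    # second submission of the same token is rejected under the single-use policy
    results["replay"] = one_shot.validate("sess-A", t2)
    per_session.end_session("sess-A")
    results["after_session_end"] = per_session.validate("sess-A", t)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The session binding is what makes a leaked token hard to use on its own, as the maintainer notes; the single-use mode narrows the window further but also breaks a second submission from a form that was opened in another tab before the first one was sent, which is the usability cost that has to be weighed when deciding whether to rotate on every submission.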