
CSRF protection can be bypassed with empty header and empty cookie #74

Closed
willemvermeer opened this issue Mar 10, 2020 · 1 comment


willemvermeer commented Mar 10, 2020

Hi,
When you send a POST to an endpoint protected by randomTokenCsrfProtection and pass in an empty X-XSRF-TOKEN header and an XSRF-TOKEN cookie with an empty value, the filter will let you pass.

I think this is due to the check in randomTokenCsrfProtection on line 26:
if (submitted == cookie) {
pass
}
but the value itself is not inspected and could possibly be empty.

Hope this can be fixed, thanks,
Willem
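The check quoted above, beside a version that also validates the value itself, as an added illustration in Python (not the library's code; header and cookie names are those in the report, the request maps and MIN_TOKEN_LENGTH are assumptions):

```python
import hmac
import secrets

# Names taken from the report; the dict-based request shape is a stand-in, not the library's API.
CSRF_HEADER = "X-XSRF-TOKEN"
CSRF_COOKIE = "XSRF-TOKEN"
# Assumed minimum length for a real random token; new_csrf_token() below yields 43 characters.
MIN_TOKEN_LENGTH = 32


def csrf_check_vulnerable(headers: dict, cookies: dict) -> bool:
    """Mirrors the quoted check: pass whenever header == cookie.
    Two empty strings (or two missing values) compare equal, so the request is accepted."""
    submitted = headers.get(CSRF_HEADER)
    cookie = cookies.get(CSRF_COOKIE)
    return submitted == cookie


def csrf_check_hardened(headers: dict, cookies: dict) -> bool:
    """Double-submit check that inspects the values, not only their equality."""
    submitted = headers.get(CSRF_HEADER)
    cookie = cookies.get(CSRF_COOKIE)
    # Absence or emptiness on either side is a failure, never a match.
    if not submitted or not cookie:
        return False
    # Reject values too short to be a token this filter would have issued.
    if len(cookie) < MIN_TOKEN_LENGTH:
        return False
    # Constant-time comparison so the token is not leaked through timing.
    return hmac.compare_digest(submitted.encode(), cookie.encode())


def new_csrf_token() -> str:
    """Random token suitable for the XSRF-TOKEN cookie (43 URL-safe characters)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed request: both header and cookie present but empty.
    empty_headers, empty_cookies = {CSRF_HEADER: ""}, {CSRF_COOKIE: ""}
    print("vulnerable accepts empty pair:", csrf_check_vulnerable(empty_headers, empty_cookies))
    print("hardened accepts empty pair:  ", csrf_check_hardened(empty_headers, empty_cookies))
```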

kijanowski added a commit that referenced this issue Mar 11, 2020
adamw added a commit that referenced this issue Mar 11, 2020
adamw (Member) commented Mar 11, 2020

Fixed in 0.5.11. Thanks for the report!

@adamw adamw closed this as completed Mar 11, 2020