Add anti-forgery tokens to Umbraco forms and login page #9120

Closed
RyanDansie opened this issue Oct 8, 2020 · 2 comments
Comments

@RyanDansie

Anti-forgery tokens are a widely used security best practice to prevent cross-site request forgery attacks. I've checked a recent website using Umbraco, which is running on version 8.6.4, and can see that the login page does not use anti-forgery tokens. Without this it could be possible to perform unauthorised actions in Umbraco by convincing the administrator or another Umbraco user to click on a malicious link. In theory it could be used to gain access to Umbraco by creating a new user account, and there are many other possible malicious actions which could be carried out. Please consider adding anti-forgery tokens on all state-changing forms and the login page. Note that I'm adding this here rather than following the procedure for reporting a security vulnerability, since cross-site request forgery attacks are already well understood throughout the industry and have been for many years, and it would be very simple for an attacker to determine that Umbraco doesn't use anti-forgery tokens; therefore I don't believe I'm revealing anything that isn't already well known.

@Shazwazza
Contributor

The login and the rest of the back office is a SPA application and endpoints are called via JavaScript; it cannot be POSTed to with an HTML form in a browser because it only accepts a JSON content-type. It is not vulnerable to HTML form CSRF, and all REST endpoints for the back office are protected against CSRF using custom anti-forgery tokens used for SPA applications.
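Added example, not code from the Umbraco project or from either commenter: a small Python model of the two defences Shannon describes above (a JSON-only content-type check and a SPA-style anti-forgery token that must appear in both a cookie and a request header), run against constructed requests including the kind of cross-site form submission the issue body describes. The cookie and header names, the request dict shape and the demo secret are assumptions made for this example and are not Umbraco's real identifiers.

```python
import hashlib
import hmac
import secrets

# Constructed names for this example; they are NOT Umbraco's real cookie/header names.
XSRF_COOKIE = "XSRF-TOKEN"
XSRF_HEADER = "X-XSRF-TOKEN"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(secret: bytes) -> str:
    """Mint a token the server can verify later without storing it:
    random nonce + HMAC(secret, nonce). The SPA reads it from a cookie
    (so that cookie must be readable by script) and echoes it in a header."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def token_is_genuine(secret: bytes, token: str) -> bool:
    """True only if the token was minted with our secret (constant-time compare)."""
    nonce, sep, tag = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def validate_request(secret: bytes, request: dict) -> tuple:
    """Apply both defences to one request and return (allowed, reason).

    `request` is a constructed dict {"method", "headers", "cookies"}; header
    lookup is case-insensitive, as a real framework would do for us."""
    method = request["method"].upper()
    if method not in STATE_CHANGING:
        return True, "safe method"

    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    cookies = request.get("cookies", {})

    # Defence 1: only accept JSON bodies. A plain <form> can only send
    # application/x-www-form-urlencoded, multipart/form-data or text/plain,
    # so a forged form submission is rejected before any handler runs.
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if content_type != "application/json":
        return False, f"unsupported content-type: {content_type or '<none>'}"

    # Defence 2: double-submit token. The browser attaches the cookie on its
    # own, but the matching header can only be set by script running on the
    # back-office origin, which a cross-site page cannot do.
    cookie_token = cookies.get(XSRF_COOKIE)
    header_token = headers.get(XSRF_HEADER.lower())
    if not cookie_token or not header_token:
        return False, "missing anti-forgery token"
    if not hmac.compare_digest(cookie_token, header_token):
        return False, "anti-forgery token mismatch"
    # Signing the token means a value that merely matches in both places,
    # but was never issued by this server, is still refused.
    if not token_is_genuine(secret, header_token):
        return False, "anti-forgery token not issued by this server"
    return True, "ok"


def demo() -> dict:
    """Run four constructed requests through the validator."""
    secret = b"constructed-demo-secret"
    token = issue_token(secret)
    json_ct = {"Content-Type": "application/json"}

    requests = {
        # The back-office SPA: JSON body, cookie and header both carry the token.
        "legit_spa": {"method": "POST",
                      "headers": {**json_ct, XSRF_HEADER: token},
                      "cookies": {XSRF_COOKIE: token}},
        # A cross-site <form method="post">: the cookie rides along, but the
        # browser cannot give it a JSON content-type or a custom header.
        "forged_form": {"method": "POST",
                        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                        "cookies": {XSRF_COOKIE: token}},
        # JSON content-type but no token header: fails the token check.
        "json_no_header": {"method": "POST", "headers": dict(json_ct),
                           "cookies": {XSRF_COOKIE: token}},
        # Same value in cookie and header, but not minted by this server.
        "fake_token": {"method": "POST",
                       "headers": {**json_ct, XSRF_HEADER: "deadbeef.0000"},
                       "cookies": {XSRF_COOKIE: "deadbeef.0000"}},
    }
    return {name: validate_request(secret, req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:15s} allowed={allowed!s:5s} {reason}")
```

The content-type check alone already stops an HTML form, which is the point of the first comment; the signed double-submit token is what protects the JSON endpoints from any client that can set headers but does not run on the back-office origin.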

@nul800sebastiaan
Member

Thanks @RyanDansie - as Shannon says, we're confident that we've done the necessary work to prevent CSRF attacks but if you have a proof of concept then we're happy to hear about it through private channels. 👍
