CSRF validation leak
— at Version 2
Reported by: Jay <jay.shure@…>
Owned by: nobody
Component: CSRF
Version: 1.3
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no
The CSRF validation compares request.COOKIES[settings.CSRF_COOKIE_NAME] and request.POST.get('csrfmiddlewaretoken', ) to see if a request is legal. But unfortunately both values are provided by the client side, and they are the same. So it is easy for attackers to fake a request so that no 403 will be thrown.
The attached project provides one url entry that returns "ok", unless CSRF fails. The following commands show how to cheat.
# 200
curl http://127.0.0.1:8000
# 200
curl -G -d test=test http://127.0.0.1:8000
# 403
curl -d test=test http://127.0.0.1:8000
# 200
curl -d "test=test;csrfmiddlewaretoken=1" -b csrftoken=1 http://127.0.0.1:8000
This does not result in a CSRF vulnerability. curl is irrelevant - CSRF is about browsers being abused.
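To make the reply's point concrete, here is an added example (not Django's code and not part of the ticket) of a double-submit cookie check in the spirit of the one the report describes, run against three constructed requests: a form submitted by the victim's own browser, a form auto-submitted from an attacker-controlled page, and the ticket's curl request. The function and scenario names (csrf_check, simulate) and the token values are assumptions made for the illustration.

```python
import secrets

# Cookie name used by the check; mirrors the Django setting the ticket mentions.
CSRF_COOKIE_NAME = "csrftoken"


def csrf_check(cookies: dict, post: dict) -> int:
    """Double-submit check: accept the request only when the token carried in the
    cookie equals the token carried in the POST body. Returns an HTTP status code."""
    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    form_token = post.get("csrfmiddlewaretoken", "")
    if not cookie_token:
        # No cookie at all: the client never obtained a token, reject.
        return 403
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not secrets.compare_digest(cookie_token.encode(), form_token.encode()):
        return 403
    return 200


def simulate() -> tuple:
    """Constructed scenarios showing why matching client-supplied values is still
    a CSRF defence: the cross-site attacker cannot read the victim's cookie."""
    victim_token = secrets.token_hex(16)  # token the site issued to the victim

    # 1. Victim's browser submits a form the site rendered: the cookie and the
    #    hidden field both carry the victim's token, so the request is accepted.
    legit = csrf_check(
        {CSRF_COOKIE_NAME: victim_token},
        {"test": "test", "csrfmiddlewaretoken": victim_token},
    )

    # 2. A page on another origin auto-submits a form to the site. The browser
    #    attaches the victim's cookie automatically, but the same-origin policy
    #    keeps that cookie value out of reach of the attacker's page, so the
    #    hidden field can only hold a guess ("1" here, as in the ticket).
    forged = csrf_check(
        {CSRF_COOKIE_NAME: victim_token},
        {"test": "test", "csrfmiddlewaretoken": "1"},
    )

    # 3. The ticket's curl command: the client sets both the cookie and the
    #    field to "1". This passes, but it is the client's own cookie jar and
    #    session, not the victim's, which is why it is not a CSRF.
    self_request = csrf_check(
        {CSRF_COOKIE_NAME: "1"},
        {"test": "test", "csrfmiddlewaretoken": "1"},
    )
    return legit, forged, self_request


if __name__ == "__main__":
    print(simulate())  # (200, 403, 200)
```

The third scenario is exactly what the curl line reproduces: any client can satisfy the check for its own session, because the check was never meant to authenticate the client, only to prove that whoever built the request could read the cookie of the session it targets.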