CSRF doesn't really make sense
Closed this issue · 4 comments
duraki commented
Having separate CSRF vulnerability implemented makes no sense in DVWA. Why is the whole DVWA vulnerable to CSRF anyhow? Shouldn't there be some kind of XSRF token applied in non-CSRF vulnerabilities and forms?
digininja commented
It is so that you can practice CSRF on its own as a standalone vulnerability. It is like asking why have standalone XSS, why not put it in the login form. I could, but then it would be harder to focus on the single lesson.

The rest of the app isn't protected because as well as having specific vulnerabilities in each section, the app as a whole is full of other "hidden" issues for you to find.
duraki commented
I agree, it makes sense in this particular case. I just think that DVWA is used quite a lot "as a standard" during DAST/SAST benchmarking (and development of similar offsec tools), therefore these produce false positives and are reported during the analysis. Nevertheless, I understand your point, just wanted to share my personal view of it. Appreciate the response, and thanks for years of development @digininja.
digininja commented
Trying to have humans trying to contend with CSRF protections while also learning about SQLi would be a bit much.
duraki commented
Haha, absolutely. Let's deffo keep it this way.