Possible flaw
arjndr opened this issue · 2 comments
arjndr commented
I am relatively new to back-end programming and Golang, but I thought it'd be a good idea to post this. I am able to "authenticate" requests on the example code by passing the csrf_token cookie and form data to cURL like this:
curl http://localhost:8000 -d "name=abcd&csrf_token=dEdKyAmXFbvNZGcWvVcBQVAb8IlVwS10SAFqwSQ/k7IkMvQbmRzMHV4M5V197UPycAEOncxxler1It9TtHbpiA==" --cookie "csrf_token=UHW+05CL2aaTaIJLwLpCsyAa/hSZsLievSO1kpBJejo="
and then the response is
<!doctype html>
<html>
<body>
<p>Your name: abcd</p>
<form action="/" method="POST">
<input type="text" name="name">
<input type="hidden" name="csrf_token" value="U4/bPZUAKZ+wezr8YcWkdEpsJ+2gnLt6UPPXzIhXAKYD+mXuBYvwOSMTuLehf+bHanbZ+TksA+Tt0GJeGB56nA==">
<input type="submit" value="Send">
</form>
</body>
</html>
I'm not completely sure if this is an expected behavior or a flaw.
elithrar commented
Not a flaw, as CSRF is designed to prevent browser-based attacks, where you (the victim) are tricked into clicking (or otherwise triggering) a link that uses your logged-in session on the other site to do something for the attacker, e.g. change your email address to theirs, transfer money to them, etc.

But with this library, your application now requires both a cookie and a form value to be submitted ("double submit method"), and they must match. The attacker cannot access your cookies (due to the same-origin policy) and thus cannot derive a valid form value to pass the CSRF check.

Hope that makes sense.
On Wed, Jun 20, 2018 at 8:07 AM Akash Rajendra wrote:
arjndr commented
Ahh, makes sense. Thanks for the enlightenment 😄