Re: [Cppcms-users] Potential Bug in CSRF Validation
From: Artyom B. <art...@gm...> - 2018-11-05 07:09:08
> Now, let's consider this situation:
> - Attacker gets all information about the form by inspecting HTML code.
> - Then post form data with cURL without any session cookie values and hidden "_csrf" variable and header.
> In this case, CppCMS will consider these requests as a new session. But since the "_csrf" value in the session is not generated until the response is written back, CSRF validation will succeed silently.
>

It is correct behavior. CSRF is an attempt to use a victim's credentials to perform operations on his behalf.

For each POST request there are two kinds of things you want to check:

1. The user has permissions to perform an operation - for example add/update content.
2. It is actually a POST by the user and not CSRF.

Now if you want to protect a general form from access by users that hadn't seen the form from a browser, just create a session - call it anonymous - the session will include a token.

However, everything that an anonymous user can do an attacker can do as well by just obtaining his own session cookie.

CSRF protection does not protect against general POSTs, it protects users who are logged in against forgery.

> Maybe, if we should change validate_csrf_token's logic as:
> - if session[_csrf] empty, then return false.
> - if token is empty, then return false.
> - if session[_csrf] == token, return true; otherwise return false.

The problem is that it will fail various kinds of forms that do not actually require any session.

> After this change, if the session is new and it's POST method and form::load is called, CSRF validation will throw an exception (as expected).
>
> In the current situation, it seems that there is a cross-site forgery attack possibility in very specific cases. But I am not sure if this is a feature or a bug.
>
> Thank you.
>
> Best regards,
> Nazim Can.
>
> --
> Best regards,
> Назым-Джан Бэдир

Regards,
Artyom
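The two validation rules discussed in this thread, modelled side by side as an added example (this is not CppCMS code; the `Session` struct, the `_csrf` key and the function names are assumptions made for illustration). The lax variant reproduces the reported behaviour: a request that arrives without a session cookie gets a fresh session whose `_csrf` entry is still empty, so an empty form token compares equal and passes. The strict variant implements the three rules from the quoted proposal, and `session_with_token` models the "anonymous session" approach Artyom describes, where a token is issued before the form is ever posted.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>
#include <map>
#include <string>

// Hypothetical model of a CppCMS-style session: a key/value store.
// A session created for a request that carried no cookie has no "_csrf"
// entry yet, because (per the thread) the token is only generated when
// the response is written back.
struct Session {
    std::map<std::string, std::string> values;

    // Returns the stored value, or an empty string when the key is absent.
    std::string get(const std::string& key) const {
        auto it = values.find(key);
        return it == values.end() ? std::string() : it->second;
    }
};

// Lax check, as reported: a plain equality test. With a fresh session
// (no "_csrf" stored) and an empty form token, "" == "" and the check passes.
bool validate_csrf_lax(const Session& s, const std::string& token) {
    return s.get("_csrf") == token;
}

// Strict check, the logic proposed in the quoted message:
//   - empty session token  -> reject
//   - empty form token     -> reject
//   - otherwise accept only on an exact match
// The match loop compares every byte instead of stopping at the first
// mismatch, so the comparison time does not leak the mismatch position.
bool validate_csrf_strict(const Session& s, const std::string& token) {
    const std::string expected = s.get("_csrf");
    if (expected.empty()) return false;
    if (token.empty()) return false;
    if (expected.size() != token.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < expected.size(); ++i)
        diff |= static_cast<unsigned char>(expected[i] ^ token[i]);
    return diff == 0;
}

// Models the "anonymous session" approach from the reply: the session is
// created, and a token stored in it, before the form is rendered, so a
// later POST has something to be checked against. (Constructed token value.)
Session session_with_token(const std::string& token) {
    Session s;
    s.values["_csrf"] = token;
    return s;
}

// Scenario helpers, one per case discussed in the thread.
bool lax_accepts_fresh_session_without_token() {
    Session fresh;                         // no cookie sent, token not generated yet
    return validate_csrf_lax(fresh, "");   // passes: "" == ""
}

bool strict_rejects_fresh_session_without_token() {
    Session fresh;
    return !validate_csrf_strict(fresh, "");
}

bool strict_accepts_matching_token() {
    Session s = session_with_token("abc123");
    return validate_csrf_strict(s, "abc123");
}

bool strict_rejects_wrong_or_missing_token() {
    Session s = session_with_token("abc123");
    return !validate_csrf_strict(s, "zzz999") && !validate_csrf_strict(s, "");
}

int main() {
    std::cout << "lax accepts fresh session + empty token: "
              << lax_accepts_fresh_session_without_token() << "\n"
              << "strict rejects fresh session + empty token: "
              << strict_rejects_fresh_session_without_token() << "\n"
              << "strict accepts matching token: "
              << strict_accepts_matching_token() << "\n"
              << "strict rejects wrong/missing token: "
              << strict_rejects_wrong_or_missing_token() << "\n";
    return 0;
}
```

Note that the strict variant on its own does not change the conclusion in the reply: a fresh anonymous session is something any client can obtain by making one request, so the token only ties a POST to the browser session that rendered the form. Whether that POST is authorised is the separate permission check listed as item 1.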