Various save, delete, move and other actions that have data-writing consequences should be reworked to require a unique token tied to the user's session id, so that someone emailing them a link to something like the 'delete-site' action won't cause them to accidentally delete their site.
This can likely be implemented as an add-on to the RequestContext mechanism, so that these data-writing actions only have to call a single method to validate the token and need no additional logic.
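One way the add-on described above could look, as an added example rather than Segue2's own code: a per-session synchronizer token minted on demand and checked by a single method on a hypothetical RequestContext, with a decorator that lets an action such as delete-site opt in without extra logic. SESSIONS, the parameter names and delete_site are constructed for illustration.

```python
import hmac
import secrets

SESSIONS: dict = {}  # constructed stand-in for the server-side session store

class CsrfError(Exception):
    """Raised when a data-writing action is called without a valid token."""

class RequestContext:
    """Hypothetical per-request object bound to the caller's session id."""

    def __init__(self, session_id: str, params: dict):
        self.session_id = session_id
        self.params = params  # query/form parameters of this request
        self.session = SESSIONS.setdefault(session_id, {})

    def csrf_token(self) -> str:
        # One random token per session, minted on first use and then reused,
        # so every form or link rendered for this session carries it.
        if "csrf" not in self.session:
            self.session["csrf"] = secrets.token_urlsafe(32)
        return self.session["csrf"]

    def validate_csrf_token(self) -> None:
        # The single call every data-writing action makes. A link pasted from
        # an email carries no token; a token minted for another session does
        # not match. compare_digest keeps the comparison constant-time.
        expected = self.session.get("csrf", "")
        supplied = self.params.get("csrf", "")
        if not expected or not hmac.compare_digest(supplied, expected):
            raise CsrfError("missing or invalid CSRF token")

def data_writing_action(handler):
    """Decorator that runs the token check before the wrapped action."""
    def wrapped(ctx: RequestContext):
        ctx.validate_csrf_token()
        return handler(ctx)
    return wrapped

@data_writing_action
def delete_site(ctx: RequestContext) -> str:
    return f"deleted {ctx.params['site']}"

def attempt(session_id: str, params: dict) -> str:
    """Run delete_site and report 'deleted <site>' or 'rejected'."""
    try:
        return delete_site(RequestContext(session_id, params))
    except CsrfError:
        return "rejected"
```

A link forged from outside the session has no way to learn the token, so the emailed 'delete-site' URL from the description is rejected before the handler body runs.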
Testing For CSRF (YES – Severe)
Cross-Site Request Forgery (CSRF) is about forcing an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web
It is possible for an attacker to construct malicious script which would create another administrative user.
Rapid7 recommends that Middlebury College review the code for performing administrative tasks, such as creating new users. A unique token ID specific to a user's session should be required of all application URIs within the Segue2 application.
Found in Rapid7 security audit.