API2 failing due to CSRF check. Not correctly following cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#identifying-source-origin-via-originreferer-header
#11182
"If the Origin header is present, verify that its value matches the target origin. Unlike the Referer, the Origin header will be present in HTTP requests that originate from an HTTPS URL."
"If the Origin header is not present, verify the hostname in the Referer header matches the target origin. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state, which is required to keep track of a synchronization token."
You are first checking if the host matches the Referer rather than first checking if the Origin exists; this is the wrong way round. If the Origin header is present you should not be checking the Referer.
I don't believe you are correctly following the wording of this check, as indicated by your comment in code:
vanilla/library/core/class.request.php
Lines 810 to 814 in f547100
I don't believe the logical steps follow what is advised in the two paragraphs (I may be missing something), and also the Referer header is unreliable and easily spoofed.
Result: /api2/ requests, which are used for quote and uploads/attachments, will fail, as not all Ajax requests will have a Referer header; in fact the likelihood is that they won't these days.