Описание
gorilla/csrf CSRF vulnerability due to broken Referer validation
Summary
gorilla/csrf is vulnerable to CSRF via form submission from origins that share a top level domain with the target origin.
Details
gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the r.URL.Scheme value. However, this value is never populated for "server" requests per the Go spec, and so this check does not run in practice.
PoC
- create trusted origin
target.example.testprotected with gorilla/csrf and served over TLS hosting form on/submit - create attacker origin
attack.example.testserved over TLS - attacker exfiltrates token & cookie combination from
target.example.test - attacker sets exfiltrated cookie with
domain=.example.test and path=/submit- as the cookie has a more specific path than
/(the default for CSRF cookies) it will be sent first by the browser on submit to our target origin
- as the cookie has a more specific path than
- submit form from
attack.example.testwith exfiltrated CSRF form token - observe valid form submission as
attack.example.testOrigin / Referer headers are not validated.
Impact
This vulnerability allows an attacker who has gained XSS on a subdomain or top level domain to perform authenticated form submissions against gorilla/csrf protected targets that share the same top level domain.
This bug has existed in gorilla/csrf since its initial release in 2015.
Ссылки
Пакеты
github.com/gorilla/csrf
< 1.7.3
1.7.3
Связанные уязвимости
gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the r.URL.Scheme value. However, this value is never populated for "server" requests per the Go spec, and so this check does not run in practice. This vulnerability allows an attacker who has gained XSS on a subdomain or top level domain to perform authenticated form submissions against gorilla/csrf protected targets that share the same top level domain. This vulnerability is fixed in 1.7.2.
gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the r.URL.Scheme value. However, this value is never populated for "server" requests per the Go spec, and so this check does not run in practice. This vulnerability allows an attacker who has gained XSS on a subdomain or top level domain to perform authenticated form submissions against gorilla/csrf protected targets that share the same top level domain. This vulnerability is fixed in 1.7.2.
gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention mid ...
