
vweb CSRF protection vulnerabilities

Open Casper64 opened this issue 1 year ago • 0 comments

Describe the bug

The CSRF protection of vweb is faulty and outdated.

  • When using the default app from the documentation, the CSRF protection can easily be bypassed by sending an arbitrary token.
  • Doesn't properly implement the __Host- cookie prefix RFC.
  • Can't test it in dev.
  • Tokens are not tied to user sessions or stored in any way.

Expected Behavior

I expect to see HTTP 403 Forbidden.

Current Behavior

The CSRF token checker was bypassed.

Reproduction Steps

Run the app from the documentation:

module main

import vweb
import vweb.csrf

// embeds the csrf.App struct in order to empower the struct to protect against CSRF
struct App {
	csrf.App
}

fn main() {
	vweb.run_at(&App{}, vweb.RunParams{
		port: 8080
	}) or { panic(err) }
}

fn (mut app App) index() vweb.Result {
	// Set a Csrf-Cookie (Token will be generated automatically)
	app.set_csrf_cookie()

	// Get the token-value from the csrf-cookie that was just set
	token := app.get_csrf_token() or { panic(err) }

	return app.text("Csrf-Token set! Its value is: ${token}")
}

fn (mut app App) foo() vweb.Result {
	// Protect this handler-function against CSRF
	app.csrf_protect()
	return app.text('Checked and passed csrf-guard')
}

And sent a curl request:

curl --cookie "__Host-Csrf-Token=test; Secure" localhost:8080/foo
Checked and passed csrf-guard

Possible Solution

The CSRF module needs to be redone.

Additional Information/Context

Acknowledgements

  • [X] I can implement the new module
  • [X] This change may include a breaking change.

V version

0.3.4

Environment details (OS name and version, etc.)

V full version: V 0.3.4 b255fef.638f0f6
OS: linux, Kali GNU/Linux Rolling (WSL 2)
Processor: 12 cpus, 64bit, little endian, Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz

getwd: /home/casper/code/v
vexe: /opt/v/v
vexe mtime: 2023-05-02 14:38:16

vroot: OK, value: /opt/v
VMODULES: OK, value: /home/casper/.vmodules
VTMP: OK, value: /tmp/v_1000

Git version: git version 2.39.2
Git vroot status: 0.3.4-7-g638f0f69
.git/config present: true

CC version: cc (Debian 12.2.0-14) 12.2.0
thirdparty/tcc status: thirdparty-linux-amd64 12f392c3

Casper64, May 02 '23 14:05
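As an added illustration (not vweb's code and not the rewrite the reporter offers to implement), the check below contrasts a presence-only cookie check, constructed to reproduce the bypass in the curl reproduction above, with a session-bound double-submit token that addresses the listed points: the token carries an HMAC over the caller's session id, so an arbitrary value or a token from another session is rejected, and the Set-Cookie line carries the attributes the __Host- prefix requires. The secret, session ids and handler name are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Cookie name from the report. Browsers only honour the __Host- prefix when the
# cookie is set with Secure and Path=/ and without a Domain attribute.
COOKIE_NAME = "__Host-Csrf-Token"


def weak_csrf_check(cookies: dict) -> bool:
    """Presence-only check (constructed, mirrors what the curl reproduction shows):
    any value in the cookie passes, so it is not a CSRF defence."""
    return COOKIE_NAME in cookies


class CsrfGuard:
    """Token = nonce.HMAC(secret, session_id:nonce). It cannot be forged without the
    server secret and only verifies for the session it was issued to."""

    def __init__(self, secret: bytes):
        self._secret = secret  # assumed: a per-deployment secret, not stored in code

    def _mac(self, session_id: str, nonce: str) -> str:
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def set_cookie_header(self, token: str) -> str:
        # Attributes the __Host- prefix requires, plus SameSite as defence in depth.
        return f"{COOKIE_NAME}={token}; Secure; Path=/; SameSite=Strict"

    def verify(self, session_id: str, cookies: dict, submitted: Optional[str]) -> bool:
        """Cookie token and form/header token must both exist, match, and carry a
        valid MAC for this session. All comparisons are constant-time."""
        cookie_token = cookies.get(COOKIE_NAME)
        if not cookie_token or not submitted or "." not in submitted:
            return False
        if not hmac.compare_digest(cookie_token.encode(), submitted.encode()):
            return False
        nonce, mac = submitted.split(".", 1)
        return hmac.compare_digest(mac.encode(), self._mac(session_id, nonce).encode())


def handle_foo(guard: CsrfGuard, session_id: str, cookies: dict, submitted: Optional[str]) -> int:
    """Status the report expects from /foo: 403 unless the token verifies."""
    return 200 if guard.verify(session_id, cookies, submitted) else 403
```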