vweb CSRF protection vulnerabilities
Describe the bug
The CSRF protection in vweb is faulty and outdated.
- When using the default app from the documentation, the CSRF protection can easily be bypassed by sending an arbitrary token.
- Doesn't properly implement the __Host- cookie prefix RFC. (Can't test it in dev.)
- Tokens are not tied to user sessions or stored in any way.
Expected Behavior
I expect to see HTTP 403 Forbidden.
Current Behavior
The CSRF token checker was bypassed.
Reproduction Steps
Run the app from the documentation:
module main

import vweb
import vweb.csrf

// embeds the csrf.App struct in order to empower the struct to protect against CSRF
struct App {
	csrf.App
}

fn main() {
	vweb.run_at(&App{}, vweb.RunParams{
		port: 8080
	}) or { panic(err) }
}

fn (mut app App) index() vweb.Result {
	// Set a Csrf-Cookie (Token will be generated automatically)
	app.set_csrf_cookie()
	// Get the token-value from the csrf-cookie that was just set
	token := app.get_csrf_token() or { panic(err) }
	return app.text("Csrf-Token set! It's value is: ${token}")
}

fn (mut app App) foo() vweb.Result {
	// Protect this handler-function against CSRF
	app.csrf_protect()
	return app.text('Checked and passed csrf-guard')
}
Then send a curl request:
curl --cookie "__Host-Csrf-Token=test; Secure" localhost:8080/foo
Checked and passed csrf-guard
Possible Solution
The CSRF module needs to be redone.
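The three points above (a bypass with an arbitrary token, tokens not bound to a session, and the __Host- prefix rules) all come down to what a CSRF guard has to check. The following is an added example written for this issue, not vweb or V code; it is a plain-Python sketch of a stateless, session-bound token scheme (HMAC over the session id and a nonce, compared in constant time) plus a check of the Set-Cookie attributes a __Host- cookie must carry. The session id, the server key and the request shape are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-side key; a real server would load this from its config.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Mint a token that is only valid for one session.

    Format: <random nonce>.<HMAC(key, session_id:nonce)>.  The MAC binds the
    token to the session, so nothing has to be stored server-side and a value
    forged or copied from another session fails verification.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or len(nonce) != 32 or len(mac) != 64:
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def csrf_protect(session_id: str, cookie_token: Optional[str],
                 submitted_token: Optional[str], key: bytes = SERVER_KEY) -> int:
    """Double-submit check for a state-changing request; returns an HTTP status.

    Both copies must be present, must match each other, and the value must
    verify for the current session.  Any failure is 403, never a pass.
    """
    if cookie_token is None or submitted_token is None:
        return 403
    if not hmac.compare_digest(cookie_token.encode(), submitted_token.encode()):
        return 403
    if not verify_csrf_token(cookie_token, session_id, key):
        return 403
    return 200


def host_prefix_cookie_ok(set_cookie: str) -> bool:
    """Check a Set-Cookie header value against the __Host- prefix rules.

    A __Host- cookie must be Secure, must have Path=/ and must not carry a
    Domain attribute; browsers refuse to store it otherwise.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    if not name.startswith("__Host-"):
        return False
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return "secure" in attrs and attrs.get("path") == "/" and "domain" not in attrs


if __name__ == "__main__":
    session = "sess-123"  # constructed session id for the demo
    # The curl request from the repro: an arbitrary value in both places.
    print("arbitrary token:", csrf_protect(session, "test", "test"))  # 403
    tok = issue_csrf_token(session)
    print("issued token   :", csrf_protect(session, tok, tok))  # 200
    print("other session  :", csrf_protect("sess-999", tok, tok))  # 403
    print("__Host- ok     :", host_prefix_cookie_ok("__Host-Csrf-Token=" + tok + "; Secure; Path=/"))
    print("__Host- bad    :", host_prefix_cookie_ok("__Host-Csrf-Token=" + tok + "; Path=/; Domain=example.com"))
```

Two things the example makes visible: the `; Secure` in the repro's `--cookie` string is inert, because a Cookie request header carries no attributes, so the server can never confirm how a cookie was set and must rely on the __Host- rules being enforced by the browser at Set-Cookie time (which is why it needs HTTPS and cannot be exercised in a plain-http dev setup); and with the token bound to the session by a MAC, the arbitrary-token request from the repro is rejected without the server keeping any token store.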
Additional Information/Context
Acknowledgements
- [X] I can implement the new module
- [X] This change may include a breaking change.
V version
0.3.4
Environment details (OS name and version, etc.)
V full version: V 0.3.4 b255fef.638f0f6
OS: linux, Kali GNU/Linux Rolling (WSL 2)
Processor: 12 cpus, 64bit, little endian, Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz

getwd: /home/casper/code/v
vexe: /opt/v/v
vexe mtime: 2023-05-02 14:38:16

vroot: OK, value: /opt/v
VMODULES: OK, value: /home/casper/.vmodules
VTMP: OK, value: /tmp/v_1000

Git version: git version 2.39.2
Git vroot status: 0.3.4-7-g638f0f69
.git/config present: true

CC version: cc (Debian 12.2.0-14) 12.2.0
thirdparty/tcc status: thirdparty-linux-amd64 12f392c3