CSRF tokens in GET requests can be leaked and reused; stop encouraging server-side state changes with GET requests

Created on 30 August 2023, over 1 year ago

I originally reported this to the security team, but they cleared it to be discussed in public.

Problem/Motivation

The routing system of Drupal Core offers a CSRF protection mechanism (mainly) for GET requests. This mechanism adds a CSRF token as a query parameter to the URL. There are two (related) problems:

1. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker. Therefore, it is also an OWASP recommendation not to place CSRF tokens in the URL. If an attacker is able to intercept the CSRF token of the user, the attacker is able to conduct a CSRF attack on the specific user for the specific protected action.

2. GET requests should (by specification) never be used for server-side state-changing actions in the first place. Nevertheless, Core and many contributed modules do so, although Drupal's own documentation has in the past stated that this is bad practice.

CSRF tokens in GET requests are therefore not only somewhat insecure (1.), but should also never be necessary (2.) if the HTTP specification and secure coding guidelines are strictly followed.

Therefore, it is in my opinion questionable whether this core feature should even exist in its current form since it encourages the usage of GET requests for server-side state-changing actions. Currently, the feature only seems to exist to make a bad practice a bit (or much) "less bad".

Proposed resolution

tbd

Remaining tasks

  • Discuss if this feature should still exist
  • Discuss potential impact of removal of feature
  • ...
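The mechanism described in the issue, shown as an added example (not code from the issue, its author, or Drupal core): a GET route protected only by the `_csrf_token` route requirement, which makes every generated link carry a `?token=` query parameter, next to the same action moved to a confirmation form that Drupal's Form API submits by POST with a token in a hidden field. The module name `mymodule`, the route names and the "flush caches" action are assumptions for illustration.

```php
<?php
// Added example, not from the issue or Drupal core. Module name, route
// names and the flush action are assumed for illustration.
//
// The pattern the issue criticises (mymodule.routing.yml). Because of the
// _csrf_token requirement, Url::fromRoute('mymodule.flush')->toString()
// appends ?token=... to every rendered link, and the token ends up in
// browser history, server/proxy logs and the Referer header.
//
//   mymodule.flush:
//     path: '/admin/mymodule/flush'
//     defaults:
//       _controller: '\Drupal\mymodule\Controller\FlushController::flush'
//     requirements:
//       _permission: 'administer site configuration'
//       _csrf_token: 'TRUE'
//     methods: [GET]
//
// The alternative: point the same path at a confirmation form. The GET
// request only renders the form; the state change happens on the POST,
// which the Form API protects with a form token in a hidden field.
//
//   mymodule.flush:
//     path: '/admin/mymodule/flush'
//     defaults:
//       _form: '\Drupal\mymodule\Form\FlushConfirmForm'
//       _title: 'Flush caches'
//     requirements:
//       _permission: 'administer site configuration'

namespace Drupal\mymodule\Form;

use Drupal\Core\Form\ConfirmFormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;

/**
 * Confirmation form that performs the flush on POST submission only.
 */
class FlushConfirmForm extends ConfirmFormBase {

  public function getFormId() {
    return 'mymodule_flush_confirm';
  }

  public function getQuestion() {
    return $this->t('Flush all caches?');
  }

  public function getConfirmText() {
    return $this->t('Flush');
  }

  public function getCancelUrl() {
    // Core's status report page; used as the cancel/redirect target.
    return Url::fromRoute('system.status');
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Reached only after the Form API has validated the POSTed form token.
    drupal_flush_all_caches();
    $this->messenger()->addStatus($this->t('All caches have been flushed.'));
    $form_state->setRedirectUrl($this->getCancelUrl());
  }

}
```

Links to the form route are plain `/admin/mymodule/flush` with no token, so nothing secret is logged or leaked via Referer, and a plain GET to that path changes nothing on the server.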
📌 Task

Status: Active

Version: 11.0 🔥

Component: Routing

Last updated 4 days ago


Comments & Activities

  • Issue created by @nico.b
  • msankhala (Bikaner, Rajasthan, India)

    I ran a security scan with Burp Suite on a Drupal 10 website, and Burp Suite also reported the same issue with Medium severity. Below is one sample of such an issue reported by Burp Suite.

    1. Medium severity issues
    1.1. Session token in URL
    
    There are 3 instances of this issue:
    
    /
    /user/dashboard
    /user/edit-profile
    
    Issue background
    Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
    
    Issue remediation
    Applications should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
    
    Vulnerability classifications
    CWE-200: Information Exposure
    CWE-384: Session Fixation
    CWE-598: Information Exposure Through Query Strings in GET Request
    CAPEC-593: Session Hijacking
    
    
    1.1.1. /
    Summary
    Severity: Medium
    Confidence: Firm
    Host:
    Path: /
    Issue detail
    The response contains the following links that appear to contain session tokens:
    /admin/flush/plugin?token=byJZOaxpUgF1dZRzuNCjxHdTmTU5y_YOkn1fFcdDGVQ
    /admin/flush/rendercache?token=dlTbfFgJ2GZEybPTTMH57iaBdzIYTdJG7UNenPdSzrQ
    /admin/flush/theme_rebuild?token=reqwFvxP-LTFodvzyPG6t-sXN9wb3QAofyFFjHV3WWY
    /run-cron?token=QF0VrLooJ81Z_0mRNoxnS3SamlcyMD0inN2NChxxnkk
    /admin/flush/menu?token=eALtewSxjWVO7SCEn0GZxu8LUJaxkXlo20OKKabBaJs
    /admin/flush?token=xIXNfpSObi4TNVGsoIYiUr13531hbaNpq6qhKBNiYbc
    /admin/flush/twig?token=qzFQkY40jfUxponYKRl0gj3FnZXiKdqZCnOy_fO0pOo
    /admin/flush/static-caches?token=dTWgAZ27g-hR_D4Lb2MrFXSyZATqMG_Vjd2Y0JC6u1s
    /admin/flush/views?token=XLrOpUmAxNMPG2xrjvDawQPgLfLKGSL99_9YOhpzYsg
    /admin/flush/cssjs?token=2KlTAMSzJcSa3XFs4gh5hvn186leaGHNVushmCSydR8
    
    
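A local version of the check behind the Burp finding above, added here as an example (not from the issue, the commenter or Burp): it parses saved page HTML and lists the paths of links whose query string carries a `token` parameter, which is the parameter name Drupal's routing CSRF protection uses. The sample markup is constructed to resemble the admin links in the report; only the path is reported, never the token value, so the check itself does not leak what it finds.

```php
<?php
// Added example, not from the issue or Drupal. Finds anchor links whose
// query string contains a "token" parameter, the marker Drupal's GET CSRF
// protection leaves in URLs and the one Burp flagged above.

function find_tokenized_links(string $html): array {
  $doc = new DOMDocument();
  // Real pages are rarely well-formed; suppress libxml warnings, we only
  // need the anchors.
  @$doc->loadHTML($html);
  $hits = [];
  foreach ($doc->getElementsByTagName('a') as $anchor) {
    $href = $anchor->getAttribute('href');
    $query = parse_url($href, PHP_URL_QUERY);
    if ($query === null || $query === false) {
      continue;
    }
    parse_str($query, $params);
    if (isset($params['token'])) {
      // Report the path only; the token value itself must not be logged.
      $hits[] = parse_url($href, PHP_URL_PATH);
    }
  }
  return array_values(array_unique($hits));
}

// Constructed sample, shaped like the admin toolbar links in the Burp report.
$sample = <<<HTML
<ul>
  <li><a href="/admin/flush/twig?token=AAAA">Twig</a></li>
  <li><a href="/run-cron?token=BBBB">Run cron</a></li>
  <li><a href="/admin/flush/twig?token=AAAA">Twig (duplicate link)</a></li>
  <li><a href="/user/edit-profile">Edit profile</a></li>
</ul>
HTML;

foreach (find_tokenized_links($sample) as $path) {
  echo "CSRF token in URL of GET link: $path\n";
}
// Lists /admin/flush/twig and /run-cron; /user/edit-profile is not reported.
```

Run it over HTML saved from an authenticated session (the tokens are only rendered for users who may perform the actions), and treat every reported path as a candidate for conversion to a POST-submitted form.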