Add CSRF tokens
Closed, InvalidPublic
Actions

Edit Task
Edit Related Tasks...
Create Subtask
Edit Parent Tasks
Edit Subtasks
Merge Duplicates In
Close As Duplicate
Edit Related Objects...
Edit Commits
Edit Mocks
Mute Notifications
Protect as security issue
Award Token
Flag For Later

Assigned To

Authored By

	zhuyifei1999
	Jan 22 2017, 4:42 PM

Description

All privileged writes should have CSRF tokens submitted along with the request.

Because tools.wmflabs.org is shared, and tool on the site can easily use a javascript to forge a request (even if it is a post, SOP can't help you here) and act on the user's behalf.

Event Timeline

zhuyifei1999 created this task.Jan 22 2017, 4:42 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 22 2017, 4:42 PM

DatGuy triaged this task as High priority.Jan 22 2017, 4:52 PM

DatGuy moved this task from Backlog to Security on the Tool-Labs-tools-LTA-Knowledgebase board.

MarcoAurelio added a project: Vuln-CSRF.Jan 29 2017, 12:39 PM

Project ended, tool deleted

Add CSRF tokensClosed, InvalidPublicActions

Description

Event Timeline

Add CSRF tokens
Closed, InvalidPublic
Actions