-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathcsrf-double-submit.mjs
More file actions
41 lines (41 loc) · 1.29 KB
/
Copy pathcsrf-double-submit.mjs
File metadata and controls
41 lines (41 loc) · 1.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
export default {
id: 'csrf-double-submit',
scope: 'cross',
severity: 'warn',
title: 'Double-submit CSRF: matching token in cookie and header',
match(run) {
const hits = [];
const csrfHeaderNames = [
'x-csrf-token',
'x-csrftoken',
'x-xsrf-token',
'csrf-token',
'x-anti-csrf',
];
for (const req of run.requests) {
for (const hName of csrfHeaderNames) {
const headerVal = req.headers[hName];
if (!headerVal) continue;
for (const [cookieName, cookieVal] of Object.entries(req.cookies)) {
if (cookieVal === headerVal || decodeURIComponent(cookieVal) === headerVal) {
hits.push({
request_id: req.id,
endpoint: `${req.method} ${req.path}`,
header_name: hName,
cookie_name: cookieName,
});
return hits;
}
}
}
}
return hits;
},
explanation:
'A double-submit CSRF pattern was detected: a cookie value is mirrored ' +
'into a custom header on requests. Generic shape, no framework-specific name.',
recommendation:
'In replay client: read the cookie and forward its value into the matching ' +
'header. Match exactly, including URL-decoding if needed.',
execution_model: 'http_only',
};