Burglary protection
Cat Anton, 2016-08-22 03:06:31

Does it make sense to protect the "Logout" button from CSRF?

Hello everyone.
I accidentally came across the code that protects the user's logout request: AccountController.php#L90-L99
The author shows a confirmation form and logs the user out only after receiving confirmation, although it could have been simpler:

<form action="/logout" method="post">
    <input type="hidden" name="csrf_token" value="csrf-token">
    <input type="submit" value="Выход">
</form>

Do I need to protect the user's logout request from CSRF?
How could an attacker exploit this vulnerability in this case?
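A minimal server-side counterpart to the form above, added here as an illustration and not taken from the linked AccountController: the logout handler accepts only POST, compares the submitted token against the per-session one in constant time, and only then clears the session. The session store is a plain dict and the handler signature are assumptions for the example.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Create a per-session CSRF token on first use and return it for embedding in the form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_logout_form(session: dict) -> str:
    """Logout form with action/method set explicitly and the token carried in a named field."""
    token = issue_csrf_token(session)
    return (
        '<form action="/logout" method="post">\n'
        f'    <input type="hidden" name="csrf_token" value="{token}">\n'
        '    <input type="submit" value="Log out">\n'
        '</form>'
    )


def handle_logout(session: dict, method: str, form: dict) -> tuple:
    """Hypothetical logout endpoint. Returns (HTTP status, resulting session).

    A cross-site request can neither send a POST with the session-bound token
    (it is not readable from another origin) nor trigger logout via a plain GET,
    e.g. an <img src="/logout"> on a third-party page.
    """
    if method != "POST":
        return 405, session            # GET must never change state
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # compare_digest avoids timing leaks; encode so non-ASCII input cannot raise
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, session            # keep the user logged in
    return 200, {}                     # valid request: drop the whole session


if __name__ == "__main__":
    # constructed sample session for a logged-in user
    sess = {"user": "alice"}
    print(render_logout_form(sess))
    print(handle_logout(sess, "GET", {}))
    print(handle_logout(sess, "POST", {"csrf_token": sess["csrf_token"]}))
```

Rejecting GET is as important as the token check: a logout that works on GET can be triggered by any image or link on a page the user visits, regardless of the token in the form.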


3 answers
Nazar Mokrinsky, 2016-08-22
@27cm

In my opinion, it is good practice to protect against CSRF anytime, anywhere.

D', 2016-08-22
@Denormalization

> How could an attacker exploit this vulnerability in this case?
Suppose there is a bug on the login page. To exploit it, the user has to go there. So you forcibly log the user out instead of waiting for that moment.
Or, for example, to stop the administrator from doing something (say, banning a user) by forcibly kicking him out of the system ...
In general, this is a matter of personal paranoia. They won't find CSRF here, they'll find a different bug somewhere else.

Uncle Seryozha, 2016-08-24
@Protos

For example, I have a self-written program running under my account (it looks for clients); I would be upset if someone logged me out.
