Answer the question
In order to leave comments, you need to log in
C
C
Cat Anton2016-08-22 03:06:31
Cat Anton, 2016-08-22 03:06:31
Does it make sense to protect the "Exit" button from CSRF?
All the best.
I accidentally stumbled upon the code for protecting the user's logout request: AccountController.php#L90-L99
The author shows the confirmation form, and only after receiving confirmation logs out the user, although it could have been simpler:
<form src="/logout">
<input type="hidden" value="csrf-token">
<input type="submit" value="Выход">
</form>Do I need to protect the user's logout request from CSRF?
How could an attacker exploit this vulnerability in this case?
3 answer(s)
@27cm
@Denormalization
@Protos
N
Nazar Mokrinsky, 2016-08-22 @27cm
In my opinion, it is good practice to protect against CSRF anytime, anywhere.
D
D', 2016-08-22 @Denormalization
>How can an attacker exploit this vulnerability in this case?
Find the bug on the login page. But in order to operate it, the user needs to go there. Therefore, you need to forcibly log out the user so as not to wait for this moment.
Or, for example, to prevent the administrator from doing something (for example, to ban a user) by forcibly kicking him out of the system ...
In general, this is a matter of personal paranoia. They will not find CSRF here, they will find another error elsewhere.
U
Uncle Seryozha, 2016-08-24 @Protos
For example, I have a self-written program under my account that works (looking for clients), I would be offended if someone married me
Similar questions
A
A
O
ONEGin2013-05-27 12:01:00
Script substitution on the way to the client (possibly by the provider)
4Reply
C
K
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question