Details
- Type: Task
- Status: Open
- Priority: Trivial
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: Pending Closure
- Component/s: None
- Labels:
Description
I'm trying to persuade myself to what extent a Web Flow application would automatically not be vulnerable to CSRF. CSRF depends on an existing user "session", and, I think, either a stateless request that can be handled, or knowing exactly what state the user is in, so that you can cause an appropriate request to be sent for that state?
WebFlow is clearly not stateless. And, in fact, an external request, by default, causes a new execution key to be created, so only higher-scoped information (e.g. Session) would even be available, correct?
I guess an attacker familiar with the app could guess at e1 and sX, where X is some default path to the step they want to attack, but the victim would have to be there already? And even then, my testing seems to indicate that still a new execution will be started instead?
Sorry, I obviously don't know for certain, so I'm looking for a clear explanation of what is possible and why or why not.
I'd be happy to take this question elsewhere, but it seems like StackOverflow is the next-most-official support channel, and best I can tell it doesn't get much "official" attention. So I'm hoping this is an appropriate path.
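As an added illustration of the point raised above (not part of the original issue, and not Spring Web Flow's own code): a constructed model of a server that accepts a POST either on a predictable "e1sX"-style execution key or on a random token bound to the session. The `Server` class and its behaviour are assumptions for the demonstration; it only shows why a guessable key cannot serve as a CSRF defence and what the token-based mitigation looks like.

```python
import hmac
import secrets

# Constructed model (assumption, not Web Flow's implementation): per-session
# state plus two possible checks on an incoming POST.
class Server:
    def __init__(self):
        self.sessions = {}  # session_id -> {"step": int, "csrf": str}

    def login(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"step": 1, "csrf": secrets.token_urlsafe(32)}
        return sid

    def execution_key(self, sid):
        # Predictable: derived only from the flow position, e.g. "e1s1", "e1s2".
        return f"e1s{self.sessions[sid]['step']}"

    def handle_post(self, cookie_sid, params, require_token):
        sess = self.sessions.get(cookie_sid)
        if sess is None:
            return "no session"
        if require_token:
            # Random per-session token, compared in constant time.
            if not hmac.compare_digest(params.get("_csrf", ""), sess["csrf"]):
                return "rejected: bad csrf token"
        elif params.get("execution") != self.execution_key(cookie_sid):
            return "rejected: stale execution key"
        sess["step"] += 1
        return "accepted"


def forged_request_outcomes():
    """Victim is logged in at step 1; a cross-site form submission carries the
    victim's cookie but can only place guessable values in the body."""
    srv = Server()
    victim = srv.login()
    # Predictable key only: a guessed "e1s1" passes the check.
    key_only = srv.handle_post(victim, {"execution": "e1s1"}, require_token=False)

    srv2 = Server()
    victim2 = srv2.login()
    # Random token required: guessed values are rejected.
    guessed_token = srv2.handle_post(
        victim2, {"execution": "e1s1", "_csrf": "e1s1"}, require_token=True)
    # Same-origin form that rendered the real token succeeds.
    legit = srv2.handle_post(
        victim2, {"_csrf": srv2.sessions[victim2]["csrf"]}, require_token=True)
    return key_only, guessed_token, legit
```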