Spring Web Flow issue SWF-1729

Describe CSRF implications of Web Flow

I'm trying to persuade myself to what extent a Web Flow application would automatically not be vulnerable to CSRF. CSRF depends on an existing user "session", and, I think, either a stateless request that can be handled, or knowing exactly what state the user is in, so that you can cause an appropriate request to be sent for that state?

WebFlow is clearly not stateless. And, in fact, an external request, by default, causes a new execution key to be created, so only higher-scoped information (e.g. Session) would even be available, correct?

I guess an attacker familiar with the app could guess at e1 and sX, where X is some default path to the step they want to attack, but the victim would have to be there already? And even then, my testing seems to indicate that still a new execution will be started instead?

Sorry, I obviously don't know for certain, so I'm looking for a clear explanation of what is possible and why or why not.

I'd be happy to take this question elsewhere, but it seems like StackOverflow is the next-most-official support channel, and best I can tell it doesn't get much "official" attention. So I'm hoping this is an appropriate path.

rstoya05-aop Rossen Stoyanchev
breaux Doug Breaux
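A constructed Python model of the resume-versus-new-execution behaviour discussed in the ticket, added here as an illustration and not Web Flow's own code; the FlowExecutor class, the session ids, the e1s1 key format and the _csrf parameter name are assumptions. It shows why a predictable execution key is not a substitute for a random, session-bound token: a correct guess of the key resumes the victim's live execution, a wrong key only starts a new execution (the behaviour the reporter observed), and a token check rejects the forged request regardless.

```python
import hmac
import secrets

class FlowExecutor:
    """Constructed model of the behaviour described in the ticket (not Web Flow code):
    a request whose execution key matches a live execution resumes it; any other
    request starts a new execution. Session scope survives either way."""

    def __init__(self, require_csrf_token):
        self.require_csrf_token = require_csrf_token
        self.sessions = {}   # session id -> {"executions": {key: state}, "csrf": token}
        self.exec_counter = 0

    def start(self, session_id):
        sess = self.sessions.setdefault(
            session_id, {"executions": {}, "csrf": secrets.token_urlsafe(16)})
        self.exec_counter += 1
        key = f"e{self.exec_counter}s1"   # predictable, like the e1s1 keys in the post
        sess["executions"][key] = {"step": 1, "data": {}}
        return key

    def handle(self, session_id, params):
        """Return (execution_key, resumed). Raise PermissionError on a bad CSRF token."""
        sess = self.sessions.get(session_id)
        key = params.get("execution")
        if sess is None or key not in sess["executions"]:
            return self.start(session_id), False          # unknown key: fresh execution
        if self.require_csrf_token:
            # The token is random, bound to the session and never exposed cross-site,
            # which is what the guessable execution key lacks.
            if not hmac.compare_digest(params.get("_csrf", ""), sess["csrf"]):
                raise PermissionError("CSRF token mismatch")
        state = sess["executions"][key]
        state["data"].update((k, v) for k, v in params.items()
                             if k not in ("execution", "_csrf"))
        state["step"] += 1
        return key, True

def forged_request(require_csrf_token, guessed_key):
    """Victim's browser holds a session with a live execution at e1s1; a cross-site
    form submits the guessed key but cannot include the victim's token."""
    ex = FlowExecutor(require_csrf_token)
    victim_key = ex.start("victim-session")
    forged = {"execution": guessed_key, "amount": "9999"}  # constructed sample request
    try:
        key, resumed = ex.handle("victim-session", forged)
    except PermissionError:
        return "rejected"
    return "resumed victim execution" if resumed and key == victim_key else "new execution"
```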