User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20100101 Firefox/15.0.1
Build ID: 20120905151427

Steps to reproduce:
If you comment on an app and rate it (https://marketplace.mozilla.org/app/twitter/reviews/) that comment can be deleted via XSRF. The request for that looks like this:

POST: https://marketplace.mozilla.org/app/twitter/reviews/383640/delete
Host: marketplace.mozilla.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: */*
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
X-CSRFToken: D5GWI53FQ2jjzZ5YhVpMeDU9LRKwG87i
X-Requested-With: XMLHttpRequest
Referer: https://marketplace.mozilla.org/app/twitter/reviews/
Cookie:Cookie
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0

Please note the X-CSRFToken header - it is not being validated on the server side but probably should be.
I attempted to reproduce this and was unsuccessful. Using ZAP I deleted the token and got an error. mfuller tested as well by editing the token and also getting an error. Could you provide a more complete set of steps on how you were able to accomplish this?
The errors received when editing the token are the same as when a direct POST to the URL is done:

<h2>Oops! Not allowed.</h2>
<p>You tried to do something that you weren't allowed to.</p>
<p>Try going back to the previous page, refreshing and trying again.</p>

This is when altering a single letter in the X-CSRFToken header. It seems the header is being checked, but Christian, please detail the steps because we may be missing something.
I'm sorry, false alarm. I've used a stupid Firefox plugin called Tamper Data before I filed this bug, not a proper HTTP proxy. Apparently Tamper Data doesn't let me tamper with HTTP headers (works fine with request params usually). Even though I modified the XSRF header, Tamper Data still sent the original one to the server, thus the 200.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID
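The check the thread confirms (a request whose X-CSRFToken header is missing or altered by a single letter gets "Oops! Not allowed." while the unmodified token succeeds), as an added illustration that is not Marketplace's own code: a simplified, Django-style per-session token compared in constant time against the header. The token value, the review id and the ReviewStore stand-in are taken from the report or constructed here; real Django also ties the header token to the csrftoken cookie, which is omitted.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_LEN = 32  # Django-style 32-character alphanumeric token
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def issue_csrf_token() -> str:
    """Issue a fresh per-session CSRF token (server side, at login / page render)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))


def csrf_token_valid(session_token: str, headers: dict) -> bool:
    """True only if X-CSRFToken is present and equals the token bound to the session."""
    supplied = headers.get("X-CSRFToken")
    if not supplied or len(supplied) != len(session_token):
        return False
    # Constant-time compare so the check itself does not leak the token byte by byte.
    return hmac.compare_digest(supplied.encode(), session_token.encode())


@dataclass
class ReviewStore:
    """Constructed stand-in for the review table behind .../reviews/<id>/delete."""
    reviews: dict = field(default_factory=lambda: {383640: "my review of the app"})

    def delete_review(self, session_token: str, headers: dict, review_id: int):
        """Handle the delete POST; returns (HTTP status, body) like the thread's responses."""
        if not csrf_token_valid(session_token, headers):
            return 403, "Oops! Not allowed."
        if review_id not in self.reviews:
            return 404, "Not found"
        del self.reviews[review_id]
        return 200, "deleted"


def tamper_one_letter(token: str) -> str:
    """Alter a single character of the token, as mfuller did by hand in the proxy."""
    first = "A" if token[0] != "A" else "B"
    return first + token[1:]
```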