Broken Authentication (Insecure CSRF and Session ID)
We have carried out security tests on our system developed with Django. Our security specialists report a vulnerability to us when a CSRF token is obtained (Broken Authentication: Insecure CSRF and Session ID), since if this token is obtained it is possible to reuse it several times, allowing brute force attacks. Is it possible to modify the validity of this token, or disable it when it is consumed in a POST/PUT request and generate a new token within the session, or limit the validity period of the initial CSRF token?
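The ticket asks for a token that is burned once a POST/PUT consumes it and that expires after a fixed time. As an added illustration, not Django's implementation and not code from the ticket, this is one way that scheme looks in plain Python; Django itself exposes `django.middleware.csrf.rotate_token()` to issue a fresh CSRF secret, which `django.contrib.auth.login()` already calls. The class name `SingleUseCsrfStore`, the `ttl_seconds` default and the session ids are assumptions.

```python
"""Single-use, time-limited CSRF tokens: an illustration of the scheme the
ticket asks for, not Django's own CSRF machinery (assumption throughout)."""
import hmac
import secrets
import time


class SingleUseCsrfStore:
    """One live token per session; burned when used, expired after ttl_seconds."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so tests can move time forward
        self._live = {}          # session_id -> (token, issued_at)

    def issue(self, session_id):
        """Mint a fresh token for the session, replacing any earlier one
        (call when rendering a form)."""
        token = secrets.token_urlsafe(32)            # 256 bits of entropy
        self._live[session_id] = (token, self._clock())
        return token

    def consume(self, session_id, presented):
        """Check the token sent with a POST/PUT and burn it.

        Returns (accepted, next_token). Whatever the outcome the old token is
        gone and a new one is issued, so a captured value cannot be replayed.
        Trade-off: a forged request with a wrong token also invalidates the
        user's open form, so the server must re-render it with next_token.
        """
        entry = self._live.pop(session_id, None)
        next_token = self.issue(session_id)
        if entry is None or not isinstance(presented, str):
            return False, next_token
        token, issued_at = entry
        expired = self._clock() - issued_at > self._ttl
        # compare_digest keeps comparison time independent of where a
        # mismatch occurs, so timing does not leak the token byte by byte
        matches = hmac.compare_digest(token, presented)
        return (matches and not expired), next_token


if __name__ == "__main__":
    store = SingleUseCsrfStore(ttl_seconds=60)
    first = store.issue("session-A")             # constructed session id
    print("first use:", store.consume("session-A", first)[0])   # True
    print("replay:   ", store.consume("session-A", first)[0])   # False
```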
Change History (2)

Resolution: (none) → needsinfo
Status: new → closed
Resolution: needsinfo → invalid
There's not sufficient detail here to assess. As well, it's a security report and should not be made in public.
Please follow up with sufficient detail to reproduce to security@…
This is highlighted before creating an issue: