3

Is it okay that a website displays the csrf_token as a URL parameter? I have a feeling that I shouldn't be able to see it, but I am not quite sure. If someone can clear this up a bit, I would be grateful!

Sayed Alesawy

2 Answers

5

No, it's not acceptable.

Passing tokens in URLs isn't normally an acceptable solution. Actually it's in some cases considered a vulnerability.

What if the website is not running under HTTPS?

What if it's running under HTTPS but HSTS isn't enabled on the server? Then SSL-Stripping techniques would be possible and other MITM attacks.

Even if it's running under HTTPS and HSTS is enabled, that won't solve the issue.

The token could be exposed in:

  • Referer Header
  • Web Logs
  • Shared Systems
  • Browser History
  • Browser Cache

For more information refer to:

Information exposure through query strings in url

OWASP CSRF Cheatsheet

shawkyz1
  • Thanks for the clarification. I have tried to re-generate the problem on that site. It happens every time I change my profile picture, possibly every time the site sends a POST request. Do you think it's worth reporting to the site? – Sayed Alesawy Jan 08 '18 at 20:37
2

The typical characteristics of a CSRF Token are as follows:

  • Unique per user session
  • Large random value
  • Generated by a cryptographically secure random number generator

CSRF tokens in GET requests are potentially leaked at several locations: browser history, HTTP log files, network appliances that make a point to log the first line of an HTTP request, and Referer headers if the protected site links to an external site, so it is not recommended.

fcerullo
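The following is an added example, not part of either answer above: a server-side sketch that issues a token with the characteristics listed in the second answer, accepts it only from a header or the POST body, and masks it before a URL reaches a log. The header name `X-CSRF-Token`, the dict-based session and request arguments, and the policy of rejecting any request that carries the token in its query string are assumptions of this sketch.

```python
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_FIELD = "csrf_token"       # parameter name from the question
TOKEN_HEADER = "X-CSRF-Token"    # assumed header name for this sketch


def issue_token(session: dict) -> str:
    """Create one large random token per session using the OS CSPRNG."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)  # 256 bits of entropy
    return session[TOKEN_FIELD]


def verify_request(session: dict, method: str, url: str,
                   headers: dict, form: dict) -> bool:
    """Accept the token only from a header or the POST body, never the URL."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so they need no token
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if TOKEN_FIELD in query:
        return False  # sketch policy: a token seen in a URL counts as exposed
    supplied = headers.get(TOKEN_HEADER) or form.get(TOKEN_FIELD) or ""
    expected = session.get(TOKEN_FIELD, "")
    # Constant-time comparison on bytes; an empty expected value never matches.
    return bool(expected) and hmac.compare_digest(supplied.encode(),
                                                  expected.encode())


def redact_url(url: str) -> str:
    """Mask the token value before a URL is written to a log line."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == TOKEN_FIELD else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    session = {}                                   # constructed sample session
    tok = issue_token(session)
    url = "https://app.example/profile"            # constructed sample URL
    print(verify_request(session, "POST", url, {TOKEN_HEADER: tok}, {}))
    print(verify_request(session, "POST", f"{url}?{TOKEN_FIELD}={tok}", {}, {}))
    print(redact_url(f"{url}?{TOKEN_FIELD}={tok}&id=7"))
```

Header lookup here is case-sensitive for brevity; a real framework's request object normalises header names.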