What would be the security loophole if a logoff request is not validated with XSRF/CSRF token?
Do you need XSRF/CSRF token for a logoff request?
140 views Asked by Ming Zhu At
2
There are 2 answers
1
John Wu
On
Could be combined with an OWASP A10, e.g. the attacker also provides a return URL that points somewhere bad, e.g. a fake "sign on again" page where he can capture your password.
Related Questions in SECURITY
- HTTPS configuration in Spring Boot, server returning timeout
- HSM ZKA control mask values
- OWASP Amass Subcommands
- Is there a need for BPF Linux namespace?
- Error when trying to execute a binary compiled in a Kali Linux machine on an Ubuntu system
- When sanitize/encode while implementing tags system like on SO
- spring security version in spring-boot-starter-security
- I am currently trying to implement a rudimentary firewall from a video I watched but the nimda worm detection is not working and i do not know why?
- Is it possible for `sudo` to fail temporarily with the correct password? Hacking suspected
- Is it viable proxying all my mobile apps requests, to some kind knowing that a request is coming from a secure source
- What abilities should I concentrate on while bug hunting, and how can I improve the quality of my bug bounty reports?
- System.ArgumentOutOfRangeException: I passed this error in every single program
- How to prevent users from creating custom client apps?
- Does server-side content security policy exist for youtube video player API, app, mod apks and website?
- Can we pass a hostname/IP address as a query string in a GET request in REST API
Related Questions in CSRF
- Django admin csrf token not set
- 400 Bad Request From React Axios Graphql SageX3
- Laravel 11 with MongoDB: CSRF token doesn't work / 419 error on Login
- How to handle CSRF token with Firebase, Angular, and Express?
- Is checking whether req.body.csrfToken and req.cookies.csrfToken match is enough to prevent CSRF attack?
- When I turn on CSRF protection, it forbids all of my requests | Spring Security
- "An expected CSRF token cannot be found" Springboot 3.2.1 gateway + Springsecurity 6.2.1
- Django application experiencing "CSRF token missing" error specifically for POST requests when deployed with Nginx and Gunicorn
- NextJs not setting the cookie from django csrf_token
- Spring Security how to stop creating new CSRF cookie everytime a request is called
- 419 token mismatch laravel api and react
- Does clerk protect against CSRF for all form requests or just login/sign up?
- Django App not returning csrf token on get response.cookie consistently
- 403 error with SvelteKit form submissions behind ALB with TLS termination
- csrf error when simulating a post request in django
Related Questions in LOGOUT
- Typescript Mongoose Error 'not assignable to type 'string''
- Google Workspace + AWS Cognito | Single Logout using SAML Integration
- Automatically log the user out when the browser or tab closes
- navigation.navigate(screenName) not working in React Native
- Keycloak-Angular - Redirect to "Confirm Logout" page when logging out after a page refresh
- Woocomerce logout link
- Django logout view shows a blank page and does not log out a user
- JWT Auth: How is irrevocability an acceptable tradeoff?
- Reset the Navigation Stack after logout in NextJS(App Router)
- .Net 8: Cannot logout user with "Individual Accounts Auth" template
- Users experiencing logouts too fast in CakePHP 4
- The GET method is not supported for route logout. Supported methods: POST in laravel when manually type logout in url
- NodeJS - Logging out a user but browser back button allows me to go into previous session
- Auth0 redirects me to the login page when I add a logout button to an Angular component
- Running logout with react and spring boot does not work well
Related Questions in LOGOFF
- Logoff remote system using c++
- Figure out which desktop is active at the moment from the Win service
- powershell code to remotely logg off a user session when a particular event ID is encountered in system logs
- Force logoff users who were logged in via Fiori launchpad
- Sign Out, Restart and Shutdown Access Denied (5) when invoking from VB.NET
- Is there a way to make two sibling components have asynchronous knowledge of a state in ReactJS?
- Log off users remotely
- log off using task manager and .bat file on Windows 7 Pro
- How to run a fully functional batch file from a python script?
- Script to Log Off Specific Disconnected User via PS
- VB.Net Pausing Windows Shutdown or Logoff
- Related Logon and Logoff events in Windows using Win32_NTLogEvent class
- Automatically logout off web page Aurelia MVC5 authentication on ExpireTimeSpan
- Windows 7 - Black screen at logoff / switch user
- Do you need XSRF/CSRF token for a logoff request?
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Popular Tags
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Don't think of Anti-CSRF tokens as a mechanism implemented on individual endpoints/requests. Ideally, such a mechanism is baked in as a critical part of the framework you're developing in.
An Anti-CSRF may seem redundant on a logout link, which is not what worries me here. What worries me is designing a system which allows, or rather, does not enforce Anti-CSRF mechanisms.
In this context, the CSRF may seem benign. What happens however, when the logout link is vulnerable to say, XSS? Suddenly the Anti-CSRF token is no longer there to protect you.
Always practice Defence in Depth, in that your security should be wrapped in layers, Anti-CSRF being one of them.