Camunda Optimize / OPT-2216

User session expires after CSRF attack

Details

    • Type: Task
    • Resolution: Fixed
    • Priority: L3 - Default
    • 2.7.0

    Description

      // given

      • One tab with a valid Optimize user session
      • One tab with a link that contains a forged request against Optimize

      // when
      I execute a forged request against Optimize

      // then
      my valid user session in Optimize expires

      // hint
      the forged request will be blocked, so no CSRF attack is possible
      the response to the forged request contains the following headers:

      Set-Cookie: X-Optimize-Authorization=;Version=1;Comment="delete cookie";Path=/;Max-Age=0;HttpOnly
      Content-Length: 0

      the forged request is hidden in the following HTML doc

      <html><body>
      <img src="http://127.0.0.1:8090/api/collection?orderBy=created" width="0" height="0">
      </body></html>
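
      As an added illustration (not Optimize's own code; the issue does not describe how Optimize detects the forged request), the handler below models the reported behaviour next to a hardened variant. The cookie name and the Set-Cookie header come from the issue; the cross-site signal (the browser's Sec-Fetch-Site header) and the session store are assumptions.

```python
from http.cookies import SimpleCookie

COOKIE = "X-Optimize-Authorization"
# Exact header the issue reports on the response to the blocked request.
DELETE_COOKIE = f'{COOKIE}=;Version=1;Comment="delete cookie";Path=/;Max-Age=0;HttpOnly'
VALID_SESSIONS = {"session-abc"}  # constructed sample session store


def session_cookie(headers):
    """Return the session cookie value the browser attached, or None."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    return jar[COOKIE].value if COOKIE in jar else None


def is_cross_site(headers):
    """Assumption: a request is treated as forged when the browser marks it
    cross-site; an <img> load from another origin carries Sec-Fetch-Site: cross-site."""
    return headers.get("Sec-Fetch-Site") == "cross-site"


def handle_reported(headers):
    """Behaviour from the issue: the forged request is blocked, but the rejection
    path also expires the cookie, so the victim's real session is destroyed."""
    if is_cross_site(headers) or session_cookie(headers) not in VALID_SESSIONS:
        return 401, {"Set-Cookie": DELETE_COOKIE, "Content-Length": "0"}
    return 200, {}


def handle_hardened(headers):
    """Hardened: a blocked cross-site request has no side effect on the session;
    the cookie is expired only when the presented value itself is invalid."""
    if is_cross_site(headers):
        return 403, {"Content-Length": "0"}
    token = session_cookie(headers)
    if token in VALID_SESSIONS:
        return 200, {}
    response = {"Content-Length": "0"}
    if token is not None:  # only clear a cookie that was actually presented
        response["Set-Cookie"] = DELETE_COOKIE
    return 401, response


def issue_cookie(token):
    """Login response: SameSite=Strict stops browsers from attaching the cookie to
    cross-site loads such as the hidden <img>, so the forged request never carries it."""
    return f"{COOKIE}={token};Path=/;HttpOnly;SameSite=Strict"


# Constructed headers of the hidden <img> request: the browser attaches the valid cookie.
FORGED = {"Cookie": f"{COOKIE}=session-abc", "Sec-Fetch-Site": "cross-site"}
```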
      

    People

      Assignee: Unassigned
      Reporter: Michael Schoettes (michael.schoettes)