@bewithsahilsaif When I pause on the callback event, if I change the state code or remove it as you showed, it shows a CSRF error. No matter what I do, it always throws a CSRF error. When I re-add the correct state code, it just logs in and works perfectly.
Does this issue still persist? If so, where does it come from? I would like to fix it or have a look at this with my own repo clone.
Note: I do not use third party authentications such as facebook or google. I use rails-sso-provider and rails-sso-client repos for own auth.
Hi,
I have previously submitted this issue to OmniAuth via GitHub; yesterday they told me to submit it to you.
Here is the original content of the issue. Please let me know if you need to know anything about this issue.
I found a CSRF issue with omniauth. Actually, there is no validation of the state token done during the execution of the OAuth callback. Following is the request link for login into the forum after the authorization from auth-client getpebble.com:
https://forums.host.com/auth/oauth2_basic/callback?code=261b8f5d8a998d19124107b8dd1d74d6f0088168577d02576325f0cb3b9dbd14&state=75f3a680522122b3683d6984000e4fd3310f41f8d13bf857
See, the above endpoint is protected from the CSRF issue with a verification token named "state".
But the application is not properly validating the presence of the state token during the execution. This protection can be easily bypassed by just deleting the state token from the request to perform CSRF exploitation. The bypass for this CSRF protection will look like this (without the state token):
https://forums.host.com/auth/oauth2_basic/callback?code=261b8f5d8a998d19124107b8dd1d74d6f0088168577d02576325f0cb3b9dbd14&state=
Please fix this issue by validating the state token properly before executing the request.
Please also let me know if you need to know anything else about this issue.
Thanks
Sahil Saif
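The defect described in the issue above is a callback that treats an absent or empty state parameter as "nothing to check" rather than as a failed check. The following is an added example (not OmniAuth's code, and not code from this repository) of the server-side half of the state handshake done strictly: the state is minted and stored in the session on the way out, and on the callback it is consumed once and compared in constant time, with a missing or empty value rejected the same way as a wrong one. Names such as `build_authorize_url`, `validate_callback_state` and the `omniauth.state` session key are assumptions for the example.

```ruby
require 'securerandom'

# Added example: strict OAuth2 "state" validation for a callback endpoint.
# Hypothetical helper names; the session is modelled as a plain Hash.

STATE_BYTES = 24
SESSION_KEY = 'omniauth.state' # assumed key name, not a real OmniAuth constant

# Step 1 (request phase): mint a random state, remember it server-side,
# and send it with the authorization request.
def build_authorize_url(session, provider_authorize_endpoint)
  state = SecureRandom.hex(STATE_BYTES)
  session[SESSION_KEY] = state
  "#{provider_authorize_endpoint}?response_type=code&state=#{state}"
end

# Byte-wise comparison that does not short-circuit on the first difference,
# so timing does not reveal how much of the token an attacker guessed right.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Step 2 (callback phase): the stored state is consumed (single use) and the
# returned value must be present, non-empty and identical. Returns :ok or a
# symbolic reason that the caller can log.
def validate_callback_state(session, params)
  expected = session.delete(SESSION_KEY)
  actual   = params['state']

  return :missing_session_state if expected.nil? || expected.empty?
  # This is the check the issue is about: an empty or absent parameter
  # must fail, it is never treated as "no state to verify".
  return :missing_state if actual.nil? || actual.to_s.empty?
  return :state_mismatch unless constant_time_equal?(expected, actual.to_s)

  :ok
end

# Callback handler: any verdict other than :ok is refused before the
# authorization code is exchanged for a token.
def handle_callback(session, params)
  verdict = validate_callback_state(session, params)
  return { status: 403, error: "csrf_detected:#{verdict}" } unless verdict == :ok

  { status: 200, code: params['code'] }
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  build_authorize_url(session, 'https://provider.example/oauth/authorize')
  good = session[SESSION_KEY]
  # Constructed callbacks: a genuine one and the "state=" bypass from the report.
  p handle_callback(session.dup, 'code' => 'constructed-code', 'state' => good)
  p handle_callback(session.dup, 'code' => 'constructed-code', 'state' => '')
end
```

Because the stored state is deleted when it is first read, a replay of a genuine callback URL also fails (`:missing_session_state`), which is worth logging separately from a plain mismatch when tuning detection for this endpoint.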