On 2016-04-30 16:02, Timo Juhani Lindfors wrote:
Security tip: the chat seems to be vulnerable to CSRF attacks so any website can trick your browser into sending chat messages in your name (or "in your IP address").
Yes it does; this is a proof of concept, don't use it as is. Nonetheless, I thank you in general for reporting any findings of the sort.
IP addresses are not a good identifier anyway. On most occasions where I showed the program, the participants shared the same address. You would also expect the program to be safe against accidental resubmission of the same message, so submission IDs would be a good idea. If you want to use this for anything productive, there should also be surge protection.
Since the demo uses no authenticated sessions to protect, I've implemented a referer check. More reliable checks should be used in an environment which maintains a real user session to track. This would exceed the scope of this demo.
BTW, this makes good further reading: https://www.owasp.org/index.php/OWASP_Top_Ten_Project
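The two measures the reply mentions, a referer check for a session-less demo and submission IDs against accidental resubmission, as an added example that is not the chat demo's own code; the origin `https://chat.example.org`, the header dict and the `SubmissionLog` class are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumption (not from the thread): the chat is served from this origin
# and the message handler receives request headers as a plain dict.
ALLOWED_ORIGIN = "https://chat.example.org"


def _origin_of(url: str) -> str:
    """Reduce a URL (or Origin value) to scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""  # covers "null" Origins and malformed values
    return f"{parts.scheme}://{parts.netloc}".lower()


def same_origin_request(headers: dict) -> bool:
    """Cross-site check for a session-less endpoint: prefer the Origin
    header, fall back to Referer, and fail closed when neither is present."""
    origin = headers.get("Origin")
    if origin is not None:
        return _origin_of(origin) == ALLOWED_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return _origin_of(referer) == ALLOWED_ORIGIN
    return False


class SubmissionLog:
    """Remembers submission IDs so a repeated POST of the same message is dropped."""

    def __init__(self):
        self._seen = set()

    def accept(self, headers: dict, submission_id: str, text: str) -> str:
        if not same_origin_request(headers):
            return "rejected: cross-site request"
        if submission_id in self._seen:
            return "ignored: duplicate submission"
        self._seen.add(submission_id)
        return f"posted: {text}"


if __name__ == "__main__":
    log = SubmissionLog()
    # Constructed sample requests: one from the chat page, one from elsewhere.
    own_page = {"Origin": "https://chat.example.org"}
    other_site = {"Referer": "https://other.example/page.html"}
    print(log.accept(own_page, "id-1", "hello"))     # posted: hello
    print(log.accept(own_page, "id-1", "hello"))     # ignored: duplicate submission
    print(log.accept(other_site, "id-2", "text"))    # rejected: cross-site request
```

Failing closed when both headers are absent also blocks clients that strip Referer for privacy, which is the trade-off of a header-only check; once a real user session exists, a per-session token is the more reliable check the reply refers to.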