CVE-2023-45857 (CWE-359) XSRF-TOKEN value is disclosed to an unauthorised actor
Problem
Describe the bug

Hi team, @jasonsaayman and @DigitalBrainJS,

The library inserts the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN cookie is available and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass. It's crucial to ensure the protection of CSRF tokens. These tokens should be treated as confidential information and managed securely at all times. You may check it here:

https://portswigger.net/web-security/csrf/preventing
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

Type of vulnerability: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Severity: High (7.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

To Reproduce

1) Start a new project using the latest version of Next.js by running the following command: `npx create-next-app@latest`. Then, install the latest version of the Axios library with this command: `npm i axios`
2) Create an Axios instance with the following configuration, which enables cross-site request forgery (CSRF) protection by including credentials in requests: [code block]
3) Install the XSRF-TOKEN cookie with specific attributes. Set the cookie value "whatever" and configure it for the "localhost" domain with a strict same-site policy: [code block]
4) Initiate a cross-domain request using your Axios
Securely Manage XSRF-TOKEN to Prevent Unauthorized Disclosure
The application exposes the XSRF-TOKEN cookie value in the X-XSRF-TOKEN header for all requests when the withCredentials setting is enabled. This can lead to unauthorized access if a malicious actor obtains the token, allowing them to bypass CSRF protections.
1. Update Axios Configuration

Modify the Axios instance configuration so that the XSRF-TOKEN is not attached to cross-origin requests unless explicitly required. This can be done by setting 'xsrfHeaderName' to a different value or by not including the header at all.

```javascript
const axiosInstance = axios.create({
  withCredentials: true,
  // 'X-XSRF-TOKEN' is axios's default header name; naming it here changes nothing by itself.
  xsrfHeaderName: 'X-XSRF-TOKEN',
  // Stops axios copying the cookie into the header automatically; attach the token yourself
  // only on same-origin requests that need it.
  xsrfCookieName: null,
});
```

2. Implement Token Rotation

Implement a mechanism to rotate the XSRF-TOKEN periodically or after certain actions to minimize the risk of token reuse by malicious actors. This can be done by generating a new token on the server and sending it to the client after a successful request.

```javascript
const crypto = require('crypto');
const app = require('express')();

// Issue a fresh, unpredictable token after each successful request.
function generateNewXSRFToken() {
  return crypto.randomBytes(32).toString('hex');
}

app.post('/api/secure-endpoint', (req, res) => {
  const newToken = generateNewXSRFToken();
  // httpOnly hides the cookie from document.cookie, so the client must be given the token another way.
  res.cookie('XSRF-TOKEN', newToken, { httpOnly: true, secure: true, sameSite: 'Strict' });
  res.json({ success: true });
});
```

3. Set Cookie Attributes

Ensure that the XSRF-TOKEN cookie is set with appropriate attributes to enhance security. Use 'HttpOnly', 'Secure', and 'SameSite=Strict' to prevent access from unauthorized scripts and cross-site requests.

```javascript
// httpOnly keeps scripts from reading the cookie, secure restricts it to HTTPS,
// and sameSite 'Strict' stops the browser attaching it to cross-site requests.
res.cookie('XSRF-TOKEN', 'whatever', { httpOnly: true, secure: true, sameSite: 'Strict' });
```

4. Conduct Security Review

Perform a thorough security review of the application to identify any other potential vulnerabilities related to CSRF and token management. This includes reviewing all endpoints that use the XSRF-TOKEN and ensuring they validate the token properly.

5. Test the Fix

After implementing the changes, conduct tests to ensure that the XSRF-TOKEN is not exposed in unauthorized requests. Use tools like Burp Suite or OWASP ZAP to simulate attacks and verify that the token is protected.
Validation
Confirm that the XSRF-TOKEN is not included in the headers for unauthorized requests and that the token is rotated successfully after certain actions. Additionally, verify that the cookie attributes are set correctly and that no sensitive information is exposed during testing.
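As an added example (not part of the submitted fix or of axios's own code), the following models the cookie-to-header decision this CVE concerns so the validation above can be checked offline: the pre-fix rule copies the XSRF-TOKEN cookie into the header for any withCredentials request, while the hardened rule attaches it only to same-origin targets unless the caller opts in through a withXSRFToken flag (modelled on the option axios added in 1.6.0). The page origin, cookie jar and request URLs are constructed sample values.

```javascript
// Constructed sample environment: the page's origin and its script-readable cookie jar
// (what document.cookie would expose). The token value "whatever" is the one in the report.
const PAGE_ORIGIN = 'https://app.example';
const COOKIES = { 'XSRF-TOKEN': 'whatever' };

// Resolve a request URL (absolute or relative) against the page and compare origins.
function isSameOrigin(requestUrl, pageOrigin = PAGE_ORIGIN) {
  return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Build the header object from config and cookies. Destructuring defaults apply only to
// undefined, so xsrfCookieName: null disables the read, as in axios.
function readToken(config, cookies) {
  const { xsrfCookieName = 'XSRF-TOKEN', xsrfHeaderName = 'X-XSRF-TOKEN' } = config;
  const value = xsrfCookieName && xsrfHeaderName && cookies[xsrfCookieName];
  return value ? { [xsrfHeaderName]: value } : {};
}

// Pre-fix rule described in the report: any request with withCredentials:true carries the
// token whatever the destination, so a cross-origin server receives the secret.
function xsrfHeadersVulnerable(requestUrl, config = {}, cookies = COOKIES, pageOrigin = PAGE_ORIGIN) {
  if (config.withCredentials || isSameOrigin(requestUrl, pageOrigin)) {
    return readToken(config, cookies);
  }
  return {};
}

// Hardened rule: same-origin targets only, unless the caller sets withXSRFToken:true;
// withXSRFToken:false never attaches. withCredentials alone is no longer sufficient.
function xsrfHeadersHardened(requestUrl, config = {}, cookies = COOKIES, pageOrigin = PAGE_ORIGIN) {
  const optIn = config.withXSRFToken === true;
  const optOut = config.withXSRFToken === false;
  if (optIn || (!optOut && isSameOrigin(requestUrl, pageOrigin))) {
    return readToken(config, cookies);
  }
  return {};
}

// Validation table for the report's scenario: a credentialed request to another origin.
function validationReport() {
  const cross = 'https://other.example/collect';
  const same = '/api/secure-endpoint';
  return {
    vulnerableLeaksCrossOrigin: 'X-XSRF-TOKEN' in xsrfHeadersVulnerable(cross, { withCredentials: true }),
    hardenedLeaksCrossOrigin: 'X-XSRF-TOKEN' in xsrfHeadersHardened(cross, { withCredentials: true }),
    hardenedSendsSameOrigin: 'X-XSRF-TOKEN' in xsrfHeadersHardened(same, { withCredentials: true }),
  };
}
```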
Submitted by
Alex Chen