REST API is vulnerable to CSRF attacks from the webapp
Although the LEAP web application’s REST API is supposed to be on a separate subdomain, users can still interact with it on the same domain as the web application. This behavior leads to Cross-Site Request Forgery vulnerabilities in the REST API for two reasons.
- The web application and REST API both identify users with the _session_id cookie. Web browsers will send this cookie to the REST API when it is accessed on the same domain as the web app.
- The REST API does not require a CSRF token to validate requests. Therefore, an attacker could forge requests from arbitrary domains to the REST API when it is hosted on the same domain as the web app.

Currently, the REST API is somewhat limited and only exposes functionality for establishing and managing sessions, as well as creating and updating users. The most valuable REST API functionality, from an attacker’s point of view, is the service for updating users, as it allows an authenticated user to change any value associated with the user in the database. Leveraging this vulnerability, it is possible to update the user via a CSRF exploit against the REST API as long as the attacker knows the victim’s user ID.
Update the web server’s configuration so that it is not possible to access the REST API on the same domain as the web app.
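As an added illustration of the recommended fix (example code, not LEAP's own), the same host separation can be enforced inside the Rack stack as a safety net behind the web server configuration: API routes are only served when the request arrived on the dedicated API host, so a browser on the web-app origin never reaches the cookie-bearing endpoints. The API host name and the `/1/` route prefix are assumed values.

```ruby
# Added example, not LEAP code: Rack-style middleware that refuses to serve
# REST API routes on any host other than the dedicated API host.
class ApiHostGuard
  API_HOST   = 'api.example.org'.freeze   # assumed API subdomain
  API_PREFIX = '/1/'.freeze               # assumed REST API route prefix

  def initialize(app)
    @app = app
  end

  def call(env)
    path = env['PATH_INFO'].to_s
    # Strip any port and normalise case before comparing the Host header.
    host = env['HTTP_HOST'].to_s.split(':').first.to_s.downcase
    if path.start_with?(API_PREFIX) && host != API_HOST
      # Serving the API on the web-app domain is what lets a forged request
      # ride on the _session_id cookie; answer 404 so the route does not
      # exist on that origin at all.
      return [404, { 'Content-Type' => 'text/plain' }, ["not found\n"]]
    end
    @app.call(env)
  end
end

# Minimal stand-in application so the guard can be exercised without a server.
OK_APP = ->(env) { [200, { 'Content-Type' => 'text/plain' }, ["ok #{env['PATH_INFO']}\n"]] }

# Returns the HTTP status the guarded stack produces for a given host and path.
def guarded_status(host, path)
  ApiHostGuard.new(OK_APP).call('HTTP_HOST' => host, 'PATH_INFO' => path).first
end
```

In a real deployment this sits in front of the API routes via `config.middleware.use ApiHostGuard`, with the web server still configured so the API is never routed to the web-app vhost in the first place.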
(from redmine: created on 2013-08-21, closed on 2014-03-18)
- Relations:
- duplicates #3171 (closed)
- child #3570 (closed)
- child #3766 (closed)
- child #3899 (closed)
- parent #3516