The sesskey param is a CSRF token Error in Penetration testing
luisdev opened this issue · comments
What is the URL of the page?
https://moodledev.io/general/development/process/security/penetration-testing
What is the issue with this page?
In the "The sesskey param is a CSRF token" section the page says:
The moodle session is stored in a normal cookie, and the sesskey is actually instead a somewhat poorly named CSRF token param.
What does "is actually instead" mean? Please rewrite that sentence so that it makes sense.
Are you able to provide a patch for this?
No response
I tried to rewrite. Hope this helps.
Current:
Many penetration tests highlight the use of the ?sesskey=xxx HTTP param as an issue because it leaks to session id. The moodle session is stored in a normal cookie, and the sesskey is actually instead a somewhat poorly named CSRF token param.
My rewrite:
Many penetration tests highlight the use of the ?sesskey=xxx HTTP parameter as a security issue, claiming that it leaks the session ID. In actuality, Moodle's sesskey is a somewhat poorly-named CSRF token. The Moodle session ID is stored separately in a normal cookie.
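To illustrate the distinction the rewrite draws between a session identifier and a CSRF token, here is an added example (not Moodle's code, nor code from anyone in this thread): a minimal server-side model in which the session id lives only in a cookie while a separate per-session token, named `sesskey` here to mirror the page, must accompany every state-changing request. The store, function names and token lengths are constructed for the example; the point it shows is that a token exposed in a URL cannot be used to recover or replay the session without the cookie.

```python
import hmac
import secrets

# Constructed in-memory session store: cookie session id -> session state.
# The CSRF token is stored *inside* the session, so there is no lookup
# from token to session; knowing the token alone identifies nothing.
SESSIONS = {}


def create_session(user):
    """Start a session; returns the id that would be set in the cookie."""
    sid = secrets.token_hex(16)          # sent only as a cookie, never in URLs
    SESSIONS[sid] = {
        "user": user,
        "sesskey": secrets.token_hex(16)  # per-session CSRF token, safe in URLs/forms
    }
    return sid


def get_sesskey(sid):
    """Token the server embeds in pages/links for this session."""
    return SESSIONS[sid]["sesskey"]


def validate_state_change(cookie_sid, sesskey_param):
    """Accept a state-changing request only if the cookie names a live
    session AND the supplied sesskey matches that session's token.
    Constant-time compare avoids leaking the token through timing."""
    session = SESSIONS.get(cookie_sid)
    if session is None or sesskey_param is None:
        return False
    return hmac.compare_digest(session["sesskey"], sesskey_param)


def sessions_for_sesskey(sesskey_param):
    """What an observer who only saw ?sesskey=... in a URL could learn:
    the store is keyed by session id, so the token resolves to no session."""
    return [sid for sid in SESSIONS if sid == sesskey_param]


if __name__ == "__main__":
    sid = create_session("alice")
    token = get_sesskey(sid)
    print("cookie + matching sesskey:", validate_state_change(sid, token))
    print("cookie + wrong sesskey   :", validate_state_change(sid, "x" * 32))
    print("sesskey without cookie   :", validate_state_change("", token))
    print("sessions recoverable from leaked sesskey:", sessions_for_sesskey(token))
```

Run as a script it prints `True`, `False`, `False` and an empty list: a forged cross-site request lacks the token, and a token leaked through a URL or referrer lacks the cookie, which is the property a CSRF token is meant to provide and why its appearance in query strings is not a session-id leak.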