moodle / devdocs

Source of the Moodle Developer Resources and Documentation

Home Page: https://moodledev.io/


The sesskey param is a CSRF token Error in Penetration testing

luisdev opened this issue · comments

What is the URL of the page?

https://moodledev.io/general/development/process/security/penetration-testing

What is the issue with this page?

In the "The sesskey param is a CSRF token" section the page says:

The moodle session is stored in a normal cookie, and the sesskey is actually instead a somewhat poorly named CSRF token param.

What does "is actually instead" mean? Please rewrite that sentence so that it makes sense.

Are you able to provide a patch for this?

No response

I tried to rewrite. Hope this helps.

Current:

Many penetration tests highlight the use of the ?sesskey=xxx HTTP param as an issue because it leaks to session id. The moodle session is stored in a normal cookie, and the sesskey is actually instead a somewhat poorly named CSRF token param.

My rewrite:

Many penetration tests highlight the use of the ?sesskey=xxx HTTP parameter as a security issue, claiming that it leaks the session ID. In actuality, Moodle's sesskey is a somewhat poorly-named CSRF token. The Moodle session ID is stored separately in a normal cookie.
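To make the distinction the thread is about concrete, here is a small added illustration (not Moodle's own session or sesskey code): the session id lives only in the cookie and authenticates the request, while the sesskey is an independent per-session CSRF token that state-changing requests must echo back. The cookie name `MoodleSession` and the handler shape are assumptions for this example.

```python
import hmac
import secrets

# Constructed in-memory session store for the illustration: session_id is the
# value the browser sends as a cookie; sesskey is a separate CSRF token that is
# placed in forms and ?sesskey=xxx URLs. Neither is derived from the other.
SESSIONS: dict[str, dict] = {}   # session_id -> {"user": ..., "sesskey": ...}


def login(user: str) -> tuple[str, str]:
    """Create a session; return (session_id for the cookie, sesskey for forms/URLs)."""
    session_id = secrets.token_urlsafe(32)
    sesskey = secrets.token_urlsafe(16)   # independent random value, not the session id
    SESSIONS[session_id] = {"user": user, "sesskey": sesskey}
    return session_id, sesskey


def handle_request(method: str, cookies: dict, params: dict) -> tuple[int, str]:
    """Authenticate with the cookie; on state-changing requests also require a matching sesskey.

    A sesskey that leaks in a URL or referrer is useless without the cookie: the
    request below fails with 401 before the sesskey is even looked at.
    """
    session = SESSIONS.get(cookies.get("MoodleSession", ""))   # assumed cookie name
    if session is None:
        return 401, "no valid session cookie"
    if method in ("POST", "PUT", "DELETE", "PATCH"):
        supplied = params.get("sesskey", "")
        # Constant-time comparison so the check does not leak the token byte by byte.
        if not hmac.compare_digest(supplied, session["sesskey"]):
            return 403, "invalid sesskey (CSRF check failed)"
    return 200, f"ok for {session['user']}"
```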