Confusion about CSRF URL querystring timestamp

(repository) #1

Dear Discourse Team,

Before logging in and sending a POST request to do so, a GET request is sent to retrieve and use a CSRF token.

Demo?=1465847188888 is an example using the test server.
Currently the token, as depicted by the '
’ parameter, is being generated using Linux Epoch time.

This means that effectively the CSRF token login authentication can be bypassed by converting the current time that your browser visits a Discourse login page (and through trial and error of seeing how long it takes to submit the login form) in the GMT timezone to epoch time.

We believe that this could be an issue as it could allow an attacker to bruteforce our forum users, or perhaps check another user’s inbox (in theory, I may be wrong as I haven’t had the time to write up a script just yet - I’m busy with exams).

(Régis Hanol) #2

That parameter has nothing to do with security. It’s here to make sure the query isn’t cached so that whenever the client requests the CSRF token, we’re sure it’s not a cached one.

(repository) #3

Ah I see

I could of sworn I read some page source code which generated the token using epoch, I may be wrong though.

Thanks for the clear up :slight_smile: