dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Check host header instead of origin which might not be present #475

Browse Source
This commit is contained in:
Matthias Grundmann
2018-06-12 17:35:00 +02:00
committed by Nanne Baars
parent 1d2575a211
commit 3b9b695ef1
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFFeedback.java
View File

@ -64,11 +64,11 @@ public class CSRFFeedback extends AssignmentEndpoint {
private boolean hostOrRefererDifferentHost(HttpServletRequest request) {
String referer = request.getHeader("referer");
String origin = request.getHeader("origin");
String host = request.getHeader("host");
if (referer != null) {
return !referer.contains(origin);
return !referer.contains(host);
} else {
return true; //this case referer is null or origin does not matter we cannot compare so we return true which should of course be false
return true;
}
}