Check host header instead of origin which might not be present #475

2018-06-12 17:35:00 +02:00 · 2018-06-12 17:35:00 +02:00 · 3b9b695ef1
commit 3b9b695ef1
parent 1d2575a211
2 changed files with 4 additions and 4 deletions
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFFeedback.java
+++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFFeedback.java
@ -64,11 +64,11 @@ public class CSRFFeedback extends AssignmentEndpoint {
    private boolean hostOrRefererDifferentHost(HttpServletRequest request) {
        String referer = request.getHeader("referer");
-        String origin = request.getHeader("origin");
+        String host = request.getHeader("host");
        if (referer != null) {
-            return !referer.contains(origin);
+            return !referer.contains(host);
        } else {
-            return true; //this case referer is null or origin does not matter we cannot compare so we return true which should of course be false
+            return true;
        }
    }
--- a/webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/plugin/CSRFFeedbackTest.java
+++ b/webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/plugin/CSRFFeedbackTest.java
@ -46,7 +46,7 @@ public class CSRFFeedbackTest extends LessonTest {
        mockMvc.perform(post("/csrf/feedback/message")
                .contentType(MediaType.TEXT_PLAIN)
                .cookie(new Cookie("JSESSIONID", "test"))
-                .header("origin", "localhost:8080")
+                .header("host", "localhost:8080")
                .header("referer", "webgoat.org")
                .content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}"))
                .andExpect(jsonPath("lessonCompleted", is(true)))