Is it a risk to put the CSRF Token in a GET request URL?

TL;DR: Why is it bad to put a CSRF token in a GET request parameter?

Setup of the problem.

I have a search form on a SaaS app where the CSRF token is being injected into every form, including the GET forms. This seems bad to me, but I can't articulate why, and I'm being asked to.

All traffic is encrypted, so the GET parameters can't be Wiresharked and scraped.

The worst scenario I can see here is some sort of social engineering where a malicious actor asks someone to copy the URL and the user just hands it over without thinking it's dangerous.

Otherwise I can't really think of a scenario where a drive-by hack is possible without the hacker going through the trouble of setting up a man-in-the-middle scenario, in which case they would probably be set up to do worse things without that CSRF token.

What am I missing here?
Tags: security csrf csrf-protection owasp csrf-token
asked Nov 15 '18 at 19:02
Zombiesplat
1 Answer
Have a look at the OWASP CSRF Prevention Cheat Sheet and especially the section about Disclosure of Token in URL.
answered Nov 16 '18 at 10:46
SPoint
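Added example (Python, written for this page and not taken from the question, the answer or the OWASP cheat sheet) of the disclosure path the answer points at: a GET search form that carries the token puts it into the request URL, and that URL lands in browser history and in server or proxy access logs, where a POST body never goes. The helper names, the `csrf_token` parameter name and the log line are constructed for illustration, not a real framework's API; the block also shows the two defensive moves, emitting the hidden field only for state-changing methods and finding or redacting token-bearing URLs in logs.

```python
import html
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # no state change, so nothing to protect


def new_csrf_token() -> str:
    """Fresh per-session token; what it protects is a state-changing POST."""
    return secrets.token_urlsafe(32)


def hidden_csrf_field(method: str, token: str) -> str:
    """Emit the hidden token only for state-changing forms. A GET form that
    carried it would put the secret into the URL of the resulting request."""
    if method.upper() in SAFE_METHODS:
        return ""
    return f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'


def submit_get_form(action: str, fields: dict) -> str:
    """Model what the browser does with a GET form: every field, token
    included, becomes part of the request URL (and of browser history)."""
    return f"{action}?{urlencode(fields)}"


def access_log_line(url: str) -> str:
    """Constructed access-log line in Common Log Format shape. Servers and
    proxies log the full request line, query string included."""
    return f'203.0.113.9 - - [15/Nov/2018:19:02:00 +0000] "GET {url} HTTP/1.1" 200 512'


def find_token_leaks(log_lines: list, param: str = "csrf_token") -> list:
    """Detection: return the request URLs in an access log that carry the token."""
    leaks = []
    for line in log_lines:
        try:
            url = line.split('"')[1].split(" ")[1]  # URL inside "GET <url> HTTP/1.1"
        except IndexError:
            continue  # not a request line we recognise
        if param in dict(parse_qsl(urlsplit(url).query, keep_blank_values=True)):
            leaks.append(url)
    return leaks


def redact_token(url: str, param: str = "csrf_token") -> str:
    """Mitigation for logging: drop the token parameter before the URL is written."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != param]
    return urlunsplit(parts._replace(query=urlencode(kept)))
```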