UPDATE: Cross-Site_Request_Forgery_Prevention_Cheat_Sheet #1885
Description
Misleading comment for signed double-submit-cookie pattern example
As per the above document, the validation of double-submit-cookie patterns has a comment which says "From form field, cookie, or header"
This is misleading and wrong. Because when server validates the csrf token, it should validate it against custom request header and not on auto sent browser cookies. Because attacker can trick the victim to visit the site which would open in browser. The browser automatically sends the token. Hence request always succeeds. Please correct this.
it should be
"Prefer header/param; fallback to cookie is INSECURE"
OWASP’s Intent vs. Wording
`
| OWASP Intent | Evidence |
|---|---|
| Double Submit = Cookie (delivery) + Explicit submission (proof of intent) | "The site must require that every transaction request... includes this random value as a hidden form value or inside the request header" |
| Cookie is for client to read (JS), not for server to trust | Cookie must be HttpOnly=false so JS can read and resubmit |
| Security relies on attacker’s inability to set matching value | "Since an attacker is unable to access the cookie value during a cross-site request, they cannot include a matching value..." |
So the security model is:
Cookie → client reads → explicitly submits in header/param
Server validates: submitted_value == expected
If server accepts cookie value directly, the "double" in "double submit" is meaningless.
label: ACK_WAITING