CSRF flaw in csurf NPM package, a library meant to protect against the same flaws


A cross-site request forgery (CSRF) weakness in the open source csurf package was discovered by penetration testers who were looking into low-severity bugs. Researchers from the UK-based cybersecurity firm Fortbridge were brought in when a client asked them to review a penetration testing report.

One of the issues raised in that report was a CSRF cookie lacking the Secure flag. The team started digging after noticing something intriguing. Fortbridge cloud application security consultant Adrian Tiron described the findings in a blog post on August 28.
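The finding that started the investigation, a CSRF cookie set without the Secure flag, is the kind of thing a reviewer can check mechanically from a response's Set-Cookie headers. The following is an added example, not code from the article, from Fortbridge or from the csurf project: a small Node.js auditor that parses Set-Cookie values and reports CSRF-related cookies missing Secure, HttpOnly or a Strict/Lax SameSite setting. The header lines are constructed sample data; `_csrf` is the cookie name csurf's documentation uses as its default, the other cookie names in the list are assumptions.

```javascript
// Added example (not from the article or the csurf project): audit Set-Cookie
// headers for CSRF-related cookies that lack Secure, HttpOnly or SameSite.

// Cookie names treated as CSRF-related. "_csrf" is csurf's documented default
// cookie key; the other two names are assumptions for this example.
const CSRF_COOKIE_NAMES = ['_csrf', 'csrf-token', 'xsrf-token'];

// Parse one Set-Cookie header value into { name, value, attrs }, where attrs maps
// each lower-cased attribute name to its value (or true for flag attributes).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Return the list of findings for one cookie; an empty list means it carries
// Secure, HttpOnly and a SameSite value of Strict or Lax.
function auditCsrfCookie(cookie) {
  const findings = [];
  if (!('secure' in cookie.attrs)) findings.push('missing Secure');
  if (!('httponly' in cookie.attrs)) findings.push('missing HttpOnly');
  const sameSite = cookie.attrs['samesite'];
  if (typeof sameSite !== 'string' || !['strict', 'lax'].includes(sameSite.toLowerCase())) {
    findings.push('SameSite not Strict/Lax');
  }
  return findings;
}

// Audit every Set-Cookie header in a response; only CSRF-named cookies are reported.
// Returns an object keyed by cookie name whose values are the findings lists.
function auditSetCookieHeaders(headers) {
  const report = {};
  for (const h of headers) {
    const cookie = parseSetCookie(h);
    if (!CSRF_COOKIE_NAMES.includes(cookie.name.toLowerCase())) continue;
    report[cookie.name] = auditCsrfCookie(cookie);
  }
  return report;
}

// Constructed sample headers: the first resembles the report finding (a CSRF
// cookie without Secure), the third is a hardened version, the second is an
// unrelated session cookie that the auditor ignores.
const SAMPLE_HEADERS = [
  '_csrf=abc123; Path=/; HttpOnly',
  'session=xyz; Path=/; HttpOnly; Secure',
  'xsrf-token=def456; Path=/; Secure; HttpOnly; SameSite=Strict',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSetCookieHeaders(SAMPLE_HEADERS));
}
```

One caveat on the HttpOnly check: it is appropriate for a cookie that holds the server-side secret, as csurf's cookie mode does, but a double-submit cookie that client-side script must read to copy the token into a header cannot be HttpOnly, so that finding should be interpreted against the pattern the application actually uses.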