CSRF vulnerability

Requests to the admin panel do not verify where the request came from, which should always be the admin panel itself. A CSRF attack can therefore be carried out as follows:

  • Trick an admin into visiting a page that makes a request to the admin panel.
  • The browser attaches the admin's session token to that request, so the request is authenticated and succeeds.

We tested this by deleting rows from the database with Postman using a session token from the browser.

This should be guarded against by adding a CSRF token to the admin panel and validating it in the back end (Flask-WTF provides a ready-made solution for this).
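The following is an added illustration of the synchronizer-token check the issue asks for, not code from this project and not Flask-WTF's own implementation. It models the request handler as plain functions so it runs without Flask: a session dict stands in for the signed session cookie, and the admin-panel origin `ADMIN_ORIGIN` is an assumed value. The vulnerable handler authenticates on the session alone, as the issue describes; the hardened handler additionally refuses requests whose `Origin`/`Referer` is not the admin panel and whose form lacks the per-session CSRF token.

```python
import hmac
import secrets
from typing import Optional

# Assumed deployment origin of the admin panel (constructed for this example).
ADMIN_ORIGIN = "https://admin.example.test"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer-token pattern: one unguessable token per session, stored
    server-side (here: in the session dict) and embedded in the admin panel's
    forms as a hidden field. A page on another site cannot read it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session: dict, submitted: Optional[str]) -> bool:
    """Constant-time comparison; a missing or mismatching token fails."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def origin_allowed(headers: dict) -> bool:
    """Secondary check: browsers send Origin (or at least Referer) on
    cross-site POSTs, so a request from another site can be refused before
    the token is looked at. No header at all is treated as untrusted."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    return origin == ADMIN_ORIGIN or origin.startswith(ADMIN_ORIGIN + "/")


def delete_row_vulnerable(session: dict, form: dict, headers: dict) -> int:
    """Handler as described in the issue: trusts the session cookie alone."""
    if not session.get("user_id"):
        return 401
    return 200  # row would be deleted here


def delete_row_hardened(session: dict, form: dict, headers: dict) -> int:
    """Same handler with the origin and CSRF-token checks added."""
    if not session.get("user_id"):
        return 401
    if not origin_allowed(headers):
        return 403
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403
    return 200


def demo() -> dict:
    # Constructed scenario: the admin is logged in, and the browser attaches
    # the session cookie to every request to the admin panel regardless of
    # which page triggered it.
    admin_session = {"user_id": 1}
    token = issue_csrf_token(admin_session)

    # Legitimate deletion submitted from the admin panel's own form.
    legit_form = {"row_id": "42", "csrf_token": token}
    legit_headers = {"Origin": ADMIN_ORIGIN}

    # Forged request triggered from a page on another site: the session
    # cookie rides along, but the form carries no token and the browser
    # reports the real origin.
    forged_form = {"row_id": "42"}
    forged_headers = {"Origin": "https://attacker.example.test"}

    return {
        "vulnerable_legit": delete_row_vulnerable(admin_session, legit_form, legit_headers),
        "vulnerable_forged": delete_row_vulnerable(admin_session, forged_form, forged_headers),
        "hardened_legit": delete_row_hardened(admin_session, legit_form, legit_headers),
        "hardened_forged": delete_row_hardened(admin_session, forged_form, forged_headers),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

In a real Flask app the equivalent is to wrap the app with Flask-WTF's `CSRFProtect` and render `csrf_token()` into each form; the library then performs the token generation, storage and constant-time comparison shown above for every state-changing request. The origin check is a belt-and-braces addition that also covers the "requesting site" problem named at the top of the issue.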