Forms that use the GET method cause the XSRF token to be added to the URL

2016-05-31T03:21:00
ID ATLASSIAN:CONFSERVER-42736
Type atlassian
Reporter dnorton@atlassian.com
Modified 2018-10-11T08:49:46

Description

h5.Steps to Reproduce:

In Confluence, visit the "My Profile" page ({{<confluence-url>/users/viewuserprofile.action}})

Click "Edit Profile"

Note that no {{atl_token}} is present in the URL.

Click "Settings" ({{<confluence-url>/users/viewmysettings.action}})

Click "Edit"

Note that the {{atl_token}} value is present in the URL.

h5.Cause

Some forms are rendered as having the method {{GET}} rather than the method {{POST}}.

h5.Security implications

This is only an exploitable security issue if an attacker can somehow get a resource that includes the token in the URL to access one of their own resources (or similar), such that the Referer of that request contains the CSRF token.
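As an added illustration of the Cause above (this is not part of the Atlassian issue and not Confluence code), a small Python audit helper that parses rendered HTML and flags forms that would put the CSRF token into the query string: forms with method {{GET}}, and forms with no method attribute at all, which browsers also submit as GET. The field name {{atl_token}} comes from the issue; the form actions and the sample page are constructed input.

```python
from html.parser import HTMLParser

# Field names treated as CSRF tokens. atl_token is the Confluence name from
# the issue; add others if auditing a different application.
CSRF_FIELD_NAMES = {"atl_token"}


class FormAuditor(HTMLParser):
    """Collects forms that would place a CSRF token in the submitted URL."""

    def __init__(self):
        super().__init__()
        self._current = None   # attributes of the <form> being parsed, if any
        self.findings = []     # (action, effective method) of leaking forms

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty method attribute defaults to GET in HTML.
            method = (attrs.get("method") or "get").strip().lower()
            self._current = {"action": attrs.get("action") or "",
                             "method": method, "token": False}
        elif tag == "input" and self._current is not None:
            if attrs.get("name") in CSRF_FIELD_NAMES:
                self._current["token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["method"] == "get" and self._current["token"]:
                self.findings.append((self._current["action"], "get"))
            self._current = None


def find_token_leaking_forms(html):
    auditor = FormAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page (hypothetical action paths): a GET form, a POST form
# and a form with no method attribute, all carrying a hidden atl_token field.
SAMPLE_HTML = """
<form action="/example/settings-edit.action" method="get">
  <input type="hidden" name="atl_token" value="EXAMPLE_TOKEN"><input type="submit" value="Edit">
</form>
<form action="/example/profile-edit.action" method="post">
  <input type="hidden" name="atl_token" value="EXAMPLE_TOKEN"><input type="submit" value="Edit Profile">
</form>
<form action="/example/no-method.action">
  <input type="hidden" name="atl_token" value="EXAMPLE_TOKEN"><input type="submit" value="Go">
</form>
"""

if __name__ == "__main__":
    for action, method in find_token_leaking_forms(SAMPLE_HTML):
        print(f"token would land in the URL: {method.upper()} {action}")
```

Only the GET form and the method-less form are reported; the POST form sends the token in the request body, where it does not reach the Referer header.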