Forms that use the GET method cause the XSRF token to be added to the URL

Type atlassian
Modified 2018-10-11T08:49:46


h5.Steps to Reproduce:

# In Confluence, visit the "My Profile" page ({{<confluence-url>/users/viewuserprofile.action}})
# Click "Edit Profile"
# Note that no {{atl_token}} is present in the URL.
# Click "Settings" ({{<confluence-url>/users/viewmysettings.action}})
# Click "Edit"
# Note that the {{atl_token}} value is present in the URL.

h5.Cause

Some forms are rendered with the method {{GET}} rather than the method {{POST}}, so the hidden {{atl_token}} field is submitted as a query-string parameter.

h5.Security implications

This is only an exploitable security issue if an attacker can somehow get a page that includes the token in its URL to load one of their own resources (or similar), such that the Referer header of that request carries the CSRF token.
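The following audit script is an added example and is not code from this issue or from Atlassian. It parses a page's forms with the Python standard library and flags any form whose method is {{GET}} (or unset, which browsers treat as {{GET}}) that carries an {{atl_token}} input, and it prints the URL the browser would actually request on submit so a reviewer can see where the token lands. The sample HTML, the action paths and the base URL are constructed for the example.

```python
"""Audit HTML forms for CSRF tokens that would be submitted via GET.

Added example; not code from the Confluence issue or from Atlassian.
A GET form places every field, including a hidden CSRF token, in the
query string, where it reaches server logs, browser history and the
Referer header of requests the resulting page makes.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

TOKEN_FIELD = "atl_token"  # token field name as used by Confluence


class FormCollector(HTMLParser):
    """Collect each <form> with its method, action and named input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                # HTML defaults to GET when the method attribute is absent
                "method": (attrs.get("method") or "get").lower(),
                "action": attrs.get("action") or "",
                "fields": {},
            }
        elif tag == "input" and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"][name] = attrs.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def leaking_forms(html, base_url):
    """Return (action_url, submitted_url) for every GET form carrying the token.

    submitted_url is the request the browser would issue on submit, i.e.
    the action plus the form fields encoded into the query string.
    """
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        if form["method"] == "get" and TOKEN_FIELD in form["fields"]:
            action = urljoin(base_url, form["action"])
            submitted = action + "?" + urlencode(form["fields"])
            findings.append((action, submitted))
    return findings


# Constructed sample page: one POST form (token stays in the body) and one
# form with no method attribute, which the browser submits as GET.
SAMPLE_HTML = """
<form method="post" action="/example/doeditprofile.action">
  <input type="hidden" name="atl_token" value="TOKEN-PLACEHOLDER">
  <input type="text" name="fullName" value="Example User">
</form>
<form action="/example/editsettings.action">
  <input type="hidden" name="atl_token" value="TOKEN-PLACEHOLDER">
  <input type="submit" value="Edit">
</form>
"""

if __name__ == "__main__":
    for action, url in leaking_forms(SAMPLE_HTML, "https://confluence.example/"):
        print(f"GET form {action} would send the token in the URL: {url}")
```

Run it against saved copies of the pages in question (or against the templates that render them); only the second constructed form is reported. The fix implied by the report is to render such forms with {{POST}} so the token travels in the request body; a restrictive Referrer-Policy header limits what leaks via Referer but does not remove the token from logs or history, so it is a complement to the method change, not a substitute.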