Gorilla CSRF Cross-Site Request Forgery Vulnerability in Same Top-Level Domain
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Gorilla CSRF package (gorilla/csrf), the CSRF protection middleware for Go web applications, affecting versions prior to 1.7.2. The package does not validate the Origin header against an allowlist, and it runs its same-origin check of the Referer header on cross-origin requests only when it believes the request was served over TLS. It decides that by inspecting r.URL.Scheme, but Go's net/http never populates the URL scheme for incoming server requests (the URL is parsed from the request line, which carries only the path and query), so the condition is never true and the Referer check never executes, even in HTTPS deployments. Consequently, an attacker with Cross-Site Scripting (XSS) on any origin under the same top-level domain (a sibling subdomain or the parent domain itself) can plant a known CSRF cookie for the target and perform authenticated form submissions against Gorilla CSRF-protected endpoints on that domain.
Impact
Exploitation allows authenticated CSRF attacks against any target protected by Gorilla CSRF from any other origin under the same top-level domain. The victim's browser attaches the victim's session cookie to the forged form submission, so the request is processed with the victim's authority.
Reproduction
To reproduce this vulnerability:
1. Set up a target origin on a subdomain or top-level domain with Gorilla CSRF protection enabled, served over TLS.
2. Create an attacker origin on a different subdomain of the same top-level domain, also served over TLS.
3. Gain XSS on the attacker origin.
4. Exfiltrate a CSRF token and its matching CSRF cookie from the target origin. The pair does not need to belong to the victim: the cookie is only authenticated against the server's key and is not bound to a session, so any pair the target issued (for example, to the attacker's own unauthenticated request) will do.
5. From the attacker origin, set the exfiltrated cookie with a Domain attribute matching the shared top-level domain and a Path that includes the form submission endpoint, so the victim's browser sends it to the target alongside the victim's session cookie and it overrides the victim's own CSRF cookie for that path.
6. Submit a form from the attacker origin to the target origin, including the exfiltrated CSRF token.
7. Observe that the submission is accepted: the token matches the planted cookie, and the cross-origin Referer is never examined because the TLS gate in front of the Referer check is always false.
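The following Go program is an added example, not code from the Gorilla CSRF project or from this advisory. It isolates the root cause behind both the description above and steps 6 and 7 of the reproduction: a hypothetical newProtectedHandler enforces a same-origin Referer check only when a gate function says the request is HTTPS, and it is run behind an httptest TLS server. With the pre-1.7.2 style gate (r.URL.Scheme == "https") a cross-origin POST from a constructed attacker origin is accepted, because the scheme the server observes is empty even though the connection is TLS. Gating on r.TLS instead (an assumption about what a correct check would use, not a copy of the project's patch) rejects the cross-origin POST and still accepts a same-origin one. Token validation is left out on purpose, since the attack supplies a valid token/cookie pair and the Referer check is the only control in play.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// refererGate decides whether the cross-origin Referer check is enforced for
// a request. The bug on this page is entirely in this decision.
type refererGate func(r *http.Request) bool

// vulnerableGate mirrors the pre-1.7.2 condition: it tests r.URL.Scheme, which
// net/http never fills in for incoming server requests (the URL is parsed from
// the request line, i.e. "/path?query"), so it is always false.
func vulnerableGate(r *http.Request) bool { return r.URL.Scheme == "https" }

// fixedGate uses r.TLS, which the server sets on every connection it
// terminated TLS on. (Assumption for this example: r.TLS is the signal a
// correct check would use; this is not a copy of the project's own fix.)
func fixedGate(r *http.Request) bool { return r.TLS != nil }

// sameOrigin reports whether two URLs share scheme and host (host:port).
func sameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && a.Host == b.Host
}

// newProtectedHandler is a hypothetical stand-in for the middleware's handling
// of unsafe methods: it enforces a same-origin Referer check only when gate(r)
// is true. Token validation is deliberately omitted; the attack on this page
// supplies a valid token/cookie pair, so the Referer check is the only thing
// standing between attacker and target.
func newProtectedHandler(gate refererGate) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if gate(r) {
			referer, err := url.Parse(r.Referer())
			if err != nil || referer.String() == "" {
				http.Error(w, "missing Referer", http.StatusForbidden)
				return
			}
			// The request is known to be HTTPS here; r.Host is the authority
			// the browser addressed, which is what the Referer must match.
			requestURL := &url.URL{Scheme: "https", Host: r.Host}
			if !sameOrigin(requestURL, referer) {
				http.Error(w, "bad Referer", http.StatusForbidden)
				return
			}
		}
		w.WriteHeader(http.StatusOK)
	})
}

// submit starts a TLS test server around newProtectedHandler(gate), POSTs a
// form to it with the given Referer (empty string = same-origin Referer), and
// returns the HTTP status plus the r.URL.Scheme the server observed.
func submit(gate refererGate, referer string) (status int, observedScheme string, err error) {
	schemeCh := make(chan string, 1)
	inner := newProtectedHandler(gate)
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		schemeCh <- r.URL.Scheme // record what the server actually sees
		inner.ServeHTTP(w, r)
	}))
	defer srv.Close()

	if referer == "" {
		referer = srv.URL + "/form" // same-origin submission
	}
	req, err := http.NewRequest(http.MethodPost, srv.URL+"/transfer", strings.NewReader("amount=100"))
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Referer", referer)
	resp, err := srv.Client().Do(req) // Client() trusts the test server's certificate
	if err != nil {
		return 0, "", err
	}
	resp.Body.Close()
	return resp.StatusCode, <-schemeCh, nil
}

func main() {
	const attacker = "https://attacker.example.com/xss" // constructed attacker origin
	for _, c := range []struct {
		name string
		gate refererGate
	}{{"vulnerable gate (r.URL.Scheme)", vulnerableGate}, {"fixed gate (r.TLS)", fixedGate}} {
		status, scheme, err := submit(c.gate, attacker)
		fmt.Printf("%-32s r.URL.Scheme=%q  cross-origin POST -> %d  err=%v\n", c.name, scheme, status, err)
	}
	status, _, err := submit(fixedGate, "")
	fmt.Printf("%-32s same-origin POST -> %d  err=%v\n", "fixed gate (r.TLS)", status, err)
}
```

Running the program shows the server-observed r.URL.Scheme as an empty string for both gates, which is why the first case returns 200 for a cross-origin POST and the second returns 403. The same-origin POST under the fixed gate returns 200, so the corrected gate does not break legitimate submissions.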
Remediation
Upgrade to Gorilla CSRF version 1.7.2 or later, where this vulnerability is fixed. As defense in depth against the cookie-planting step, the CSRF cookie can be given a __Host- prefixed name (set with csrf.CookieName, together with csrf.Path("/") and the Secure flag): browsers refuse to store a __Host- cookie that carries a Domain attribute, so a sibling subdomain can no longer set it for the target. This is a browser-side control and does not replace the upgrade.
