BURP scan: Session token in URL and Short Anti-CSRF token value detected

by Rod Spears -
Number of replies: 5

Moodle 3.7.1+ (Build: 20190801)

These medium priority items were reported when our university completed a BURP scan yesterday.

We are expected to remediate these items.

1. Do they need remediation and if not, why?

2. Can they be remediated without making changes to core Moodle?

3. Were these items reported because the BURP Suite Professional scanner does not understand how Moodle works?

In reply to Rod Spears

Re: BURP scan: Session token in URL and Short Anti-CSRF token value detected

by Rod Spears -
More details from the report:
Session token in URL
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Short Anti-CSRF token value detected
The request appears to contain an anti-CSRF token with a value that is less than 16 characters long. An attacker may be able to guess this token's value.


In reply to Rod Spears

Re: BURP scan: Session token in URL and Short Anti-CSRF token value detected

by Marcus Green -
Note from
https://docs.moodle.org/dev/Releases#Moodle_3.7
Bug fixes for security issues in 3.7.x will end 9 November 2020 (18 months).
You should be planning on upgrading as soon as possible.
In reply to Marcus Green

Re: BURP scan: Session token in URL and Short Anti-CSRF token value detected

by Rod Spears -
Marcus, thanks for sharing the information about Moodle 3.7. However, it doesn't sound like an upgrade will address the 2 issues. Correct?
In reply to Rod Spears

Re: BURP scan: Session token in URL and Short Anti-CSRF token value detected

by Dan Marsden -
That first one is rubbish. Moodle doesn't pass the "session token" in the URL (unless you have some custom 3rd party code that is doing something weird).

But that 2nd one is interesting, because typically that first issue comes from automated systems that see our CSRF token and assume it's a session token.
Moodle's CSRF token is hard-coded to a 10-character random string. There's probably room for an improvement issue in the tracker to look at the complexity of this, but it's probably something we'd class as an improvement rather than a security issue.
You can also bump this up yourself by changing this line:
https://github.com/moodle/moodle/blob/MOODLE_35_STABLE/lib/sessionlib.php#L45

Change random_string(10) to random_string(20) (and then test to make sure nothing weird happens).
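A triage script, added here and not from the thread or from Moodle itself, that separates the two Burp findings Dan describes: it flags a URL only when the live session cookie value itself appears in the query string, counts sesskey-only URLs as Moodle's normal anti-CSRF parameter, reports whether the observed sesskey length is below the scanner's 16-character threshold, and gives the entropy of random_string(10) versus random_string(20). The cookie name MoodleSession, the parameter name sesskey and the 62-symbol alphabet are assumptions about Moodle defaults, not facts stated in the thread; the sample traffic is constructed.

```python
import math
from urllib.parse import parse_qs, urlsplit

# Assumptions not in the thread: random_string() draws from [A-Za-z0-9], the
# session cookie name starts with "MoodleSession", the CSRF parameter is "sesskey".
ALPHABET_SIZE = 62
SESSION_COOKIE_PREFIX = "MoodleSession"
CSRF_PARAM = "sesskey"
SCANNER_MIN_CSRF_LEN = 16  # threshold quoted in the Burp finding

def token_bits(length, alphabet=ALPHABET_SIZE):
    """Entropy of a uniformly random token of `length` symbols, in bits."""
    return length * math.log2(alphabet)

def session_values(cookie_header):
    """Values of the live Moodle session cookie(s) in a Cookie header."""
    pairs = (p.strip().partition("=") for p in cookie_header.split(";"))
    return {v for n, _, v in pairs if n.startswith(SESSION_COOKIE_PREFIX) and v}

def classify(cookie_header, url):
    """'session-in-url': the live session id appears in the query (a real leak).
    'csrf-in-url': only sesskey is present (normal Moodle behaviour). Else 'clean'."""
    query = parse_qs(urlsplit(url).query)
    live = session_values(cookie_header)
    if any(v in live for values in query.values() for v in values):
        return "session-in-url", 0
    if CSRF_PARAM in query:
        return "csrf-in-url", len(query[CSRF_PARAM][0])
    return "clean", 0

def triage(requests):
    """Count categories over (cookie_header, url) pairs; flag a short sesskey."""
    counts = {"session-in-url": 0, "csrf-in-url": 0, "clean": 0}
    csrf_lens = []
    for cookie, url in requests:
        cat, n = classify(cookie, url)
        counts[cat] += 1
        if cat == "csrf-in-url":
            csrf_lens.append(n)
    shortest = min(csrf_lens) if csrf_lens else None
    return counts, shortest, bool(csrf_lens) and shortest < SCANNER_MIN_CSRF_LEN

# Constructed sample traffic; the third URL is a hypothetical custom script
# that really does copy the session id into a URL.
SID = "k3j9sd8f7a6s5d4f3g2h1j"
SAMPLE = [
    ("MoodleSession=" + SID, "https://lms.example.edu/course/view.php?id=2"),
    ("MoodleSession=" + SID, "https://lms.example.edu/mod/forum/post.php?delete=5&sesskey=Ab3dEf9hIj"),
    ("MoodleSession=" + SID, "https://lms.example.edu/custom/relay.php?sid=" + SID),
]
```

Running triage(SAMPLE) reports one real leak, one sesskey-only URL with a 10-character token (below the 16-character threshold), and one clean request; token_bits(10) is about 59.5 bits and token_bits(20) about 119 bits.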
In reply to Dan Marsden

Re: BURP scan: Session token in URL and Short Anti-CSRF token value detected

by Rod Spears -
Thanks for the quick reply, Dan. I have passed this on to our security team and shared it with our developer, and thanks for sharing the details about the change that we could make.