Play Framework Security Advisory

CSRF Bypass

Date

4 Mar 2016

Description

A vulnerability has been found in Play’s CSRF support.

The Chrome Beacon extension allows non-preflighted, non-form cross-origin POST requests, which invalidates the Play CSRF filter’s assumption that only form POST requests are subject to CSRF attacks.

Impact

Play’s CSRF check can be bypassed when the victim’s browser is Chrome.

Affected Versions

Workarounds

Set the following configuration in application.conf:

play.filters.csrf.contentType {
  blackList = []
  whiteList = ["none"]
}

Note that this will, for example, cause all POST requests with Content-Type application/json to require a CSRF check as well.
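The following is an added example, not code from Play or from this advisory. It models the content-type decision that the description and the workaround above turn on: a CSRF filter that only checks form content types lets a non-form cross-origin POST through without a token, while the workaround configuration (empty blackList, whiteList containing only the never-matching type "none") checks every state-changing request. The semantics assumed here are that a non-empty whiteList means "check everything not in the whiteList" and an empty whiteList means "check only what is in the blackList"; the "form-only" configuration, the request samples, the session token and all function names are constructed for illustration.

```python
"""Simplified model of a content-type-gated CSRF check (added example, not Play's code)."""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CsrfConfig:
    # Assumed semantics: if white_list is non-empty, every request whose media
    # type is NOT in white_list is checked; otherwise only requests whose media
    # type IS in black_list are checked.
    black_list: List[str] = field(default_factory=list)
    white_list: List[str] = field(default_factory=list)


# Assumed "form-only" configuration modelling the filter's original assumption
# that only form submissions can be cross-origin POSTs.
FORM_ONLY = CsrfConfig(
    black_list=["application/x-www-form-urlencoded", "multipart/form-data"],
    white_list=[],
)

# The advisory's workaround: empty blacklist plus a whitelist holding a media
# type that no real request carries, so every POST/PUT/PATCH/DELETE is checked.
CHECK_EVERYTHING = CsrfConfig(black_list=[], white_list=["none"])


@dataclass
class Request:
    method: str
    content_type: Optional[str]    # raw Content-Type header value, may be absent
    token: Optional[str] = None    # CSRF token taken from header or body, if any


def media_type(content_type: Optional[str]) -> Optional[str]:
    """Strip parameters so 'text/plain;charset=UTF-8' compares as 'text/plain'."""
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def needs_csrf_check(req: Request, cfg: CsrfConfig) -> bool:
    """Decide whether the filter demands a token for this request."""
    if req.method.upper() not in ("POST", "PUT", "PATCH", "DELETE"):
        return False
    mt = media_type(req.content_type)
    if cfg.white_list:
        return mt not in cfg.white_list
    return mt in cfg.black_list


def check_request(req: Request, cfg: CsrfConfig, session_token: str) -> str:
    """Return 'allowed' or 'rejected' the way a CSRF filter would."""
    if not needs_csrf_check(req, cfg):
        return "allowed"
    if req.token is not None and hmac.compare_digest(req.token, session_token):
        return "allowed"
    return "rejected"


SESSION_TOKEN = "constructed-token-123"   # constructed sample value

# Constructed sample requests; "text_plain_no_token" stands for a non-form,
# non-preflighted cross-origin POST of the kind the advisory describes.
SAMPLE_REQUESTS = {
    "form_with_token": Request("POST", "application/x-www-form-urlencoded", SESSION_TOKEN),
    "form_no_token": Request("POST", "application/x-www-form-urlencoded"),
    "text_plain_no_token": Request("POST", "text/plain;charset=UTF-8"),
    "json_no_token": Request("POST", "application/json"),
    "no_content_type": Request("POST", None),
    "get": Request("GET", None),
}


def evaluate(cfg: CsrfConfig) -> dict:
    """Run every sample request through the filter under one configuration."""
    return {name: check_request(r, cfg, SESSION_TOKEN) for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, cfg in (("form-only", FORM_ONLY), ("workaround", CHECK_EVERYTHING)):
        print(label)
        for name, verdict in evaluate(cfg).items():
            print(f"  {name:22s} {verdict}")
```

Under the form-only configuration the text/plain and application/json POSTs without a token are allowed, which is the gap the advisory describes; under the workaround configuration both are rejected, and a form POST carrying the session token is still accepted, which is the behaviour the note about application/json requests warns about.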

Fixes

Upgrade to Play 2.5.0. Details on how Play 2.5 has been modified to provide better CSRF protection and what needs to be done to upgrade can be found here.

Acknowledgements

Credit for finding this vulnerability goes to David Black from Atlassian.