Forem: Yuriy Safronnynov The latest articles on Forem by Yuriy Safronnynov (@safron). https://forem.com/safron https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3855988%2F35f6f1ac-5cd1-4506-9c2a-cdac3ae2ac0b.jpg Forem: Yuriy Safronnynov https://forem.com/safron en Sensitive Data Exposure - The Bug That Looks Like a Feature Working Correctly Yuriy Safronnynov Mon, 20 Apr 2026 18:48:57 +0000 https://forem.com/safron/sensitive-data-exposure-the-bug-that-looks-like-a-feature-working-correctly-1djh https://forem.com/safron/sensitive-data-exposure-the-bug-that-looks-like-a-feature-working-correctly-1djh <p>The API response came back 200. The data was correct. The test passed.</p> <p>Nobody noticed the response body also contained the user's hashed <br> password, their internal account ID, a debug flag set to true, and a <br> field called <code>admin_notes</code> that was never meant to leave the server.</p> <p>Sensitive Data Exposure does not look like an attack. It looks like a <br> feature working correctly.</p> <h2> TL;DR </h2> <ul> <li>Sensitive Data Exposure happens when an application transmits, stores, or returns protected data without adequate controls. No exploit required. The data is simply available.</li> <li>CVE-2024-25124 in Gofiber Fiber allowed any origin to make credentialed requests due to a wildcard CORS misconfiguration. CVSS 9.4 Critical.</li> <li>Your suite checks that the right user gets the right data. It almost never checks what headers protect that data, what leaks in error responses, or what extra fields slip through the serializer.</li> <li>Three attack surfaces: data in transit (TLS, CORS headers), data at rest (logs, error messages), data in API responses (over-fetching, debug fields left in serializers).</li> <li>AI tools generate functional tests. They never generate a test that fails when a response contains a field it should not.</li> </ul> <h2> What it is </h2> <p>Sensitive Data Exposure covers a wide class of failures: data transmitted over unencrypted connections, credentials stored in plaintext, PII returned in API responses, stack traces sent to clients in error messages, secrets committed to logs, and configuration details exposed through misconfigured headers.</p> <p>The thread connecting all of them: the data should be protected and it is not.</p> <p>Developers introduce this in several ways, none of them malicious. A serializer that returns the full database model instead of a curated DTO. An error handler that forwards exception details to the client<br> for debugging convenience and never gets hardened before production. A CORS configuration set to permissive defaults during development and shipped as-is.</p> <p>In code review this is nearly impossible to spot without a specific checklist. The serializer returns data. The error handler returns a message. The CORS header is present. Everything looks like it is working.</p> <p>The question nobody asked: <strong>should this data actually be leaving the system in this form?</strong></p> <h2> Real world damage </h2> <p><strong>CVE-2024-25124 · Gofiber Fiber · February 2024 · CVSS 9.4 (Critical)</strong></p> <p>In February 2024, a critical vulnerability was disclosed in the CORS middleware of Gofiber Fiber, a widely used Go web framework. The flaw allowed developers to configure the middleware with a wildcard origin (<code>Access-Control-Allow-Origin: *</code>) while simultaneously enabling <code>Access-Control-Allow-Credentials: true</code>.</p> <p>This combination is explicitly prohibited by the CORS specification. It allows any website on the internet to make credentialed requests to the affected application and read the response. Sensitive user data, session tokens, and authenticated API responses could be accessed by attacker-controlled pages without the victim knowing.</p> <p>No credentials required from the attacker. No exploit chain. Just a misconfiguration the framework permitted and many developers shipped without realizing.</p> <blockquote> <p>Source: [GitHub Advisory GHSA-fmg4-x8pw-hjhg (<a href="https://github.com/advisories/GHSA-fmg4-x8pw-hjhg" rel="noopener noreferrer">https://github.com/advisories/GHSA-fmg4-x8pw-hjhg</a>) <br> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-25124" rel="noopener noreferrer">NVD CVE-2024-25124</a>. <br> Affected versions: Fiber prior to 2.52.1. Fixed in 2.52.1.</p> </blockquote> <p>A QA engineer running response header validation tests against any authenticated endpoint would have caught this. The test is not complex: send a credentialed cross-origin request, assert that <code>Access-Control-Allow-Origin</code> does not contain a wildcard. That test did not exist. The misconfiguration was in the framework default. Teams inherited it without knowing.</p> <h2> The invisible bug problem </h2> <p>Test suites validate that data is correct. Not that data is <strong>minimal</strong>.</p> <p>When you assert that <code>GET /users/123</code> returns the right name and email, you are not asserting that it does not also contain a password hash, an internal flag, or a field your serializer included because nobody removed it.</p> <p>Happy-path tests confirm the presence of expected data. Nobody writes a test that fails when <strong>unexpected</strong> data appears. That gap is where sensitive data exposure lives — entirely invisible to a suite that is otherwise fully green.</p> <p>Every response has two contracts:</p> <ol> <li>What it <strong>must</strong> contain</li> <li>What it <strong>must not</strong> contain</li> </ol> <p>Your suite almost certainly verifies the first. It needs to verify the second.</p> <h2> How QA engineers catch it </h2> <h3> PyTest </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pytest</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">jsonschema</span> <span class="n">BASE_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://your-app.com</span><span class="sh">"</span> <span class="n">FORBIDDEN_FIELDS</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">password_hash</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">token</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">secret</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">api_key</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">internal_id</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">debug</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">admin_notes</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">stack</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">trace</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">last_login_ip</span><span class="sh">"</span> <span class="p">}</span> <span class="n">ALLOWED_USER_FIELDS</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">created_at</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@pytest.fixture</span> <span class="k">def</span> <span class="nf">auth_session</span><span class="p">():</span> <span class="n">session</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nc">Session</span><span class="p">()</span> <span class="n">session</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/login</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">testuser</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">test_password</span><span class="sh">"</span> <span class="p">})</span> <span class="k">return</span> <span class="n">session</span> <span class="k">def</span> <span class="nf">test_user_response_contains_no_forbidden_fields</span><span class="p">(</span><span class="n">auth_session</span><span class="p">):</span> <span class="c1"># CVE-2024-25124 pattern: assert what must NOT be in the response </span> <span class="n">response</span> <span class="o">=</span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/users/123</span><span class="sh">"</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">exposed</span> <span class="o">=</span> <span class="n">FORBIDDEN_FIELDS</span><span class="p">.</span><span class="nf">intersection</span><span class="p">(</span><span class="n">body</span><span class="p">.</span><span class="nf">keys</span><span class="p">())</span> <span class="k">assert</span> <span class="ow">not</span> <span class="n">exposed</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Sensitive fields exposed in response: </span><span class="si">{</span><span class="n">exposed</span><span class="si">}</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">test_user_response_schema_allowlist</span><span class="p">(</span><span class="n">auth_session</span><span class="p">):</span> <span class="c1"># any field outside the allowlist is a contract violation </span> <span class="n">response</span> <span class="o">=</span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/users/123</span><span class="sh">"</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">unexpected</span> <span class="o">=</span> <span class="nf">set</span><span class="p">(</span><span class="n">body</span><span class="p">.</span><span class="nf">keys</span><span class="p">())</span> <span class="o">-</span> <span class="n">ALLOWED_USER_FIELDS</span> <span class="k">assert</span> <span class="ow">not</span> <span class="n">unexpected</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Unexpected fields in response: </span><span class="si">{</span><span class="n">unexpected</span><span class="si">}</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">test_error_response_contains_no_stack_trace</span><span class="p">(</span><span class="n">auth_session</span><span class="p">):</span> <span class="c1"># deliberately trigger a server error </span> <span class="n">response</span> <span class="o">=</span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/users/invalid-id-trigger-500</span><span class="sh">"</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="n">text</span> <span class="n">forbidden_strings</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">Traceback</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">at line</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Exception</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">File </span><span class="se">\"</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">django</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sqlalchemy</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">psycopg2</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">pymongo</span><span class="sh">"</span><span class="p">]</span> <span class="k">for</span> <span class="n">s</span> <span class="ow">in</span> <span class="n">forbidden_strings</span><span class="p">:</span> <span class="k">assert</span> <span class="n">s</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">body</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Stack trace marker </span><span class="sh">'</span><span class="si">{</span><span class="n">s</span><span class="si">}</span><span class="sh">'</span><span class="s"> found in error response</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">test_cors_no_wildcard_on_authenticated_endpoint</span><span class="p">(</span><span class="n">auth_session</span><span class="p">):</span> <span class="c1"># CVE-2024-25124: wildcard + credentials = any origin reads response </span> <span class="n">response</span> <span class="o">=</span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/users/123</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Origin</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">https://attacker.com</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="n">acao</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">assert</span> <span class="n">acao</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Wildcard CORS on authenticated endpoint exposes data</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">test_security_headers_present</span><span class="p">(</span><span class="n">auth_session</span><span class="p">):</span> <span class="n">response</span> <span class="o">=</span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/users/123</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">X-Powered-By</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">,</span> \ <span class="sh">"</span><span class="s">X-Powered-By header discloses server technology</span><span class="sh">"</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">X-Content-Type-Options</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">nosniff</span><span class="sh">"</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">Secure</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Set-Cookie</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">),</span> \ <span class="sh">"</span><span class="s">Session cookie missing Secure flag</span><span class="sh">"</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">HttpOnly</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Set-Cookie</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">),</span> \ <span class="sh">"</span><span class="s">Session cookie missing HttpOnly flag</span><span class="sh">"</span> </code></pre> </div> <h3> Robot Framework </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>*** Settings *** Library RequestsLibrary Library Collections Library String *** Variables *** ${BASE_URL} https://your-app.com @{FORBIDDEN} password password_hash token secret ... api_key internal_id debug admin_notes ... stack trace last_login_ip @{ALLOWED_FIELDS} id name email created_at *** Test Cases *** User Response Contains No Forbidden Fields # CVE-2024-25124 pattern: assert absence of sensitive fields Create Session app ${BASE_URL} ${response}= GET On Session app /users/123 ${body}= Set Variable ${response.json()} FOR ${field} IN @{FORBIDDEN} Dictionary Should Not Contain Key ${body} ${field} ... msg=Sensitive field '${field}' exposed in response END User Response Schema Allowlist Enforced Create Session app ${BASE_URL} ${response}= GET On Session app /users/123 ${body}= Set Variable ${response.json()} ${keys}= Get Dictionary Keys ${body} FOR ${key} IN @{keys} Should Contain ${ALLOWED_FIELDS} ${key} ... msg=Unexpected field '${key}' found in response END Error Response Contains No Stack Trace Create Session app ${BASE_URL} ${response}= GET On Session app /users/invalid-id-trigger-500 ... expected_status=any ${body}= Set Variable ${response.text} Should Not Contain ${body} Traceback Should Not Contain ${body} at line Should Not Contain ${body} Exception Should Not Contain ${body} File " Should Not Contain ${body} sqlalchemy Should Not Contain ${body} psycopg2 CORS No Wildcard On Authenticated Endpoint # CVE-2024-25124: wildcard origin + credentials = data exposed ${headers}= Create Dictionary Origin=https://attacker.com Create Session app ${BASE_URL} ${response}= GET On Session app /users/123 headers=${headers} ${acao}= Get From Dictionary ${response.headers} ... Access-Control-Allow-Origin default=${EMPTY} Should Not Be Equal ${acao} * ... msg=Wildcard CORS on authenticated endpoint exposes data Security Headers Present And Disclosure Headers Absent Create Session app ${BASE_URL} ${response}= GET On Session app /users/123 Dictionary Should Not Contain Key ${response.headers} X-Powered-By Dictionary Should Not Contain Key ${response.headers} Server ${xcto}= Get From Dictionary ${response.headers} ... X-Content-Type-Options default=${EMPTY} Should Be Equal ${xcto} nosniff </code></pre> </div> <h3> TypeScript — Playwright API testing </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">test</span><span class="p">,</span> <span class="nx">expect</span><span class="p">,</span> <span class="nx">APIRequestContext</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@playwright/test</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">FORBIDDEN_FIELDS</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">password_hash</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">secret</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">api_key</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">internal_id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">debug</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">admin_notes</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">stack</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">trace</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">last_login_ip</span><span class="dl">'</span> <span class="p">];</span> <span class="kd">const</span> <span class="nx">ALLOWED_USER_FIELDS</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">]);</span> <span class="kd">const</span> <span class="nx">STACK_TRACE_MARKERS</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">Traceback</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">at line</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Exception</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">File "</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">django</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">sqlalchemy</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">psycopg2</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pymongo</span><span class="dl">'</span> <span class="p">];</span> <span class="kd">let</span> <span class="nx">apiContext</span><span class="p">:</span> <span class="nx">APIRequestContext</span><span class="p">;</span> <span class="nx">test</span><span class="p">.</span><span class="nf">beforeAll</span><span class="p">(</span><span class="k">async </span><span class="p">({</span> <span class="nx">playwright</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">apiContext</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">playwright</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nf">newContext</span><span class="p">({</span> <span class="na">baseURL</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://your-app.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">testuser</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">test_password</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">test</span><span class="p">.</span><span class="nf">afterAll</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">dispose</span><span class="p">();</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">user response — no forbidden fields exposed</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// CVE-2024-25124 pattern: assert what must NOT be in the response</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/123</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">exposed</span> <span class="o">=</span> <span class="nx">FORBIDDEN_FIELDS</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">field</span> <span class="o">=&gt;</span> <span class="nx">field</span> <span class="k">in</span> <span class="nx">body</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">exposed</span><span class="p">,</span> <span class="s2">`Sensitive fields exposed: </span><span class="p">${</span><span class="nx">exposed</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">, </span><span class="dl">'</span><span class="p">)}</span><span class="s2">`</span><span class="p">).</span><span class="nf">toHaveLength</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">user response — schema allowlist enforced</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// any field outside the allowlist is a contract violation</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/123</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">unexpected</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">body</span><span class="p">).</span><span class="nf">filter</span><span class="p">(</span><span class="nx">key</span> <span class="o">=&gt;</span> <span class="o">!</span><span class="nx">ALLOWED_USER_FIELDS</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">key</span><span class="p">));</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">unexpected</span><span class="p">,</span> <span class="s2">`Unexpected fields in response: </span><span class="p">${</span><span class="nx">unexpected</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">, </span><span class="dl">'</span><span class="p">)}</span><span class="s2">`</span><span class="p">).</span><span class="nf">toHaveLength</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">error response — no stack trace in body</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// deliberately trigger a server error, assert clean generic message</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/invalid-id-trigger-500</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">text</span><span class="p">();</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">marker</span> <span class="k">of</span> <span class="nx">STACK_TRACE_MARKERS</span><span class="p">)</span> <span class="p">{</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">body</span><span class="p">,</span> <span class="s2">`Stack trace marker '</span><span class="p">${</span><span class="nx">marker</span><span class="p">}</span><span class="s2">' found in error response`</span><span class="p">)</span> <span class="p">.</span><span class="nx">not</span><span class="p">.</span><span class="nf">toContain</span><span class="p">(</span><span class="nx">marker</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">CORS — no wildcard origin on authenticated endpoint</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// CVE-2024-25124: wildcard + credentials = any origin reads response</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/123</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Origin</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://attacker.com</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">acao</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nf">headers</span><span class="p">()[</span><span class="dl">'</span><span class="s1">access-control-allow-origin</span><span class="dl">'</span><span class="p">]</span> <span class="o">??</span> <span class="dl">''</span><span class="p">;</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">acao</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Wildcard CORS on authenticated endpoint exposes data</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nx">not</span><span class="p">.</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">security headers — disclosure headers absent</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users/123</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nf">headers</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-powered-by</span><span class="dl">'</span><span class="p">],</span> <span class="dl">'</span><span class="s1">X-Powered-By discloses server technology</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">toBeUndefined</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-content-type-options</span><span class="dl">'</span><span class="p">]).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">'</span><span class="s1">nosniff</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">session cookie — Secure and HttpOnly flags present</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">testuser</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">test_password</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">setCookie</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nf">headers</span><span class="p">()[</span><span class="dl">'</span><span class="s1">set-cookie</span><span class="dl">'</span><span class="p">]</span> <span class="o">??</span> <span class="dl">''</span><span class="p">;</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">setCookie</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Session cookie missing Secure flag</span><span class="dl">'</span><span class="p">).</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">Secure</span><span class="dl">'</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">setCookie</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Session cookie missing HttpOnly flag</span><span class="dl">'</span><span class="p">).</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">HttpOnly</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Run data exposure tests in isolation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx playwright <span class="nb">test</span> <span class="nt">--grep</span> <span class="s2">"CORS|schema|forbidden|stack trace|cookie"</span> </code></pre> </div> <h3> CI/CD gate </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">sensitive-data-exposure-tests</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">test</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pytest tests/security/test_data_exposure.py -v</span> <span class="pi">-</span> <span class="s">npx playwright test --grep "CORS|schema|forbidden"</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s1">'</span><span class="s">$CI_PIPELINE_SOURCE</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"merge_request_event"'</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p>Pair with a Semgrep rule that flags direct model serialization without a DTO layer — the static check catches the pattern before deployment, the runtime tests confirm enforcement in the running application.</p> <h3> Environment note </h3> <p>Sensitive data exposure behaves differently across environments because debug settings change between development and production. A stack trace that appears in staging because <code>DEBUG=True</code> never makes it to production if someone remembered to flip the flag — but the test only ran in staging, so the gap is invisible.</p> <p>Always run response content validation tests against a production-mirrored environment with debug mode explicitly disabled.</p> <p>🔬 <strong>Practice this yourself:</strong> <a href="https://yuriysafron.com/qa-sandbox/sensitive-data/" rel="noopener noreferrer">yuriysafron.com/qa-sandbox</a></p> <h2> Why AI fails here </h2> <p>When a team asks GitHub Copilot to write tests for a user profile endpoint, it writes tests that assert the response contains the correct name, email, and profile fields. The tests pass. The suite is green.</p> <p>Nobody generated a test that asserts the response does not also contain <code>password_hash</code>, <code>internal_user_id</code>, or a debug object left in the serializer six months ago.</p> <p>The structural reason LLMs fail at this class: <strong>sensitive data exposure is defined by what should not be present, not by what should.</strong> LLMs generate tests by modeling the expected output of a function. They do not model the set of all outputs that would constitute a violation.</p> <p>Testing for absence requires knowing the full allowlist of permitted data — a design decision that lives outside the code itself. No amount of reading the handler implementation tells you that the password field should never appear in the response, because that information lives in a compliance document or a threat model, not in the source code.</p> <p>The concrete failure: a team builds a user management API. Copilot generates a full test suite. Every endpoint is covered. Three months after launch, a security researcher reports that <code>GET /users/:id</code> returns a hashed password and a <code>last_login_ip</code> field. The AI generated suite asserted the name and email were correct. It never asserted those two fields were absent. The data had been in every response since the first deployment. No test had ever looked for it.</p> <h2> How to prevent </h2> <p><strong>1. Response allowlist at the serialization layer</strong> - every API response must pass through a DTO that explicitly enumerates the fields allowed in the output. Nothing from the underlying domain model reaches the client unless it was deliberately placed in the DTO. Making implicit serialization impossible in your framework configuration means returning a raw model object is a runtime error, not a silent data leak.</p> <p><strong>2. Error response hardening</strong> — error handlers must return a generic message. Stack traces, exception class names, file paths, database driver information, and ORM query strings must never reach the client. This must be tested explicitly in CI against a production-mirrored environment with debug mode disabled.</p> <p><strong>3. Header security as a pipeline gate</strong> — every deployment must pass a header check that validates required security headers and the absence of disclosure headers. CORS headers must be validated against a known allowlist of permitted origins for every authenticated endpoint. This runs as a blocking post-deployment check, not a manual review before release.</p> <p>Prevention only works when it is tested. A DTO layer that exists is not the same as a DTO layer that is verified to contain only the fields it should. The test suite is the enforcement mechanism. Without it, the prevention is a convention, not a guarantee.</p> <h2> Conclusion </h2> <p>Working on a cybersecurity platform protecting U.S. critical infrastructure and multiple branches of the U.S. military sharpens your sense of what "sensitive" means in practice. In those environments, a leaked internal ID is not a minor finding. It is reconnaissance.</p> <p>Sensitive Data Exposure separates teams who think about what their API must <strong>return</strong> from teams who think only about what their API must <strong>do</strong>. The second group ships data they never intended to expose.</p> <p>Always in a field nobody thought to look for. Always in a response that was otherwise working perfectly.</p> <p><em>When did your team last audit your API responses for fields that should not be there and do you have a test that would catch a new one being added tomorrow?</em></p> <p><em>Part of the **Break It on Purpose</em>* series, published weekly for QA <br> engineers and SDETs who find bugs before attackers do.*</p> <p>🔬 Practice sandbox: <a href="https://yuriysafron.com/qa-sandbox/sensitive-data/" rel="noopener noreferrer">yuriysafron.com/qa-sandbox</a><br><br> 🔗 <a href="https://linkedin.com/in/yuriysafronnynov" rel="noopener noreferrer">linkedin.com/in/yuriy-safronnynov</a></p> security testing python webdev CSRF. The Bug That Looks Like Legitimate Traffic Yuriy Safronnynov Sun, 12 Apr 2026 14:00:00 +0000 https://forem.com/safron/csrf-the-bug-that-looks-like-legitimate-traffic-1l55 https://forem.com/safron/csrf-the-bug-that-looks-like-legitimate-traffic-1l55 <p>Your admin panel processes a state-changing request. The user is authenticated. The session cookie is valid. The server accepts it. The attacker wins.</p> <p>This is not a dramatic exploit. It is the server doing its job, faithfully executing a request it was never supposed to accept, because nobody thought to ask where the request actually came from.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy2lfv5pohovmfoulhzkc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy2lfv5pohovmfoulhzkc.png" alt="Vulnerable Path, CSRF Attack Flow, Secure Path" width="800" height="417"></a></p> <h2> TL;DR </h2> <ul> <li>CSRF lets an attacker forge authenticated requests from a victim's browser. The server sees a valid session and executes the action.</li> <li>CVE-2024-1538 exposed over 1 million WordPress sites via missing nonce validation. CVSS 8.8. Patched in File Manager 7.2.5.</li> <li>Happy-path tests never catch this. You have to explicitly test the rejection path: missing token, invalid token, no state mutation.</li> <li>Three layers of prevention: synchronizer tokens at middleware level, SameSite cookie attributes, Origin header validation.</li> <li>AI-generated test suites create false confidence here. They test the correct flow, not the forged one.</li> </ul> <h2> What it is </h2> <p>Cross-Site Request Forgery tricks an authenticated user's browser into sending a request to your application on behalf of an attacker. The browser does what browsers do: it automatically attaches session cookies to every request. The server sees a valid cookie and processes the request. The user never saw the form that submitted it.</p> <p>The technical condition that makes this possible: HTTP cookies are sent automatically on every matching request regardless of origin. If your server does not verify that a state-changing request came from your own application, any page on the web can forge one.</p> <p>Developers introduce this without malice. They build the happy path, test the happy path, and ship the happy path. Cross-origin validation is not something most developers think about while building a file rename feature. In code review, reviewers look for logic errors, but never for the presence of CSRF tokens on every mutating endpoint.</p> <p>The attack surface is the assumption that <strong>authenticated</strong> means <strong>authorized-to-have-submitted-this-form</strong>.</p> <h2> Real world damage </h2> <p><strong>CVE-2024-1538 · WordPress File Manager · March 2024 · CVSS 8.8</strong></p> <p>In March 2024, a CSRF vulnerability was disclosed in the WordPress File Manager plugin, active on over 1 million websites. The flaw stemmed from missing nonce validation on the <code>wp_file_manager</code> page when handling the <code>lang</code> parameter.</p> <p>An attacker could trick an authenticated administrator into clicking a crafted link, which would include a local JavaScript file into the application and open the door to remote code execution.</p> <p>No credentials required. No brute force. Only a logged-in admin who <br> clicked something.</p> <blockquote> <p>Source: <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-1538" rel="noopener noreferrer">NVD CVE-2024-1538</a>, <br> published March 21, 2024. Affected all versions up to 7.2.4. <br> Patched in 7.2.5. Credit: Wordfence for responsible disclosure.</p> </blockquote> <p>A QA engineer running cross-origin state-change tests before 7.2.5 <br> would have caught this. The test is not complex: submit a mutating <br> request with a missing or incorrect nonce and assert the server rejects it. That test did not exist. The vulnerability shipped to a million sites.</p> <h2> The invisible bug problem </h2> <p>Happy-path tests authenticate as a real user and send requests exactly as the application intends. That is the problem. <br> CSRF is not about whether the endpoint works correctly for a legitimate request. It is about whether the server validates that the request is legitimate at all.</p> <p>Your test suite exercises the authenticated user path and passes. The attack exploits the same path from an external origin and also passes, from the server's perspective.</p> <p>The bug only surfaces when the test asks a different question:</p> <blockquote> <p>Does this endpoint accept a state-changing request that arrives <br> without a valid CSRF token?</p> </blockquote> <p>Standard test suites never ask that. They test that the endpoint <br> responds correctly. They do not test that the endpoint <strong>refuses incorrectly</strong>.</p> <h2> How QA engineers catch it </h2> <p>The core principle: every state-changing endpoint must reject requests that arrive without a valid CSRF token. Your suite needs to verify the <strong>rejection path</strong>, not just the success path.</p> <h3> PyTest </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pytest</span> <span class="kn">import</span> <span class="n">requests</span> <span class="n">BASE_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://your-app.com</span><span class="sh">"</span> <span class="nd">@pytest.fixture</span> <span class="k">def</span> <span class="nf">auth_session</span><span class="p">():</span> <span class="n">session</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nc">Session</span><span class="p">()</span> <span class="n">session</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/login</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">test_password</span><span class="sh">"</span> <span class="p">})</span> <span class="k">return</span> <span class="n">session</span> <span class="k">def</span> <span class="nf">test_csrf_empty_token_returns_403</span><span class="p">(</span><span class="n">auth_session</span><span class="p">):</span> <span class="c1"># CVE-2024-1538 pattern: missing nonce = server must reject </span> <span class="n">response</span> <span class="o">=</span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/admin/file/rename</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">old_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">file.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">hacked.txt</span><span class="sh">"</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">X-CSRF-Token</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">}</span> <span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">403</span> <span class="k">def</span> <span class="nf">test_csrf_forged_token_returns_403</span><span class="p">(</span><span class="n">auth_session</span><span class="p">):</span> <span class="c1"># attacker-controlled token value must be rejected </span> <span class="n">response</span> <span class="o">=</span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/admin/file/rename</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">old_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">file.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">hacked.txt</span><span class="sh">"</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">X-CSRF-Token</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">attacker-forged-token-abc123</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">403</span> <span class="k">def</span> <span class="nf">test_csrf_no_state_mutation</span><span class="p">(</span><span class="n">auth_session</span><span class="p">):</span> <span class="c1"># 403 is necessary but not sufficient — assert state did not change </span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/admin/file/rename</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">old_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">file.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">hacked.txt</span><span class="sh">"</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">X-CSRF-Token</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">}</span> <span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/admin/files</span><span class="sh">"</span><span class="p">)</span> <span class="n">files</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">"</span><span class="s">files</span><span class="sh">"</span><span class="p">]</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">hacked.txt</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">files</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">file.txt</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">files</span> </code></pre> </div> <p>A 403 status is necessary but not sufficient. If the server returns 403 but still processes the action, you have a different kind of bug. <br> <strong>Assert the state, not just the status.</strong></p> <h3> Robot Framework </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>*** Settings *** Library RequestsLibrary *** Variables *** ${BASE_URL} https://your-app.com *** Test Cases *** CSRF Empty Token On File Rename Returns 403 # CVE-2024-1538: missing nonce on file manager endpoint Create Session app ${BASE_URL} ${headers}= Create Dictionary X-CSRF-Token=${EMPTY} ${response}= POST On Session app /admin/file/rename ... json={"old_name": "file.txt", "new_name": "hacked.txt"} ... headers=${headers} Should Be Equal As Strings ${response.status_code} 403 CSRF Forged Token On File Rename Returns 403 Create Session app ${BASE_URL} ${headers}= Create Dictionary ... X-CSRF-Token=attacker-forged-token-abc123 ${response}= POST On Session app /admin/file/rename ... json={"old_name": "file.txt", "new_name": "hacked.txt"} ... headers=${headers} Should Be Equal As Strings ${response.status_code} 403 CSRF Missing Token On Lang Parameter Returns 403 # mirrors exact CVE-2024-1538 attack surface: # lang parameter on wp_file_manager with no nonce validation Create Session app ${BASE_URL} ${headers}= Create Dictionary X-CSRF-Token=${EMPTY} ${response}= POST On Session app /admin/file-manager ... json={"lang": "../../../malicious.js"} ... headers=${headers} Should Be Equal As Strings ${response.status_code} 403 CSRF No State Mutation When Token Missing Create Session app ${BASE_URL} ${headers}= Create Dictionary X-CSRF-Token=${EMPTY} POST On Session app /admin/file/rename ... json={"old_name": "file.txt", "new_name": "hacked.txt"} ... headers=${headers} ${files_response}= GET On Session app /admin/files Should Not Contain ${files_response.json()["files"]} hacked.txt Should Contain ${files_response.json()["files"]} file.txt </code></pre> </div> <h3> TypeScript — Playwright API testing </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">test</span><span class="p">,</span> <span class="nx">expect</span><span class="p">,</span> <span class="nx">APIRequestContext</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@playwright/test</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">apiContext</span><span class="p">:</span> <span class="nx">APIRequestContext</span><span class="p">;</span> <span class="nx">test</span><span class="p">.</span><span class="nf">beforeAll</span><span class="p">(</span><span class="k">async </span><span class="p">({</span> <span class="nx">playwright</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">apiContext</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">playwright</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nf">newContext</span><span class="p">({</span> <span class="na">baseURL</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://your-app.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// authenticate once, reuse session across all CSRF tests</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">test_password</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">test</span><span class="p">.</span><span class="nf">afterAll</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">dispose</span><span class="p">();</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">CSRF — empty token on file rename returns 403</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// CVE-2024-1538 pattern: missing nonce = server must reject</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/file/rename</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">old_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">file.txt</span><span class="dl">'</span><span class="p">,</span> <span class="na">new_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hacked.txt</span><span class="dl">'</span> <span class="p">},</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-CSRF-Token</span><span class="dl">'</span><span class="p">:</span> <span class="dl">''</span> <span class="p">}</span> <span class="p">});</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">()).</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">403</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">CSRF — forged token on file rename returns 403</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// attacker-controlled token value must be rejected</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/file/rename</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">old_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">file.txt</span><span class="dl">'</span><span class="p">,</span> <span class="na">new_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hacked.txt</span><span class="dl">'</span> <span class="p">},</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-CSRF-Token</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">attacker-forged-token-abc123</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">()).</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">403</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">CSRF — missing token on lang parameter returns 403</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// mirrors exact CVE-2024-1538 attack surface:</span> <span class="c1">// lang parameter on wp_file_manager page, no nonce validation</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/file-manager</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">lang</span><span class="p">:</span> <span class="dl">'</span><span class="s1">../../../malicious.js</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">()).</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">403</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">CSRF — no state mutation when token is missing</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/file/rename</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">old_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">file.txt</span><span class="dl">'</span><span class="p">,</span> <span class="na">new_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hacked.txt</span><span class="dl">'</span> <span class="p">},</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-CSRF-Token</span><span class="dl">'</span><span class="p">:</span> <span class="dl">''</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// state must be unchanged — file must not have been renamed</span> <span class="kd">const</span> <span class="nx">files</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/files</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">files</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">files</span><span class="p">).</span><span class="nx">not</span><span class="p">.</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">hacked.txt</span><span class="dl">'</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">files</span><span class="p">).</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">file.txt</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">CSRF — valid token on file rename succeeds</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// confirm the protection does not block legitimate requests</span> <span class="kd">const</span> <span class="nx">tokenResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/csrf-token</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/file/rename</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">old_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">file.txt</span><span class="dl">'</span><span class="p">,</span> <span class="na">new_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">renamed.txt</span><span class="dl">'</span> <span class="p">},</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-CSRF-Token</span><span class="dl">'</span><span class="p">:</span> <span class="nx">token</span> <span class="p">}</span> <span class="p">});</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">()).</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">200</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Run CSRF tests in isolation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx playwright <span class="nb">test</span> <span class="nt">--grep</span> <span class="s2">"CSRF"</span> </code></pre> </div> <p><code>playwright.config.ts</code> for CI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">defineConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@playwright/test</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">testDir</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./tests/security</span><span class="dl">'</span><span class="p">,</span> <span class="na">use</span><span class="p">:</span> <span class="p">{</span> <span class="na">baseURL</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_URL</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">https://your-app.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">projects</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">csrf-security</span><span class="dl">'</span><span class="p">,</span> <span class="na">testMatch</span><span class="p">:</span> <span class="dl">'</span><span class="s1">**/csrf.spec.ts</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h3> CI/CD gate </h3> <p>These tests belong in GitLab CI as a <strong>blocking job on every merge <br> request</strong> — not an optional security scan that runs weekly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">csrf-security-tests</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">test</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pytest tests/security/test_csrf.py -v</span> <span class="pi">-</span> <span class="s">npx playwright test --grep "CSRF"</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s1">'</span><span class="s">$CI_PIPELINE_SOURCE</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"merge_request_event"'</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p>A 200 response on a missing-token request is an unambiguous pipeline failure condition. Pair with a Semgrep static analysis job that scans for route handlers missing CSRF middleware — the static check catches the pattern before deployment, the runtime tests confirm enforcement in the running application.</p> <h3> Burp Suite </h3> <p>Before writing a single automated test, use Burp Suite to map your <br> attack surface. Intercept a legitimate authenticated request to an admin endpoint, strip the CSRF token from the headers, and replay it. If it returns 200, you have a confirmed finding. Ten minutes per endpoint tells you where the gaps are before you spend time automating.</p> <h3> Environment note </h3> <p>Running CSRF tests locally is not the same as running them against your full stack. Some CDN edge configurations strip custom headers, including your CSRF token, before the request reaches the application server. A request that correctly returns 403 locally may return 200 in staging because the CDN silently dropped the token. Always run your CSRF suite against an environment that mirrors the full production network path.</p> <p>🔬 <strong>Practice this yourself:</strong> <a href="https://yuriysafron.com/qa-sandbox/csrf/" rel="noopener noreferrer">yuriysafron.com/qa-sandbox/csrf</a></p> <h2> Why AI fails here </h2> <p>When a team asks GitHub Copilot to generate CSRF tests, what they get is a test that logs in, submits a form with a valid token, and asserts a 200 response. The test passes. The team sees green and believes they have CSRF coverage.</p> <p>They have a happy-path test with a CSRF token in it. That is not the same thing.</p> <p>The structural reason LLMs cannot reason about this vulnerability class: <strong>CSRF is a relationship between origins, not a property of a single request.</strong> <br> LLMs generate tests in isolation. They model what a correct request looks like. They do not model what a forged request from an attacker-controlled page looks like.</p> <p>The concrete failure: a team ships a new admin file management module. All AI-generated tests pass. A researcher finds CVE-2024-1538 class behavior three weeks after release. The rename endpoint accepts requests with no token at all. The AI-generated suite never submitted a request without a token. The bug was always there. The suite never asked the question that would have found it.</p> <h2> How to prevent </h2> <p><strong>1. Synchronizer token pattern</strong> — implement at the middleware level across every state-changing endpoint. Framework-level enforcement means indvidual developers cannot accidentally skip validation on new endpoints. If each developer must remember to add the check manually, someone will forget. Put it in the middleware.</p> <p><strong>2. SameSite cookie attributes</strong> — <code>SameSite=Strict</code> or <code>SameSite=Lax</code> instructs the browser not to send cookies on cross-origin requests. Defense-in-depth, not a replacement for token validation. Older clients and certain redirect flows can bypass <code>SameSite=Lax</code>.</p> <p><strong>3. Origin and Referer header validation</strong> — the server checks that the <code>Origin</code> header matches its own domain. If it does not match, reject the request. Reliable secondary control when combined with the other two.</p> <p>Prevention only works if your test suite actively verifies each of these controls is enforced. A token pattern that is implemented but never tested is a token pattern that someone will quietly remove in a refactor and you will not know until production.</p> <h2> Conclusion </h2> <p>Working on a cybersecurity platform protecting U.S. critical <br> infrastructure and multiple branches of the U.S. military gives you a specific perspective on what a missed test actually costs.</p> <p>CSRF is not an academic edge case in that environment. It is the kind of gap that ends careers and makes headlines.</p> <p>The tests that matter most are never the ones that verify the feature works. They are the ones that verify the system <strong>refuses to do the wrong thing</strong>. CSRF lives exactly in that gap and most teams have never written a test that looks for it.</p> <p><em>Which endpoint in your current system would fail this test right now?</em></p> <p><em>Part of the **Break It on Purpose</em>* series - published weekly for QA engineers and SDETs who find bugs before attackers do.*</p> <p>🔬 Practice sandbox: <a href="https://yuriysafron.com/qa-sandbox" rel="noopener noreferrer">yuriysafron.com/qa-sandbox</a><br><br> 🔗 <a href="https://linkedin.com/in/yuriy-safronnynov" rel="noopener noreferrer">linkedin.com/in/yuriysafronnynov</a></p> security testing python webdev