I am running a security test on a website. The login request looks like this:
POST /sessions HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/login/
Cookie: guest_id=v13A143119700248937739; ga=GA1.2.2044559433.1430765006; eu_cn=1; kdt=EYxSZrzMFf9mQfhszqmTBvqOPw9yKfSG1APJHsxj; sess=BAh7CiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCCAI%252FD5NAToMY3NyZl9p%250AZCIlNDNiN2I5NWEyYzdkY2IyODNiNTI2MjJmN2E4OGUzYzU6B2lkIiVjZGM4%250AZDVlNjk2ZmZiOTUyMTQxNjE2YjFjYTU3NWFjODoJdXNlcmwrB%252BEaIKw%253D--472855fe8d2a70f4327cac502e1d1e916dc0d52f;
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 239
session%5Busername_or_email%5D=bugtest3000%40gmail.com&session%5Bpassword%5D=badpassword&authenticity_token=326c4ad687f74a52359710bad94a2bfce9e4d9d6
I can inject a second authenticity_token and still log in. Is this a security issue?
POST /sessions HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/login/
Cookie: guest_id=v13A143119700248937739; ga=GA1.2.2044559433.1430765006; eu_cn=1; kdt=EYxSZrzMFf9mQfhszqmTBvqOPw9yKfSG1APJHsxj; sess=BAh7CiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCCAI%252FD5NAToMY3NyZl9p%250AZCIlNDNiN2I5NWEyYzdkY2IyODNiNTI2MjJmN2E4OGUzYzU6B2lkIiVjZGM4%250AZDVlNjk2ZmZiOTUyMTQxNjE2YjFjYTU3NWFjODoJdXNlcmwrB%252BEaIKw%253D--472855fe8d2a70f4327cac502e1d1e916dc0d52f;
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 239
session%5Busername_or_email%5D=bugtest3000%40gmail.com&session%5Bpassword%5D=badpassword&&scribe_log=&redirect_after_login=%2F&authenticity_token=326c4ad687f74a52359710bad94a2bfce9e4d9d5&authenticity_token=11111111111111111111111111111111111111111111
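An added example (not code from the question or from any framework) showing why a repeated authenticity_token is ambiguous and what a defender-side check looks like: the body below is the second request from the question, and SESSION_TOKEN is a constructed placeholder for the token the server stored for this client. Which of the two values a real framework keeps is framework-specific, so both interpretations are shown next to a strict check that rejects the duplicate outright.

```python
from urllib.parse import parse_qs
import hmac

# Body of the second request from the question: authenticity_token appears twice.
BODY = ("session%5Busername_or_email%5D=bugtest3000%40gmail.com"
        "&session%5Bpassword%5D=badpassword&&scribe_log=&redirect_after_login=%2F"
        "&authenticity_token=326c4ad687f74a52359710bad94a2bfce9e4d9d5"
        "&authenticity_token=11111111111111111111111111111111111111111111")

# Constructed placeholder: the CSRF token the server associated with this session.
SESSION_TOKEN = "326c4ad687f74a52359710bad94a2bfce9e4d9d5"


def token_values(body: str) -> list:
    """Every value supplied for authenticity_token, in the order it appeared."""
    return parse_qs(body, keep_blank_values=True).get("authenticity_token", [])


def first_wins(body: str, session_token: str) -> bool:
    """Parser behaviour A: the first occurrence of a repeated key is kept."""
    values = token_values(body)
    return bool(values) and hmac.compare_digest(values[0], session_token)


def last_wins(body: str, session_token: str) -> bool:
    """Parser behaviour B: a repeated key overwrites, so the last occurrence is kept."""
    values = token_values(body)
    return bool(values) and hmac.compare_digest(values[-1], session_token)


def strict_check(body: str, session_token: str) -> bool:
    """Defensive validation: accept only if the token is present exactly once and matches."""
    values = token_values(body)
    return len(values) == 1 and hmac.compare_digest(values[0], session_token)


if __name__ == "__main__":
    print(token_values(BODY))
    print("first wins:", first_wins(BODY, SESSION_TOKEN))
    print("last wins: ", last_wins(BODY, SESSION_TOKEN))
    print("strict:    ", strict_check(BODY, SESSION_TOKEN))
```

When triaging a finding like this, the question to settle is which of the two values the server actually validated; a strict check that refuses repeated tokens removes the ambiguity entirely.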