CSRF and file upload

Vaadin security page (https://vaadin.com/security) maintains that all requests between the client and the server are included with a user session specific CSRF token.
However, specifically on upload requests (file upload) we do not identify such a mechanism, and we actually got flagged on a penetration test that CSRF prevention is not implemented for that sort of request.

Does anyone know how CSRF token is implemented for file upload in Vaadin? Or is it indeed a vulnerability of the framework?



For uploads, a CSRF token is part of the URL to which the file is being sent (i.e. part of the “action” part of the upload form). The end result is exactly the same as with regular requests sent by the framework: an attacker cannot know everything needed for making the user’s browser send something that would look like a legitimate request without either reading messages sent from the server to that user (i.e. man-in-the-middle) or running JavaScript in the context of the user’s application (i.e. XSS).

The token is not the same one that is used for regular communication, but it is instead generated separately for each Upload component and stored as part of the user’s session. This actually means that the protection is slightly stronger for upload requests.
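To make the answer concrete, here is an added, constructed Python model of the mechanism it describes (not Vaadin's own code): a random token generated per Upload component, kept in the server-side session, embedded in the URL the browser posts the file to, and verified on the server before the upload is accepted. The path layout `/APP/UPLOAD/<component>?sec=<token>` and the class and function names are assumptions.

```python
import secrets
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed model (not Vaadin's code): each Upload component gets its own
# random token, stored only in the server-side session; the token travels
# in the upload URL, where a cross-site form post cannot know it.

class Session:
    """Server-side session holding one CSRF token per Upload component."""
    def __init__(self):
        self.upload_tokens = {}   # component id -> token

    def register_upload(self, component_id):
        token = secrets.token_urlsafe(32)
        self.upload_tokens[component_id] = token
        return token

def upload_action_url(session, component_id):
    """Build the form 'action' URL for an Upload component (assumed layout)."""
    token = session.upload_tokens[component_id]
    return f"/APP/UPLOAD/{component_id}?sec={token}"

def authorize_upload(session, request_url):
    """Server-side check: the token in the request URL must match the one
    stored in the session for that exact component. Returns True only if
    the upload may proceed; a missing, wrong or foreign token is rejected."""
    parts = urlsplit(request_url)
    segments = parts.path.strip("/").split("/")
    if len(segments) != 3 or segments[:2] != ["APP", "UPLOAD"]:
        return False
    component_id = segments[2]
    expected = session.upload_tokens.get(component_id)
    presented = parse_qs(parts.query).get("sec", [None])[0]
    if expected is None or presented is None:
        return False
    # constant-time comparison so timing does not leak how much of the token matched
    return hmac.compare_digest(expected, presented)
```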

Thanks for the quick and detailed response.