industry · 2026-05-24 · 12 min read

CSRF cookie not rotated on login, 12-hour blast radius: Supabase anchor fingerprint (PR #606 CCC F2)

Halil, a 34-year-old independent AppSec consultant and Synack Red Team member from Bursa Heykel with 8 years of pentest and research work (blog: @halilbb_sec), holds an annual contract with Bursa Asmazlar Grubu, a 5-branch classic Iskender kebab chain, for its Q2 2026 web-app security audit (admin panel, order flow, staff PIN auth, Stripe webhook). By noon on day 3 the primary checklist was complete, but one finding had not been examined closely enough: the CSRF token cookie is not rotated after login. That is an OWASP session-fixation defense-in-depth gap. In the DevTools Application tab the sequence cookies, logout, login showed the same cookie still in place; its 12-hour Max-Age was insensitive to the auth-state change. SameSite=Lax, Path=/ and Domain=.thmenu.com were all fine; the problem was that the /api/csrf-token endpoint generates a fresh token ONLY when no cookie exists and otherwise passes the existing one through.

Lab reproduction: a synthetic reflected XSS in /forgot-password leaked document.cookie via a POST to an attacker-controlled origin; with the victim's CSRF token in hand for 12 hours, the attacker could issue Stripe-webhook manipulation POSTs, brute-force staff PINs and DELETE table sessions. **OWASP ASVS V3.4.1**: "session tokens must rotate when the user authenticates, the session is upgraded or sensitive operations occur." The CSRF token falls within that scope.

Three wrong theories were considered first: (1) a manual Set-Cookie csrf-token=... on the login endpoint, but web-admin has 5 auth entry points, which makes this fragile and easy to forget; (2) rotating in middleware at the start of every request, which is aggressively per-request and races across concurrent tabs; (3) Supabase auth.onAuthStateChange, which is client-side only and unreachable from the Edge Runtime.

Forensic analysis: ensureCsrfToken in apps/web-admin/src/lib/csrf.ts was never tied to auth state; it did req.cookies.get on csrf-token, called randomUUID() if the cookie was missing and passed the existing value through otherwise.

**PR #606 (batch CCC F2)** is the canonical fix: an HttpOnly sibling cookie csrf-session-anchor = SHA-256(access-token).slice(0, 32). The auth callback in apps/web-admin/src/app/auth/callback/route.ts computes the fingerprint of the Supabase access token and sets both cookies in lockstep with Set-Cookie.

The middleware in apps/web-admin/src/middleware.ts checks, on every state-changing request: (a) the csrf-token cookie equals the X-CSRF-Token header (double-submit cookie); (b) the csrf-session-anchor fingerprint equals recompute(Supabase access-token). On mismatch both cookies are rotated in lockstep and the request gets a 403; an idempotent client retry with the new cookies succeeds. Because SubtleCrypto in the Edge Runtime is async, the anchor is precomputed once in the auth callback and the middleware only does a string comparison. 32 characters (128 bits) is collision-resistant and stays under the cookie size budget. The attributes are HttpOnly, Secure, SameSite=Strict, Max-Age=43200 and Path=/, so the cookie is middleware-only and XSS cannot read it. A production audit cross-correlating 90 days of X-CSRF-Token headers with auth-callback rotate events found 0 prior exploit attempts: a defense-in-depth gap, not in-the-wild, but open. Backfill: active sessions that have NO anchor cookie get the middleware's rotate-and-reject 403 plus a transparent client retry.

Halil received a €750 Wise bounty, a Hall of Fame entry and Synack engagement priority. His LinkedIn post drew 3.1k engagements: "thMenu OWASP session-fixation: detected in 4 days, shipped in 6, a benchmark for open-source security disclosure in Turkiye." Saana, an AppSec engineer from Kallio, Helsinki, with 8 years as a Mandiant FIN reverse engineer and now an independent consultant for the Kotipizza chain, made a parallel disclosure the same week.

**Pattern**: a CSRF token must be rotated whenever auth state changes; it is NOT issued-once-and-forgotten. Canonical: the triad of an HttpOnly sibling anchor cookie, a Supabase access-token fingerprint and lockstep rotation in middleware. Implementation checklist: (1) a csrf-session-anchor cookie with HttpOnly, Secure and SameSite=Strict; (2) value = SHA-256(access-token).slice(0, 32); (3) precompute in the auth callback and Set-Cookie; (4) the middleware checks for an anchor mismatch on every state-changing request; (5) on mismatch, rotate both in lockstep and return 403; (6) no migration cron, the client retry is transparent. PR #606 is the reference.
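The checklist above, reduced to plain functions so it runs outside Next.js and the Edge Runtime. This is an added example, not thMenu's code from PR #606: the cookie names, the 32-character SHA-256 fingerprint, the cookie attributes and the lockstep-rotate-plus-403 behaviour follow the post; the function names (anchorFor, ensureCsrfTokenLegacy, rotateLockstep, checkStateChangingRequest, reloginScenario), the CookieJar shape standing in for req.cookies / Set-Cookie, and the access-token strings are assumptions of this example. One deliberate difference: the example recomputes the fingerprint synchronously with Node's createHash inside the check, whereas the post's middleware only string-compares a value precomputed in the auth callback. The missing-anchor case (the post's backfill of pre-fix sessions) takes the same rotate-and-reject path.

```typescript
// Added example (not thMenu's code): csrf-session-anchor pattern from the post.
import { createHash, randomUUID } from "crypto";

export const CSRF_COOKIE = "csrf-token";
export const ANCHOR_COOKIE = "csrf-session-anchor";
const MAX_AGE = 43200; // 12 hours, as in the post

// Minimal cookie-jar model standing in for req.cookies and Set-Cookie (assumption).
export type CookieJar = Record<string, string | undefined>;
export interface SetCookie { name: string; value: string; attrs: string; }

// Fingerprint of the Supabase access token: first 32 hex chars (128 bits) of SHA-256.
export function anchorFor(accessToken: string): string {
  return createHash("sha256").update(accessToken).digest("hex").slice(0, 32);
}

// Pre-fix behaviour: mint a token only when none exists, otherwise pass it through.
export function ensureCsrfTokenLegacy(jar: CookieJar): string {
  return jar[CSRF_COOKIE] ?? randomUUID();
}

// Lockstep rotation: both cookies are always re-issued together.
// csrf-token stays readable by the page (double-submit needs it in a header);
// the anchor is HttpOnly + SameSite=Strict so script cannot read it.
export function rotateLockstep(accessToken: string): SetCookie[] {
  return [
    { name: CSRF_COOKIE, value: randomUUID(),
      attrs: `Path=/; Secure; SameSite=Lax; Max-Age=${MAX_AGE}` },
    { name: ANCHOR_COOKIE, value: anchorFor(accessToken),
      attrs: `Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=${MAX_AGE}` },
  ];
}

// Constant-time string compare so token checks do not leak via timing.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

export interface CsrfDecision { status: 200 | 403; setCookies: SetCookie[]; reason: string; }

// Middleware decision for a state-changing request (POST/PUT/PATCH/DELETE).
export function checkStateChangingRequest(
  jar: CookieJar, headerToken: string | undefined, accessToken: string,
): CsrfDecision {
  // (b) anchor check: a missing or stale anchor means the csrf-token predates the
  // current auth state (or was never bound to one): rotate both and reject once.
  const anchor = jar[ANCHOR_COOKIE];
  if (!anchor || !constantTimeEqual(anchor, anchorFor(accessToken))) {
    return { status: 403, setCookies: rotateLockstep(accessToken), reason: "anchor-mismatch" };
  }
  // (a) double-submit: cookie value must equal the X-CSRF-Token header.
  const cookieToken = jar[CSRF_COOKIE];
  if (!cookieToken || !headerToken || !constantTimeEqual(cookieToken, headerToken)) {
    return { status: 403, setCookies: [], reason: "double-submit-mismatch" };
  }
  return { status: 200, setCookies: [], reason: "ok" };
}

// The post's scenario: cookies issued in session A, user logs out and back in as
// session B. The legacy path keeps A's token; the anchored path rejects the first
// state-changing request, re-issues both cookies, and the client's retry succeeds.
export function reloginScenario(): { legacyReused: boolean; first: number; retry: number } {
  const jar: CookieJar = {};
  const tokenA = "constructed-access-token-A"; // constructed sample values
  const tokenB = "constructed-access-token-B";
  for (const c of rotateLockstep(tokenA)) jar[c.name] = c.value; // auth callback, session A
  const tokenFromA = jar[CSRF_COOKIE]!;
  const legacyReused = ensureCsrfTokenLegacy(jar) === tokenFromA; // the bug: pass-through
  const first = checkStateChangingRequest(jar, tokenFromA, tokenB);
  for (const c of first.setCookies) jar[c.name] = c.value; // browser stores rotated cookies
  const retry = checkStateChangingRequest(jar, jar[CSRF_COOKIE], tokenB);
  return { legacyReused, first: first.status, retry: retry.status };
}
```

reloginScenario() returns { legacyReused: true, first: 403, retry: 200 }: the same pre-login token survives under the legacy ensureCsrfToken, while the anchored check forces one lockstep rotation and then accepts the retried request.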


thMenu Team

thmenu.com
