Don't Trust, Verify! - How I Found a CSRF Bug Hiding in Plain Sight

Patrick O'Doherty

BSidesSF 2025 — Here Be Dragons · Day 2 · Main

A decade-old CSRF protection library called Gorilla CSRF contained a bug in which the entire same-origin enforcement code path was effectively inert in production — because it only ran when the request URL scheme was set to HTTPS, which Go's HTTP server never populates for incoming requests. A misleading test helper in Go's standard library made the unit tests pass green for years. Patrick O'Doherty traced the bug from customer question to root cause, submitted a patch, and found in the process that browser-native fetch metadata request headers can eliminate the entire class of CSRF tooling complexity.
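The mechanics described in the abstract, as an added example that is not code from the talk or from Gorilla CSRF: a request parsed off the wire the way Go's server reads it has an empty `URL.Scheme`, while `httptest.NewRequest` given an absolute URL fills the scheme in, so a same-origin check gated on `r.URL.Scheme == "https"` runs in unit tests and is skipped in production. The `legacyOriginCheck` function is a simplified reconstruction of that pattern, not the library's code, and `fetchMetadataAllows` shows the `Sec-Fetch-Site` based alternative the talk points to. Host names, paths and the raw requests are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed wire request: what a browser on evil.example sends to app.example
// when a page it controls submits a cross-site POST. The request line carries
// only the path; no scheme is ever transmitted.
const rawCrossSitePost = "POST /account/delete HTTP/1.1\r\n" +
	"Host: app.example\r\n" +
	"Referer: https://evil.example/csrf.html\r\n" +
	"Sec-Fetch-Site: cross-site\r\n" +
	"Content-Length: 0\r\n" +
	"\r\n"

// Constructed same-origin request, as the application's own form would send it.
const rawSameOriginPost = "POST /account/delete HTTP/1.1\r\n" +
	"Host: app.example\r\n" +
	"Referer: https://app.example/settings\r\n" +
	"Sec-Fetch-Site: same-origin\r\n" +
	"Content-Length: 0\r\n" +
	"\r\n"

// parseWire reads raw bytes the same way net/http's server does from a TCP
// connection, so the resulting *http.Request looks like a production request.
func parseWire(raw string) *http.Request {
	r, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		panic(err)
	}
	return r
}

func crossSiteWireRequest() *http.Request  { return parseWire(rawCrossSitePost) }
func sameOriginWireRequest() *http.Request { return parseWire(rawSameOriginPost) }

// crossSiteTestRequest builds the same request the way a unit test typically
// does. Given an absolute URL, httptest.NewRequest populates URL.Scheme (and
// r.TLS), which a served request never has.
func crossSiteTestRequest() *http.Request {
	r := httptest.NewRequest(http.MethodPost, "https://app.example/account/delete", nil)
	r.Header.Set("Referer", "https://evil.example/csrf.html")
	return r
}

// legacyOriginCheck is a simplified reconstruction (not Gorilla CSRF's code) of
// the pattern the talk describes: the Referer-vs-Host comparison is only
// reached when URL.Scheme is "https". Returns true when the request is accepted.
func legacyOriginCheck(r *http.Request) bool {
	if r.URL.Scheme == "https" {
		ref, err := url.Parse(r.Referer())
		if err != nil || ref.Host == "" {
			return false
		}
		if ref.Scheme != "https" || ref.Host != r.Host {
			return false
		}
	}
	// Served requests have an empty scheme, so the block above never runs.
	return true
}

// fetchMetadataAllows is the browser-native alternative: modern browsers attach
// Sec-Fetch-Site to every request, and the server refuses state-changing
// requests initiated by another site without any token bookkeeping.
func fetchMetadataAllows(r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true // safe methods must not change state anyway
	}
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		return true // "none" is a user-initiated navigation (typed URL, bookmark)
	case "":
		// Header absent: an old browser or a non-browser client. In a real
		// middleware this is where a token check would take over; the example
		// accepts so that such clients keep working.
		return true
	default:
		return false // "cross-site" and "same-site" are rejected
	}
}

func main() {
	fmt.Printf("served request scheme:   %q\n", crossSiteWireRequest().URL.Scheme)
	fmt.Printf("httptest request scheme: %q\n", crossSiteTestRequest().URL.Scheme)
	fmt.Println("legacy check accepts test request:  ", legacyOriginCheck(crossSiteTestRequest()))
	fmt.Println("legacy check accepts served request:", legacyOriginCheck(crossSiteWireRequest()))
	fmt.Println("fetch metadata accepts cross-site:  ", fetchMetadataAllows(crossSiteWireRequest()))
	fmt.Println("fetch metadata accepts same-origin: ", fetchMetadataAllows(sameOriginWireRequest()))
}
```

Running it shows the test-only request being rejected by the legacy check while the identical request parsed off the wire is accepted, and the fetch metadata check rejecting the cross-site request regardless of how it was built.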

AI review

A decade-old CSRF protection library with a dead code path, invisible because Go's httptest.NewRequest generates request objects that can never appear in production — three mutually reinforcing weaknesses that aligned to create a real vulnerability in Gorilla CSRF. O'Doherty then closes with the correct answer: fetch metadata headers eliminate the entire attack class. This is how vulnerability research should be presented.
