hbase-issues mailing list archives

From "Ted Yu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-15187) Integrate CSRF prevention filter to REST gateway
Date Wed, 24 Feb 2016 17:38:18 GMT

    [ https://issues.apache.org/jira/browse/HBASE-15187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15163385#comment-15163385 ]

Ted Yu commented on HBASE-15187:
--------------------------------

bq. the equivalent CSRF attack vector in hbase

From the REST section of the refguide:

To delete a table, use a DELETE request with the /schema endpoint:
http://example.com:8000<table>/schema

Suppose an attacker hosts a malicious web form on a domain under his control. The form uses
the DELETE action targeting a REST URL. Through social engineering, the attacker tricks an
authenticated user into accessing the form and submitting it.

The browser sends the HTTP DELETE request to the REST gateway.
At the REST gateway, the call is executed and the user's table is dropped.

bq. why are our other servlets not also vulnerable

From the header of JMXJsonServlet:
 * This servlet is based off of the JMXProxyServlet from Tomcat 7.0.14. It has
 * been rewritten to be read only and to output in a JSON format so it is not
 * really that close to the original.

As you may be aware, GET is a permitted method defined by RestCsrfPreventionFilter:
{code}
+  static String REST_CSRF_METHODS_TO_IGNORE_DEFAULT = "GET,OPTIONS,HEAD,TRACE";
{code}
This means that read-only web pages such as those provided by JMXProxyServlet are outside
the scope of RestCsrfPreventionFilter.

w.r.t. using ESAPI to counter CSRF attacks, let me do a bit more homework.
Will get back.

> Integrate CSRF prevention filter to REST gateway
> ------------------------------------------------
>
>                 Key: HBASE-15187
>                 URL: https://issues.apache.org/jira/browse/HBASE-15187
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>         Attachments: HBASE-15187.v1.patch, HBASE-15187.v2.patch, HBASE-15187.v3.patch, HBASE-15187.v4.patch, HBASE-15187.v5.patch, HBASE-15187.v6.patch, HBASE-15187.v7.patch, HBASE-15187.v8.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard against cross-site request forgery attacks.
> This issue tracks the integration of that filter into HBase REST gateway.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
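As an added illustration, not code from the HBase or Hadoop patches, here is a small Python model of the filter decision discussed in the comment above: read-only methods pass unchecked, and a state-changing request from a browser is rejected unless it carries a custom header that a cross-site form cannot add. The header name X-XSRF-HEADER, the browser user-agent check and the non-browser pass-through are assumptions about the Hadoop filter, not facts stated on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed model of a REST CSRF prevention filter of the kind HADOOP-12691
# introduced. Only the methods-to-ignore default appears in the thread above;
# the other defaults are assumptions about the Hadoop filter.
DEFAULT_METHODS_TO_IGNORE = {"GET", "OPTIONS", "HEAD", "TRACE"}
DEFAULT_CUSTOM_HEADER = "X-XSRF-HEADER"                 # assumed default
DEFAULT_BROWSER_UA_REGEX = ("^Mozilla.*", "^Opera.*")   # assumed default


@dataclass
class CsrfFilterPolicy:
    methods_to_ignore: set = field(default_factory=lambda: set(DEFAULT_METHODS_TO_IGNORE))
    custom_header: str = DEFAULT_CUSTOM_HEADER
    browser_ua_regex: tuple = DEFAULT_BROWSER_UA_REGEX

    def decide(self, method: str, headers: Dict[str, str]) -> Tuple[int, str]:
        """Return (http_status, reason) the filter would produce for one request."""
        hdrs = {k.lower(): v for k, v in headers.items()}
        if method.upper() in self.methods_to_ignore:
            return 200, "read-only method, not checked"
        ua = hdrs.get("user-agent", "")
        # CSRF is a browser problem: a client that can set arbitrary headers is
        # not constrained by the same-origin policy, so it is let through.
        if not any(re.match(p, ua) for p in self.browser_ua_regex):
            return 200, "non-browser client, not checked"
        # Any value counts; the point is that a cross-site form cannot add it.
        if self.custom_header.lower() in hdrs:
            return 200, "custom header present"
        return 400, "missing required header for CSRF protection"


def scenario() -> Dict[str, int]:
    """Constructed requests mirroring the thread: the forged DELETE against
    /<table>/schema arrives with only the headers a browser sets by itself."""
    policy = CsrfFilterPolicy()
    browser = {"User-Agent": "Mozilla/5.0", "Referer": "http://attacker.invalid/form"}
    return {
        "forged_delete": policy.decide("DELETE", browser)[0],
        "browser_get": policy.decide("GET", browser)[0],
        "legit_delete": policy.decide("DELETE", {**browser, "X-XSRF-HEADER": ""})[0],
        "curl_delete": policy.decide("DELETE", {"User-Agent": "curl/7.64.0"})[0],
    }
```

The `curl_delete` case shows the caveat: the filter only protects browser sessions, so the gateway still needs its own authentication and authorization for non-browser clients.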
