hbase-issues mailing list archives

From "Ted Yu (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-15187) Integrate CSRF prevention filter to REST gateway
Date Wed, 24 Feb 2016 19:16:18 GMT

     [ https://issues.apache.org/jira/browse/HBASE-15187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-15187:
---------------------------
    Description: 
HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard against cross-site
request forgery attacks.

This issue tracks the integration of that filter into HBase REST gateway.

From REST section of refguide:

To delete a table, use a DELETE request with the /schema endpoint:
http://example.com:8000<table>/schema

Suppose an attacker hosts a malicious web form on a domain under his control. The form uses
the DELETE action targeting a REST URL. Through social engineering, the attacker tricks an
authenticated user into accessing the form and submitting it.

The browser sends the HTTP DELETE request to the REST gateway.
At the REST gateway, the call is executed and the user table is dropped.

  was:
HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard against cross-site
request forgery attacks.

This issue tracks the integration of that filter into HBase REST gateway.


> Integrate CSRF prevention filter to REST gateway
> ------------------------------------------------
>
>                 Key: HBASE-15187
>                 URL: https://issues.apache.org/jira/browse/HBASE-15187
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>         Attachments: HBASE-15187.v1.patch, HBASE-15187.v2.patch, HBASE-15187.v3.patch, HBASE-15187.v4.patch, HBASE-15187.v5.patch, HBASE-15187.v6.patch, HBASE-15187.v7.patch, HBASE-15187.v8.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard against cross-site request forgery attacks.
> This issue tracks the integration of that filter into HBase REST gateway.
> From REST section of refguide:
> To delete a table, use a DELETE request with the /schema endpoint:
> http://example.com:8000<table>/schema
> Suppose an attacker hosts a malicious web form on a domain under his control. The form uses the DELETE action targeting a REST URL. Through social engineering, the attacker tricks an authenticated user into accessing the form and submitting it.
> The browser sends the HTTP DELETE request to the REST gateway.
> At the REST gateway, the call is executed and the user table is dropped.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
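
Added example, not part of the original message and not HBase or Hadoop code: a small Python model of a custom-header CSRF check placed in front of a REST gateway, run against the table-drop scenario described in the issue. The header name, the list of ignored methods, the status codes, the `Gateway` class and the sample requests are assumptions constructed for this illustration.

```python
# Assumptions of this example (not taken from the message above):
CUSTOM_HEADER = "X-XSRF-HEADER"  # header every state-changing request must carry
METHODS_TO_IGNORE = frozenset({"GET", "OPTIONS", "HEAD", "TRACE"})  # read-only

def csrf_check(method, headers):
    """Return True if the request may be passed on to the REST handler."""
    if method.upper() in METHODS_TO_IGNORE:
        return True
    # HTTP header names are case-insensitive; only presence is checked, because
    # a cross-site HTML form cannot attach a custom header to its request.
    return CUSTOM_HEADER.lower() in {name.lower() for name in headers}

class Gateway:
    """Toy REST gateway exposing only DELETE /<table>/schema (hypothetical)."""
    def __init__(self, tables, csrf_filter=True):
        self.tables = set(tables)
        self.csrf_filter = csrf_filter

    def handle(self, method, path, headers):
        if self.csrf_filter and not csrf_check(method, headers):
            return 400  # rejected before any handler runs
        parts = path.strip("/").split("/")
        if method.upper() == "DELETE" and len(parts) == 2 and parts[1] == "schema":
            if parts[0] not in self.tables:
                return 404
            self.tables.discard(parts[0])
            return 200
        return 200 if method.upper() == "GET" else 405

# Constructed requests. The forged one carries the victim's credentials
# (the browser attaches them automatically) but no custom header.
FORGED = ("DELETE", "/users/schema",
          {"Cookie": "session=constructed", "Origin": "http://attacker.example"})
LEGIT = ("DELETE", "/users/schema",
         {"Cookie": "session=constructed", "x-xsrf-header": "1"})

def demo():
    unprotected = Gateway({"users"}, csrf_filter=False)
    protected = Gateway({"users"})
    return {
        "unprotected_forged": unprotected.handle(*FORGED),  # table is dropped
        "protected_forged": protected.handle(*FORGED),      # blocked by filter
        "table_survives": "users" in protected.tables,
        "protected_legit": protected.handle(*LEGIT),        # API client passes
    }

if __name__ == "__main__":
    print(demo())
```

Legitimate scripted clients must be updated to send the header on every non-ignored method once such a filter is enabled, otherwise their writes are rejected as well.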
