ofbiz-dev mailing list archives

From girish.vasmatkar@hotwaxsystems.com <girish.vasmat...@hotwaxsystems.com>
Subject CSRF attack and prevention
Date Sun, 02 Sep 2018 15:36:35 GMT
Hi All,

It looks like there is no mechanism to prevent CSRF attacks in OFBiz. If I am logged in
to an OFBiz instance on my local machine, create a sample standalone HTML page and try to submit to
either a GET or a POST OFBiz URL, I am successfully through, and the various cookies (applicable
to the domain) are also sent by the browser to the OFBiz instance. That essentially is CSRF. This
can be reproduced with a script tag with a valid OFBiz URL as src, and you can actually see
in the developer console that the request is made and the response is received.

Of course this attack has a context: the user is logged in, and it happens in the victim's
browser.

I replaced the OFBiz URL with Gmail and made sure I was logged in to my Gmail account. I saw a
vague/obscure response from Gmail in the console, meaning it prevented itself.

I feel we can handle it in multiple ways, and one of the ways is adding the SameSite cookie attribute, which
is a fairly new concept; per the latest information Chrome already supports it and Firefox
has also added support for the same. Browsers supporting this cookie attribute will not send JSESSIONID
or any other SameSite cookie with the request if the request is cross-site. Each cookie needs
to be flagged with SameSite, with possible values being strict or lax.
Here's its IETF draft - https://tools.ietf.org/html/draft-west-first-party-cookies-07

I also think we should not rely on this as the sole prevention mechanism and should also
do something on the server side, in the sense that we should not rely on browser support.
Tomcat does support a filter - org.apache.catalina.filters.CsrfPreventionFilter - that appends
a nonce to every request and stores the same in the session.

We should also add support for checking the Origin and Referer headers. I think there is a lot
we can do.

I have not seen any reference in the current trunk code to either the SameSite cookie or the CsrfPreventionFilter.
If we can get everyone on the same page on CSRF, I would like to propose we go ahead
with this change. I think we will need to handle it in multiple ways.

I can create a JIRA with all details provided we have the necessary concord.


Thanks and Best regards,
Girish Vasmatkar
HotWax Systems
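The three server-side layers proposed in this message (a per-session nonce as the Tomcat CsrfPreventionFilter does, an Origin/Referer check, and a SameSite-flagged session cookie) sketched as plain functions. This is an added illustration, not OFBiz or Tomcat code; the allowed origin and the form field name `csrf_token` are assumptions, and the request headers in the test are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin; a real deployment would load this from configuration.
ALLOWED_ORIGINS = {"https://ofbiz.example.test"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must not change server state


def origin_allowed(headers):
    """Accept the request only if Origin (or, failing that, Referer) is ours.
    A request carrying neither header fails closed."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def issue_token(session):
    """Store a fresh random nonce in the session and hand it to the page
    so it can be embedded in forms (synchronizer-token pattern)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def token_valid(session, submitted):
    """Constant-time comparison of the submitted nonce with the session copy."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def session_cookie(value, same_site="Strict"):
    """Set-Cookie value for JSESSIONID with the SameSite flag the post describes."""
    return f"JSESSIONID={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def request_allowed(method, headers, session, form):
    """Gate for state-changing requests: safe methods pass, everything else
    needs both a trusted origin and a matching session nonce."""
    if method in SAFE_METHODS:
        return True
    return origin_allowed(headers) and token_valid(session, form.get("csrf_token"))
```

Any state-changing OFBiz request still reachable via GET would have to move to POST for the gate to protect it.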
