ofbiz-notifications mailing list archives

From "James Yong (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-11306) POC for CSRF Token
Date Sun, 12 Jan 2020 08:11:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17013673#comment-17013673 ]

James Yong commented on OFBIZ-11306:
------------------------------------

Hi Jacques,

Agreed with the article on Disclosure of Token in URL.

Explanation for tokens in navigation

In OFBiz, there are forms that use the same URI for getting the form and posting the changes.

As it is possible for an attacker to submit form changes using the GET method, the CSRF token
check cannot be bypassed based on the request method used.
This is the reason why the token was invalidated each time it was used in a GET request.
However, to allow back/forward browser actions to work, tokens aren't invalidated for GET
requests, as a compromise between usability and security.
IMO, a safer approach would be to
1) explicitly set method='get' in the requestmap for requests that don't change state;
2) look into the 3 proposed general rules mentioned earlier; and
3) invalidate tokens used in GET requests.

The general rules are as follows:
1) RequestMap configured with 'get' method will be exempted from CSRF token check.
2) RequestMap configured with 'post' or 'all' method will be subjected to CSRF token check.
3) Request URI starting with "Lookup" or equal to "main" is also exempted from CSRF token check.
Setting csrf-token to false or true on the Request Map will override the general rules above.

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used in:
> 1) In widget forms, where a hidden token field is auto-generated.
> 2) In FTL forms, where a <@csrfTokenField> macro is used to generate the CSRF token field.
> 3) In Ajax calls, where a <@csrfTokenAjax> macro is used to assign the CSRF token to X-CSRF-Token in the request header.
> CSRF tokens are stored in the user sessions, and verified during POST requests.
> A new attribute, i.e. csrf-token, is added to the security tag to exempt the CSRF token check.
> Certain request paths, like LookupPartyName, can be exempt from the CSRF token check during Ajax POST calls.
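The three general rules and the csrf-token override described in the comment above, modelled as a standalone decision function. This is an added example, not OFBiz's RequestHandler or any code from the issue; the RequestMap class, the field names and the "csrfToken" session key are assumptions standing in for a controller.xml request-map entry and the session attribute. It also shows the single-use token handling the comment argues for (point 3): a token is rotated once it has been verified, so a token that appeared in a GET URL cannot be replayed, at the cost of the back/forward usability trade-off the comment mentions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical model of the CSRF exemption rules discussed in the comment.
 * Not OFBiz code: RequestMap is a constructed stand-in for a request-map entry.
 */
public final class CsrfPolicyExample {

    /** Constructed stand-in for a request-map: URI, method and optional csrf-token attribute. */
    static final class RequestMap {
        final String uri;
        final String method;          // "get", "post" or "all"
        final Boolean csrfTokenAttr;  // null when the security tag does not set csrf-token

        RequestMap(String uri, String method, Boolean csrfTokenAttr) {
            this.uri = uri;
            this.method = method;
            this.csrfTokenAttr = csrfTokenAttr;
        }
    }

    /** Applies the three general rules; an explicit csrf-token attribute overrides them. */
    static boolean requiresCsrfCheck(RequestMap rm) {
        if (rm.csrfTokenAttr != null) {
            return rm.csrfTokenAttr;                          // explicit true/false wins
        }
        if (rm.uri.startsWith("Lookup") || rm.uri.equals("main")) {
            return false;                                      // rule 3: lookups and "main" exempt
        }
        if ("get".equalsIgnoreCase(rm.method)) {
            return false;                                      // rule 1: declared read-only
        }
        return true;                                           // rule 2: "post" or "all" are checked
    }

    private static final SecureRandom RNG = new SecureRandom();

    /** Issues a fresh random token and stores it in the (assumed) session attribute. */
    static String issueToken(Map<String, String> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put("csrfToken", token);
        return token;
    }

    /**
     * Compares the submitted token with the session token in constant time and,
     * on success, replaces it, so a token that has already been used (for example
     * one that appeared in a GET URL) is rejected on replay.
     */
    static boolean verifyAndInvalidate(Map<String, String> session, String submitted) {
        String expected = session.get("csrfToken");
        if (expected == null || submitted == null) {
            return false;
        }
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            issueToken(session);  // single use: the consumed token is replaced
        }
        return ok;
    }

    public static void main(String[] args) {
        // Constructed sample request-map entries covering each rule and the override.
        RequestMap[] samples = {
            new RequestMap("LookupPartyName", "post", null),  // exempt by rule 3
            new RequestMap("main", "all", null),              // exempt by rule 3
            new RequestMap("viewProfile", "get", null),       // exempt by rule 1
            new RequestMap("updateProfile", "post", null),    // checked by rule 2
            new RequestMap("updateProfile", "all", null),     // checked by rule 2
            new RequestMap("LookupSomething", "post", true),  // override forces a check
            new RequestMap("deleteItem", "post", false),      // override disables the check
        };
        for (RequestMap rm : samples) {
            System.out.printf("%-18s method=%-4s csrf-token=%-5s -> check=%b%n",
                    rm.uri, rm.method, rm.csrfTokenAttr, requiresCsrfCheck(rm));
        }

        // Single-use behaviour: the second verification of the same token is rejected.
        Map<String, String> session = new HashMap<>();
        String token = issueToken(session);
        System.out.println("first use: " + verifyAndInvalidate(session, token));
        System.out.println("replay:    " + verifyAndInvalidate(session, token));
    }
}
```

The override check runs before the general rules, so `csrf-token="false"` on a state-changing POST removes the protection entirely; reviewing which request maps carry that attribute is the check worth keeping in mind when the exemption list grows.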



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
