Re: CSRF attack and prevention

Mon, 03 Sep 2018 00:51:49 -0700 

Hi Girish,
Nicolas is right, I just want to say that I already tried to use the CsrfPreventionFilter Tomcat Filter (wrongly noted RestCsrfPreventionFilter in the link below) without success, please refer to 

https://markmail.org/message/r245yie623cdo3wz

Your help is welcome :)

Jacques


Le 02/09/2018 à 21:15, Nicolas Malin a écrit :

Hi Girish,

Thanks for your warm. If you want to detail your please prefer send an email to 
secur...@ofbiz.apache.org instead of open an issue to JIRA.

Nicolas


On 02/09/2018 17:36, girish.vasmat...@hotwaxsystems.com wrote:

Hi All


      It looks like there is no mechanism to prevent CSRF attack in ofbiz. If I am logged in to ofbiz instance on my local and create a sample 
standalone HTML page and try to submit to either a GET or a POST ofbiz URL, I am successfully through and various cookies (applicable to the 
domain) are also sent by the browser to Ofbiz instance. That essentially is CSRF. This can be reproduced with a script tag with a valid ofbiz URL 
as src and you can actually see in the developer console the request made through and response is received.


Of course this attack has a context - that the user is logged in and happens on 
the victim's browser.


I replaced ofbiz URL with gmail and made sure I am logged in to my gmail account. I saw a vague/obsure response from gmail in the console meaning 
it prevented itself.



  I feel we can handle it in multiple ways and one of the ways is adding SameSite cookie which is a fairly new concept and per latest information 
Chrome already supports it and FireFox has also added support for the same. Browsers supporting this Cookie will not send JSESSIONID or any other 
SameSite cookie to the request if the request is cross-site. Each cookie needs to be flagged with SameSite with possible values being strict or lax.

Here's its IETF draft - 
https://tools.ietf.org/html/draft-west-first-party-cookies-07


  I also think we should not rely on this as the sole prevention mechanism and should also do something on the server side in the sense that we 
should not rely on the browser support. Tomcat does support a filter - org.apache.catalina.filters.CsrfPreventionFilter that appends a nonce for 
every request and stores the same in session.


We should also add support for checking Origin and Referrer headers. I think 
there is a lot we can do.


I have not seen any reference in the current trunk code for both SameSite cookie and CsrfPreventionFilter filter. If we can make everyone on the 
same page on CSRF, I would like to propose we go ahead with this change. I think we will need to handle it in multiple ways.


I can create a JIRA with all details provided we have the necessary concord.


Thanks and Best regards,
Girish Vasmatkar
HotWax Systems




























					Reply via email to