Hi All,

This is my 1st weekly reminder :)

As you may know, CSRF attacks are very bad. TL;DR: they are hard to provoke, but once you are able to create one, mostly using social engineering, they can be "devastating for both the business and user" [1].

OFBiz is currently riddled with CSRF vulnerabilities: all non-idempotent URLs [2] are susceptible to attack. James started an effort to fix them with OFBIZ-11306 and I joined him.

Though, after almost 3 months of work, I'm pretty confident about our results, I have investigated how to validate our effort with 3 main penetration tools: Burp, OWASP ZAP and Qualys.

I notably followed [3]. Since we have (normally) covered all cases (see the OFBIZ-11306 description), I did not find a way to penetrate using this method.

Moreover, I'm a developer, not a penetration tester. And, for misc. reasons, I find it quite painful to use those tools when it comes to CSRF, even if it's well explained in [3].

I did not find an easy way to automatically test all URLs for CSRF vulnerabilities either. It seems to me that the most powerful tool is Qualys, but so far I have been unable to scan a localhost instance. I expect to work on that next week. If I can't get it working, it would be nice to have a domain where to put the changes and launch Qualys, and also ZAP, which I have to test for the same, against this domain.

Another aspect I'd be interested in is regressions. I don't think there should be any, but if you can apply the patch, or use my fork branch (see OFBIZ-11425), and have a short tour, it would be good.

[1] https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/
[2] This is security jargon :). An idempotent URL is one that does not change the state of the application. It's a bit more than a safe URL: http://restcookbook.com/HTTP%20Methods/idempotency/
[3] https://portswigger.net/support/using-burp-to-test-for-cross-site-request-forgery

TIA

Jacques
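
To make the point about non-idempotent URLs concrete, here is an added example (my own illustration, not OFBiz code and not the OFBIZ-11306 patch) of the synchronizer-token check that a token-based CSRF fix relies on, written in Python so it runs stand-alone. A state-changing request is accepted only when it carries a token equal to the one held in the server-side session; a cross-origin attacker's page can make the victim's browser send the session cookie, but cannot read that token to include it. GET/HEAD/OPTIONS are exempt as read-only. The `Request` shape, the `csrfToken` field name, the `/control/updatePassword` path and the session dict are all assumptions for illustration; the "vulnerable" handler shows the before-state where the cookie alone is trusted.

```python
"""Synchronizer-token CSRF check, as a small stand-alone model.

Constructed example (not OFBiz code): a plain dict stands in for the
server-side session and a Request object for an incoming HTTP request.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Methods that must not change server state are exempt from the check.
# Everything else (POST, PUT, DELETE, ...) is treated as state-changing
# and must carry a valid token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
TOKEN_FIELD = "csrfToken"          # assumed hidden form field name
TOKEN_HEADER = "X-CSRF-Token"      # assumed header name for XHR/fetch callers
SESSION_KEY = "_csrf_token"


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_token(session: dict) -> str:
    """Return the session's CSRF token, creating it on first use.

    The token comes from a CSPRNG and lives only in the server-side
    session; the server embeds it in its own forms as a hidden field.
    """
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[SESSION_KEY] = token
    return token


def csrf_check(session: dict, request: Request) -> bool:
    """True if the request may proceed under the synchronizer-token rule."""
    if request.method.upper() in SAFE_METHODS:
        return True                          # read-only: nothing to forge
    expected = session.get(SESSION_KEY)
    if expected is None:
        return False                         # no token ever issued: reject
    supplied = request.form.get(TOKEN_FIELD) or request.headers.get(TOKEN_HEADER)
    if supplied is None:
        return False                         # missing token: reject
    # Constant-time comparison so a timing side channel cannot leak the token.
    return hmac.compare_digest(expected, supplied)


def vulnerable_handler(session: dict, request: Request) -> str:
    """'Before' version: any POST arriving with a valid session is acted on."""
    if request.method == "POST" and request.path == "/control/updatePassword":
        session["password"] = request.form["newPassword"]
        return "changed"
    return "ignored"


def hardened_handler(session: dict, request: Request) -> str:
    """'After' version: the same handler placed behind the token check."""
    if not csrf_check(session, request):
        return "rejected"
    return vulnerable_handler(session, request)


def demo() -> dict:
    """Drive both handlers with forged, tampered and legitimate requests."""
    session = {"user": "admin"}            # the victim is logged in
    token = issue_token(session)

    # Forged: an attacker page auto-submits a form. The browser attaches the
    # session cookie (so the session is found) but the attacker's origin
    # cannot read the token, so the form carries none.
    forged = Request("POST", "/control/updatePassword",
                     form={"newPassword": "pwned"})
    # Tampered: a token is present but does not match the session's.
    tampered = Request("POST", "/control/updatePassword",
                       form={"newPassword": "x", TOKEN_FIELD: token[:-1] + "!"})
    # Legitimate: the server-rendered form included the hidden token.
    legit = Request("POST", "/control/updatePassword",
                    form={"newPassword": "s3cret", TOKEN_FIELD: token})

    return {
        "vulnerable_forged": vulnerable_handler(dict(session), forged),
        "hardened_forged": hardened_handler(dict(session), forged),
        "hardened_tampered": hardened_handler(dict(session), tampered),
        "hardened_legit": hardened_handler(dict(session), legit),
        "hardened_get": hardened_handler(dict(session), Request("GET", "/control/main")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
```

The exempt list is keyed on the HTTP method, so a state-changing action reachable via GET would slip through; that is exactly why the distinction drawn in footnote [2] matters and why such actions should be moved to POST before relying on a check like this.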

On 29/02/2020 at 11:01, Pierre Smits wrote:
Thanks for the info, and the persistence to keep it in the attention span,
Jacques.

Met vriendelijke groet,

Pierre Smits
Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since 2008 (without privileges)

Apache Trafodion <https://trafodion.apache.org>, Vice President
Apache Directory <https://directory.apache.org>, PMC Member
Apache Incubator <https://incubator.apache.org>, committer
Apache Steve <https://steve.apache.org>, committer


On Sat, Feb 29, 2020 at 10:28 AM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

For those interested, it's maybe easier to test to simply apply the last patches (framework + plugins) at OFBIZ-11306.

Also if I see nothing happening, I'll do a reminder every week...

Thanks

Jacques

On 27/02/2020 at 17:28, Jacques Le Roux wrote:
Forgot to say that, with or without tests, I'll commit in 1 month...

Jacques

On 27/02/2020 at 15:08, Jacques Le Roux wrote:
Hi,

After working with James, who initiated the "POC for CSRF Token" effort, on https://issues.apache.org/jira/browse/OFBIZ-11306, I have created OFBIZ-11425 to ask for all possible help to review and test.
TIA

Jacques
