Hi Jacques,

I tried to simulate the CSRF manually (and I plan to use ZAP as well) and I got this error:
Invalid or missing CSRF token to path '/EntitySQLProcessor'

I logged in to OFBiz and then used an HTML form to perform the attack, and the patch successfully prevented it. So it looks good to me. I will let you know how it goes with ZAP.

Best,
Girish

On Sat, Mar 7, 2020 at 3:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

> Hi All,
>
> This is my 1st weekly reminder :)
>
> As you may know, CSRF attacks are very bad. TL;DR: They are hard to provoke, but once you are able to create one, mostly using social engineering, they can be "devastating for both the business and user".[1]
>
> OFBiz is currently riddled with CSRF vulnerabilities: all non-idempotent URLs[2] are susceptible to being attacked. James started an effort to fix them with OFBIZ-11306 and I joined him.
>
> Though after almost 3 months of work I'm pretty confident about our results, I have investigated how to validate our effort with 3 main penetration tools: Burp, OWASP ZAP and Qualys.
>
> I notably followed [3]. Since we have (normally) covered all cases (see the OFBIZ-11306 description), I did not find a way to penetrate using this method.
>
> Moreover, I'm a developer, not a penetration tester. And, for misc. reasons, I find it quite painful to use those tools when it comes to CSRF, even if it's well explained in [3].
>
> I did not find an easy way to automatically test all URLs for CSRF vulnerabilities either. It seems to me that the most powerful tool is Qualys, but so far I have been unable to scan a localhost instance. I expect to work on that next week. If I can't get it working, it would be nice to have a domain where to put the changes and launch Qualys, and ZAP, which I have to test for the same also, against this domain.
>
> Another aspect I'd be interested in is regressions. I don't think there should be any, but if you can apply the patch, or use my fork branch (see OFBIZ-11425), and have a short tour, it would be good.
>
> [1] https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/
> [2] this is security jargon :), an idempotent URL is one that does not change the state of the application. It's a bit more than a safe URL: http://restcookbook.com/HTTP%20Methods/idempotency/
> [3] https://portswigger.net/support/using-burp-to-test-for-cross-site-request-forgery
>
> TIA
>
> Jacques
>
> On 29/02/2020 at 11:01, Pierre Smits wrote:
> > Thanks for the info, and the persistence to keep it in the attention span, Jacques.
> >
> > Kind regards,
> >
> > Pierre Smits
> > Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since 2008 (without privileges)
> >
> > Apache Trafodion <https://trafodion.apache.org>, Vice President
> > Apache Directory <https://directory.apache.org>, PMC Member
> > Apache Incubator <https://incubator.apache.org>, committer
> > Apache Steve <https://steve.apache.org>, committer
> >
> >
> > On Sat, Feb 29, 2020 at 10:28 AM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
> >
> >> For those interested, it's maybe easier to test to simply apply the last patches (framework + plugins) at OFBIZ-11306
> >>
> >> Also, if I see nothing happening, I'll do a reminder every week...
> >>
> >> Thanks
> >>
> >> Jacques
> >>
> >> On 27/02/2020 at 17:28, Jacques Le Roux wrote:
> >>> Forgot to say that w/ or w/o test I'll commit in 1 month...
> >>>
> >>> Jacques
> >>>
> >>> On 27/02/2020 at 15:08, Jacques Le Roux wrote:
> >>>> Hi,
> >>>>
> >>>> After working with James, who initiated the "POC for CSRF Token" effort, on https://issues.apache.org/jira/browse/OFBIZ-11306
> >>>> I have created OFBIZ-11425 to ask for all possible help to review and test.
> >>>> TIA
> >>>>
> >>>> Jacques
> >>>>
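The manual check Girish describes above (log in, then have a cross-site HTML form POST to a non-idempotent URL and expect the token check to reject it), modelled as an added example that is not part of the thread. This is not OFBiz code and not the OFBIZ-11306 patch: only the path '/EntitySQLProcessor', the rejection message and the idempotent/non-idempotent distinction come from the thread; the hidden-field name `csrfToken`, the cookie name `JSESSIONID`, the `sqlCommand` field in the forged form, the in-memory session store and every function and class name are assumptions made for the illustration.

```python
"""Added example (not OFBiz code): a model of the manual CSRF simulation
from the thread. The attacker's page is a constructed auto-submitting form
aimed at the non-idempotent URL /EntitySQLProcessor; the server side is a
synchronizer-token check that rejects any state-changing request whose body
does not carry the token bound to the victim's session.
Assumed (not from the thread): TOKEN_FIELD, SESSION_COOKIE, the sqlCommand
field, and every function/class name below."""
import hmac
import secrets
from dataclasses import dataclass, field
from html.parser import HTMLParser

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})  # idempotent: never checked
TOKEN_FIELD = "csrfToken"       # assumed name of the hidden form field
SESSION_COOKIE = "JSESSIONID"   # assumed session cookie name


@dataclass
class Session:
    # One random token per login session; the legitimate UI embeds it in its forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    cookies: dict   # attached by the browser automatically, even cross-site
    form: dict      # body fields chosen by whoever authored the form


def check_csrf(request, sessions):
    """Return None if the request may proceed, otherwise the rejection message."""
    if request.method.upper() in SAFE_METHODS:
        return None                       # idempotent URL, nothing to protect
    session = sessions.get(request.cookies.get(SESSION_COOKIE))
    if session is None:
        return "Not logged in"
    submitted = request.form.get(TOKEN_FIELD) or ""
    # Constant-time comparison; a missing field compares as an empty string and fails.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return f"Invalid or missing CSRF token to path '{request.path}'"
    return None


class _FormParser(HTMLParser):
    """Collect action, method and named <input> fields of the first <form> in a page."""
    def __init__(self):
        super().__init__()
        self.action, self.method, self.fields = None, "GET", {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "GET").upper()
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def browser_submit(page_html, victim_cookies):
    """What the victim's browser does when a page auto-submits its form:
    the form's fields become the body and the target site's cookies ride along."""
    p = _FormParser()
    p.feed(page_html)
    return Request(p.method, p.action, dict(victim_cookies), dict(p.fields))


# Constructed attacker page: a cross-site form that POSTs to the target path.
# It cannot contain the token because the attacker never sees the victim's session.
ATTACK_PAGE = """<html><body onload="document.forms[0].submit()">
<form action="/EntitySQLProcessor" method="POST">
  <input type="hidden" name="sqlCommand" value="SELECT 1">
</form></body></html>"""


def run_simulation():
    """Return (forged_result, legitimate_result, get_result)."""
    sessions = {}
    sid = secrets.token_hex(16)
    sessions[sid] = Session()
    victim_cookies = {SESSION_COOKIE: sid}

    # 1. Forged cross-site POST: cookie present, token absent -> rejected.
    forged = check_csrf(browser_submit(ATTACK_PAGE, victim_cookies), sessions)

    # 2. The site's own form, which embeds the session's token -> accepted.
    legit_page = ATTACK_PAGE.replace(
        "</form>",
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{sessions[sid].csrf_token}"></form>')
    legit = check_csrf(browser_submit(legit_page, victim_cookies), sessions)

    # 3. Idempotent GET to the same path: not subject to the check.
    get = check_csrf(Request("GET", "/EntitySQLProcessor", victim_cookies, {}), sessions)
    return forged, legit, get


if __name__ == "__main__":
    for label, result in zip(("forged POST", "legit POST", "GET"), run_simulation()):
        print(f"{label:11}: {result or 'allowed'}")
```

The point the simulation makes is that the forged request is indistinguishable from a legitimate one at the cookie level (the browser attaches the session cookie either way), so the only thing the server can rely on is a secret the attacker's page cannot read: the per-session token compared in constant time. Reading the expected token from a cookie instead of server-side session state would defeat the check, since the forged request carries cookies too. As in the thread, only non-idempotent methods are checked, which is why a scanner such as ZAP or Burp needs to exercise every state-changing URL rather than just GETs.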