Hi Jacques

I tried to simulate the CSRF manually (and I plan to use Zap as well) and I
got this error -

Invalid or missing CSRF token to path '/EntitySQLProcessor'

I logged in to OFBiz and then used an HTML form to perform the attack, and
the patch successfully prevented it.

So it looks good to me. I will let you know how it goes with ZAP.

Best,
Girish

On Sat, Mar 7, 2020 at 3:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com>
wrote:

> Hi All,
>
> This is my 1st weekly reminder :)
>
> As you may know CSRF attacks are very bad. TL;DR: They are hard to provoke
> but once you are able to create one, mostly using social engineering, they
> can be "/devastating for both the business and user/".[1]
>
> OFBiz is currently riddled with CSRF vulnerabilities: all non-idempotent
> URLs[2] are susceptible to attack. James started an effort to fix them
> with OFBIZ-11306 and I joined him.
>
> Though, after almost 3 months of work, I'm pretty confident about our
> results, I have investigated how to validate our effort with 3 main
> penetration tools: Burp, OWASP ZAP and Qualys.
>
> I notably followed[3]. Since we have (normally) covered all cases (see
> OFBIZ-11306 description), I did not find a way to penetrate using this
> method.
>
> Moreover, I'm a developer, not a penetration tester. And, for misc.
> reasons, I find it quite painful to use those tools when it comes to CSRF,
> even if it's well explained in[3].
>
> Nor did I find an easy way to automatically test all URLs for CSRF
> vulnerabilities. It seems to me that the most powerful tool is Qualys, but
> so far I have been unable to scan a localhost instance. I expect to work on
> that next week. If I can't get it working, it would be nice to have a domain
> where to put the changes and launch Qualys, and ZAP, which I have to test
> for the same as well, against this domain.
>
> Another aspect I'd be interested in are regressions. I don't think there
> should be any, but if you can apply the patch, or use my fork branch (see
> OFBIZ-11425), and have a short tour it would be good.
>
> [1]
> https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/
> [2] this is security jargon :), an idempotent URL is one that does not
> change the state of the application. It's a bit more than a safe URL:
> http://restcookbook.com/HTTP%20Methods/idempotency/
> [3]
> https://portswigger.net/support/using-burp-to-test-for-cross-site-request-forgery
>
> TIA
>
> Jacques
>
> On 29/02/2020 at 11:01, Pierre Smits wrote:
> > Thanks for the info, and the persistence to keep it in the attention span,
> > Jacques.
> >
> > Kind regards,
> >
> > Pierre Smits
> > *Proud contributor of* Apache OFBiz<https://ofbiz.apache.org/> since
> > 2008 (without privileges)
> >
> > *Apache Trafodion<https://trafodion.apache.org>, Vice President*
> > *Apache Directory<https://directory.apache.org>, PMC Member*
> > Apache Incubator<https://incubator.apache.org>, committer
> > Apache Steve<https://steve.apache.org>, committer
> >
> >
> > On Sat, Feb 29, 2020 at 10:28 AM Jacques Le Roux <
> > jacques.le.r...@les7arts.com> wrote:
> >
> >> For those interested, it's maybe easier to test to simply apply the last
> >> patches (framework + plugins) at OFBIZ-11306
> >>
> >> Also if I see nothing happening, I'll do a reminder every week...
> >>
> >> Thanks
> >>
> >> Jacques
> >>
> >> On 27/02/2020 at 17:28, Jacques Le Roux wrote:
> >>> Forgot to say that w/ or w/o test I'll commit in 1 month...
> >>>
> >>> Jacques
> >>>
> >>> On 27/02/2020 at 15:08, Jacques Le Roux wrote:
> >>>> Hi,
> >>>>
> >>>> After working with James, who initiated the "POC for CSRF Token"
> >>>> effort, on https://issues.apache.org/jira/browse/OFBIZ-11306
> >>>> I have created OFBIZ-11425 to ask for all possible help to review and
> >>>> test.
> >>>> TIA
> >>>>
> >>>> Jacques
> >>>>
>
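A defender-side illustration of the synchronizer-token check the thread is testing, added here as example code (not OFBiz's own implementation): state-changing requests must carry the session's token, safe methods are exempt, and a missing or wrong token is rejected with a message in the shape Girish quoted. The `Request`/`Session` classes, the `csrfToken` field name and the sample path are assumptions.

```python
"""CSRF synchronizer-token check for non-idempotent requests (illustrative)."""
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Methods that must not change state; anything else is treated as
# non-idempotent and must present a valid token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Session:
    # One unguessable token per session, generated server-side (assumed store).
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    form: dict          # parsed body parameters (assumed shape)
    session: Session


class CsrfError(Exception):
    """Raised when a state-changing request lacks a valid token."""


def check_csrf(req: Request, token_field: str = "csrfToken") -> bool:
    """Return True if the request may proceed; raise CsrfError otherwise."""
    if req.method.upper() in SAFE_METHODS:
        return True  # idempotent/safe request: no token needed
    submitted = req.form.get(token_field)
    # Constant-time comparison so token bytes cannot be guessed via timing.
    if not submitted or not hmac.compare_digest(submitted, req.session.csrf_token):
        raise CsrfError(f"Invalid or missing CSRF token to path '{req.path}'")
    return True


def render_form(session: Session, action: str) -> str:
    """Embed the session token in a legitimate form so it is sent back on POST."""
    return (f'<form method="post" action="{html.escape(action)}">'
            f'<input type="hidden" name="csrfToken" '
            f'value="{html.escape(session.csrf_token)}"></form>')


def outcome_without_token(session: Session, path: str) -> str:
    """Constructed case: a form from another origin cannot read the token."""
    try:
        check_csrf(Request("POST", path, {}, session))
        return "allowed"
    except CsrfError as exc:
        return str(exc)
```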
