Hi Team,

Identified that *"issue 1"* occurred because TryIt does not load the
"csrfPrevention.js" JavaScript, which is responsible for injecting CSRF
token values into requests. This is because the TryIt application does not
have the usual carbon template applied.

[1] should fix the issue. I have verified this by modifying the HTML content
using BurpSuite. However, I was unable to test the same with DSS because I
cannot find "org.wso2.carbon.wsdl2form-4.5.3.jar" in any of the
library/plugins folders, even though it is available in the
"./repository/components/default/configuration/org.eclipse.osgi/bundles/"
folder after server start. I didn't create the PR since I could not test
it locally. Any advice on this?

Also, do we have any other applications such as "TryIt" that do not have
the usual carbon template applied, but use resources available within the
"/carbon" context (e.g. /carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp)?

[1] https://github.com/wso2/carbon-commons/compare/4.4.x...ayomawdb:4.4.x

Regards,
Ayoma.

On Tue, Jun 21, 2016 at 5:38 PM, Manuri Amaya Perera <manu...@wso2.com>
wrote:

> Hi,
>
> I have added the content type in tryit.xslt and sent a PR [1]. This resolved
> issue 2.
>
>
> [1] https://wso2.org/jira/browse/CCOMMONS-16
>
> On Tue, Jun 21, 2016 at 4:01 PM, Manuri Amaya Perera <manu...@wso2.com>
> wrote:
>
>> Hi Ayoma,
>>
>> I think setting the content-type can be done in [1].
>>
>> But this issue should occur for other products as well right?
>>
>> [1]
>> https://github.com/wso2/carbon-commons/blob/master/components/wsdl2form/org.wso2.carbon.wsdl2form/src/main/java/org/wso2/carbon/wsdl2form/WSDL2FormRequestProcessor.java
>>
>> Thanks,
>> Manuri
>>
>> On Tue, Jun 21, 2016 at 3:55 PM, Ayoma Wijethunga <ay...@wso2.com> wrote:
>>
>>> Hi Team,
>>>
>>> As Manuri mentioned, "issue 2" occurs because we are serving a
>>> JavaScript as the response for service call [1] with the content-type
>>> "text/html". This should be corrected to "application/javascript".
>>>
>>> Is there any possibility for us to send the "content-type" header in the
>>> response based on the extension of the resource being loaded? This is the
>>> correct way forward.
>>>
>>> The issue is related to the "X-Content-Type-Options: nosniff" header that
>>> the Tomcat filter sets to prevent "MIME sniffing" attacks. Also, this is
>>> separate from CSRFGuard.
>>>
>>> [1]
>>> http://10.100.7.67:9783/services/echo?wsdl2form&resource=editarea/edit_area_full.js
>>> [2] http://www.slideshare.net/RonanDunne1/mime-sniffing-17014318
>>>
>>> Regards,
>>> Ayoma.
>>>
>>> On Tue, Jun 21, 2016 at 3:41 PM, Manuri Amaya Perera <manu...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Tue, Jun 21, 2016 at 3:26 PM, KasunG Gajasinghe <kas...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, Jun 21, 2016 at 2:37 PM, Manuri Amaya Perera <manu...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Please find the comments inline.
>>>>>>
>>>>>> On Tue, Jun 21, 2016 at 9:48 AM, Anupama Pathirage <anup...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> When we build the product DSS [1] with the latest Kernel Release
>>>>>>> (4.4.6), we have observed the following issues in the "Try it" page.
>>>>>>> Appreciate any clue on this to get them resolved.
>>>>>>>
>>>>>>> *1)* In HTTPS mode, Try it requests give the following error on send
>>>>>>> [2][3].
>>>>>>>
>>>>>>> WARN {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site
>>>>>>> request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118,
>>>>>>> method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp,
>>>>>>> error:required token is missing from the request)
>>>>>>>
>>>>>>> Private proxy protocol will be attempted as cross-domain browser
>>>>>>> restrictions might be enforced for this endpoint.
>>>>>>>
>>>>>>> <TryitClient xmlns="http://tryit.carbon.wso2.org">
>>>>>>>    <Reason>Error connecting to the Tryit ajax proxy</Reason>
>>>>>>> </TryitClient>
>>>>>>>
>>>>>>> *2)* The Try it page does not load properly in Chrome. It loads
>>>>>>> correctly in Firefox. It gives the following error on Chrome [4].
>>>>>>>
>>>>>>> Refused to execute script from
>>>>>>> 'https://localhost:9443/services/echo?wsdl2form&resource=editarea/edit_area_full.js'
>>>>>>> because its MIME type ('text/html') is not executable, and strict MIME
>>>>>>> type checking is enabled.
>>>>>>> Uncaught ReferenceError: editAreaLoader is not defined.
>>>>>>>
>>>>>>
>>>>>> When downgrading DSS's kernel version to 4.4.5 this issue doesn't
>>>>>> occur. When comparing the response to the request
>>>>>> http://10.100.7.67:9783/services/echo?wsdl2form&resource=editarea/edit_area_full.js
>>>>>> in DSS with kernel 4.4.5 and kernel 4.4.6, it seems some additional
>>>>>> headers are present in the latter. They were:
>>>>>>
>>>>>>    1. X-Content-Type-Options: nosniff
>>>>>>    2. X-Frame-Options: DENY
>>>>>>    3. X-XSS-Protection: 1; mode=block
>>>>>>
>>>>>> Here the X-Content-Type-Options header is to make sure the browser
>>>>>> does not try to detect a different Content-Type than what is actually
>>>>>> sent [1].
>>>>>>
>>>>>
>>>>> What is the Content-Type (or rather Accept) header sent by the browser?
>>>>>
>>>> The Accept header is */*
>>>>
>>>>
>>>>>
>>>>>
>>>>>> Here the content type of the response is text/html.
>>>>>> Therefore this error occurs for the edit_area_full.js file. And it seems
>>>>>> Firefox (at least the version we tested with) does not support this
>>>>>> header but Chrome does [2], which should be the reason why we don't get
>>>>>> this error in Firefox.
>>>>>>
>>>>>> Anyway we built with kernel 4.4.6 and checked this in BPS and it
>>>>>> seems those additional headers are not present in the response.
>>>>>>
>>>>>
>>>>> If the configurations and the tryit version are the same, then both
>>>>> these products should behave in a similar manner.
>>>>>
>>>> Try it versions are equal. And the two Owasp.CsrfGuard.Carbon.properties
>>>> files are identical.
>>>>
>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>> [1] https://github.com/wso2/product-dss/
>>>>>>> [2] https://drive.google.com/open?id=0B16LG8jdYeP8ZEpyV1F5cmRsTDA
>>>>>>> [3] https://drive.google.com/open?id=0B16LG8jdYeP8LWF2elVTbzFQOWs
>>>>>>> [4] https://drive.google.com/open?id=0B16LG8jdYeP8VmtlWXEtdmRJUjQ
>>>>>>>
>>>>>>> Regards,
>>>>>>> --
>>>>>>> Anupama Pathirage
>>>>>>> Associate Technical Lead
>>>>>>> WSO2, Inc.  http://wso2.com/
>>>>>>> Email: anup...@wso2.com
>>>>>>> Mobile:+94 71 8273 979
>>>>>>>
>>>>>>
>>>>>> [1] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
>>>>>> [2] http://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff
>>>>>>
>>>>>> Thanks,
>>>>>> Manuri
>>>>>>
>>>>>> --
>>>>>>
>>>>>> *Manuri Amaya Perera*
>>>>>>
>>>>>> *Software Engineer*
>>>>>>
>>>>>> *WSO2 Inc.*
>>>>>>
>>>>>> *Blog: http://manuriamayaperera.blogspot.com
>>>>>> <http://manuriamayaperera.blogspot.com>*
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> *Kasun Gajasinghe*
>>>>> Associate Technical Lead, WSO2 Inc.
>>>>> email: kasung AT spamfree wso2.com
>>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>>> blog: http://kasunbg.org
>>>>>



-- 
Ayoma Wijethunga
Software Engineer
Platform Security Team
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware

Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
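An added example (not code from this thread or from carbon-commons) that models the two halves of "issue 2" discussed above: choosing the response Content-Type from the resource's file extension, as proposed for WSDL2FormRequestProcessor, and checking whether a script response would be refused under the strict MIME checking that X-Content-Type-Options: nosniff turns on. The function names and the extension table beyond .js are assumptions; the sample headers are constructed from the kernel 4.4.6 response described in the thread.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Extension -> Content-Type for resources served via "?wsdl2form&resource=".
# Only .js is named in the thread; the other entries are assumed for illustration.
CONTENT_TYPES = {
    ".js": "application/javascript",
    ".css": "text/css",
    ".html": "text/html",
    ".png": "image/png",
    ".gif": "image/gif",
}
DEFAULT_TYPE = "application/octet-stream"

# MIME types a browser accepts for <script> when strict MIME checking is on.
JS_MIME_TYPES = {
    "application/javascript", "application/x-javascript",
    "application/ecmascript", "text/javascript", "text/ecmascript",
}


def resource_from_url(url):
    """Return the 'resource' query parameter of a wsdl2form URL, or None."""
    values = parse_qs(urlsplit(url).query).get("resource")
    return values[0] if values else None


def content_type_for(resource):
    """Pick the response Content-Type from the resource's file extension."""
    ext = posixpath.splitext(resource)[1].lower()
    return CONTENT_TYPES.get(ext, DEFAULT_TYPE)


def script_would_be_refused(headers):
    """True when a browser with strict MIME checking would refuse to execute
    this response as a script: nosniff is set and the Content-Type (without
    parameters such as charset) is not a JavaScript type."""
    h = {k.lower(): v for k, v in headers.items()}
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    mime = h.get("content-type", "").split(";", 1)[0].strip().lower()
    return nosniff and mime not in JS_MIME_TYPES


def fixed_headers(url, headers):
    """Return a copy of the headers with Content-Type derived from the
    resource extension, i.e. the change proposed for the request processor."""
    fixed = dict(headers)
    resource = resource_from_url(url)
    if resource is not None:
        fixed["Content-Type"] = content_type_for(resource)
    return fixed
```

With nosniff set, the text/html response is refused while the same response with the extension-derived type is accepted; without nosniff (kernel 4.4.5 behaviour) the browser sniffs and runs the script either way, which is why the problem only surfaced with the new headers.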
