[jira] [Comment Edited] (OFBIZ-11306) POC for CSRF Token

Mon, 09 Dec 2019 01:10:34 -0800 


    [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16991242#comment-16991242
 ] 

Samuel Trégouët edited comment on OFBIZ-11306 at 12/9/19 9:09 AM:
------------------------------------------------------------------

Hi James,

thanks for your quick reply

q1: I can't see any detail on owasp.org page for token length and algorithm... 
and reference to java.sun.com SecureRandom page is broken… But if we only need 
to generate a random token maybe java standard library is enough

q2: I was talking about Set not List. Moreover as you suggest a Map with no 
more than 50 entries I think time difference between map lookup and list lookup 
will be really small. So we should not consider performance but only the 
easiest structure to work with.

another question

q3: why do you not consider get request ? an attacker can build an html form 
with `method="get"`


was (Author: stregouet):
Hi James,

thanks for your quick reply

q1: I can't see any detail on owasp.org page for token length and algorithm... 
and reference to java.sun.com SecureRandom page is broken…

q2: I was talking about Set not List. Moreover as you suggest a Map with no 
more than 50 entries I time think difference between map lookup and list lookup 
will be really small.

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CRSF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to