[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008922#comment-17008922 ]

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

Hi James, (this was supposed to be sent before ;))

bq. Also note that the html metadata is storing the csrf token used by jQuery 
AJAX. This token will not change to another value after it is consumed. 
Thanks, this clarifies things for me. I have to review more about CSRFGuard 3. 
As you may know, I used an older version a few years ago, and things have 
changed much since, it seems. Notably I want to read 
https://www.owasp.org/index.php/CSRFGuard_3_Configuration#Ajax_and_XMLHttpRequest_Support.
 I'm not sure you follow their recommendations; please explain/comment if 
needed, thanks.

bq. Csrf tokens for GET and POST requests are unique for each link and not 
stored in the html metadata.
That's better (i.e. safer) as long as the back and forward browser buttons work.

bq. My question is whether it is correct to allow one web app to ajax call 
another web app?
Sorry, I need to review more before answering this question. It will take a bit 
of time...

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used in:
> 1) a widget form, where a hidden token field is auto-generated;
> 2) an FTL form, where a <@csrfTokenField> macro is used to generate the CSRF 
> token field;
> 3) an Ajax call, where a <@csrfTokenAjax> macro is used to assign the CSRF 
> token to the X-CSRF-Token request header.
> CSRF tokens are stored in the user session and verified during POST requests.
> A new attribute, csrf-token, is added to the security tag to exempt a request 
> from the CSRF token check.
> Certain request paths, like LookupPartyName, can be exempt from the CSRF token 
> check during Ajax POST calls.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)