[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17013673#comment-17013673
 ] 

James Yong commented on OFBIZ-11306:
------------------------------------

Hi Jacques,

Agreed with the article on Disclosure of Token in URL.

+*_Explanation for tokens in navigation_*+

In OFBiz, there are forms that use the same uri for getting the form and 
posting the changes. 
As it is possible for an attacker to submit form changes using GET method, the 
csrf token check cannot be bypassed based on the request method used. 
This is the reason why the token was invalidated each time it was used in a GET 
request.
However, to allow back forward browser actions to work, tokens aren't 
invalidated for GET request as a compromise between usability and security.
IMO, a safer approach would be to 
1) explicitly set the method='get' in requestmap for requests that don't 
change state;
2) Look into the 3 proposed general rules mentioned earlier; and
3) invalidate tokens used in GET request.

The general rules are as follows:
1) RequestMap configured with 'get' method will be exempted from CSRF token 
check.
2) RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check.
3) Request uris starting with "Lookup" or equal to "main" are also exempted from CSRF 
token check.
Setting csrf-token to false or true on the Request Map will override the 
general rules above.
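The decision logic described in the three general rules and the csrf-token override, written out as an added illustration (this is example code, not OFBiz's own CSRF Guard integration; the RequestMap class, field names and the session dictionary are assumptions chosen for the example). The point worth seeing in code is that the exemption is keyed on the method configured in the request map, not on the HTTP method the client actually used, so a state-changing uri left at 'all' is still checked when an attacker submits it via GET:

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RequestMap:
    """Hypothetical stand-in for an OFBiz requestmap entry (example only)."""
    uri: str
    method: str = "all"                 # 'get', 'post' or 'all', as configured in requestmap
    csrf_token: Optional[bool] = None   # explicit <security csrf-token="..."/>; None = use general rules


def csrf_check_required(rm: RequestMap) -> bool:
    """Apply the general rules from the comment above, with the explicit override first."""
    # Explicit csrf-token="true"/"false" on the request map overrides the general rules.
    if rm.csrf_token is not None:
        return rm.csrf_token
    # Rule 3: lookup popups and the "main" entry point are exempt.
    if rm.uri.startswith("Lookup") or rm.uri == "main":
        return False
    # Rule 1: a request map declared as 'get' is treated as non-state-changing and exempt.
    if rm.method == "get":
        return False
    # Rule 2: 'post' or 'all' is subject to the check. Note that the actual HTTP
    # method of the incoming request plays no part in this decision: an 'all'
    # request map reached with GET still requires a valid token.
    return True


def issue_token(session: dict) -> str:
    """Generate a fresh token and store it in the user session (constructed session = plain dict)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_request(rm: RequestMap, session: dict, submitted: Optional[str]) -> bool:
    """Return True if the request may proceed: either exempt, or carrying the session's token."""
    if not csrf_check_required(rm):
        return True
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so the check does not leak how many leading bytes matched.
    return secrets.compare_digest(expected, submitted)


if __name__ == "__main__":
    session: dict = {}
    token = issue_token(session)
    # State-changing form left at the default 'all' method: checked regardless of HTTP verb.
    print(verify_request(RequestMap("updateParty"), session, None))    # False
    print(verify_request(RequestMap("updateParty"), session, token))   # True
    # Lookup popup: exempt by rule 3, even via Ajax POST.
    print(verify_request(RequestMap("LookupPartyName", "post"), session, None))  # True
```

The override branch is what the comment's "setting csrf-token to false or true ... will override the general rules" refers to: a Lookup uri with csrf-token="true" is still checked, and a 'post' uri with csrf-token="false" is not, regardless of the three rules.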

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)