Re: [TEST] Test "POC for CSRF Token"

2020-04-05 Thread Jacques Le Roux
Hi, We actually had 2 problems to solve: 1. 8 tests don't pass on trunk. 2. Backport: the merge "worked" but we are (at least) missing in RequestHandler.java the not yet backported WIP on REST, with notably these missing methods: * RequestHandler::resolveURI (OFBIZ-10438) *

Re: [TEST] Test "POC for CSRF Token"

2020-04-04 Thread Jacques Le Roux
Hi James, The backports in R18 and R17 went well, but for RequestHandler.java we will need to do the merge by hand. I'll begin and let you know later... Jacques On 04/04/2020 at 19:19, Jacques Le Roux wrote: Hi James, All, Done, the CSRF defense is in trunk and I'll backport it ASAP (it

Re: [TEST] Test "POC for CSRF Token"

2020-04-04 Thread Jacques Le Roux
Hi James, All, Done, the CSRF defense is in trunk and I'll backport it ASAP (it has a CVE). But I need to check that all is OK before. There are more things to do anyway... Jacques On 04/04/2020 at 17:48, James Yong wrote: Hi Jacques, I can look at the JWT enhancement later. +1 for commit.

Re: [TEST] Test "POC for CSRF Token"

2020-04-04 Thread James Yong
Hi Jacques, I can look at the JWT enhancement later. +1 for commit. Regards, James On 2020/04/04 13:10:18, Jacques Le Roux wrote: > Hi James, > > 1. I like the idea. Maybe we could create the class but leave the > implementation (with explanations) to those who really need it? > 2. I did not

Re: [TEST] Test "POC for CSRF Token"

2020-04-04 Thread Jacques Le Roux
Hi James, 1. I like the idea. Maybe we could create the class but leave the implementation (with explanations) to those who really need it? 2. I did not mean there was a correlation between the csrf-token check and the auth check. My main idea is to avoid hardcoded things like     if

Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread James Yong
Hi Jacques, For 1, it seems like an ICsrfDefenseStrategy class implementation issue. We can use another Jira for the enhancement / discussion when this JIRA (OFBIZ-11306) is completed. For 2, the csrf-token check is independent of the auth check, and the current implementation should work as it is. So

Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Jacques Le Roux
Hi Girish, Thanks for asking! I have read in several up-to-date places that it's better to have both. Notably when you use the lax option, which I have left to users' choice, because this might be needed in some cases. So the CSRF token defense offers a second fence. OWASP clearly explains

Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Girish Vasmatkar
Hi Jacques, I second your points. However, I have the following question: since you have explored and followed OWASP very extensively, do you think that with the introduction of the same-site attribute, the whole concept of a CSRF token becomes somewhat redundant, provided almost every browser has the

Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Jacques Le Roux
Hi, Of course, I have my own opinion. Here are my answers to these questions. 1. By default in OFBiz the session timeout is 1 hour. After that, OFBiz generates a new CSRF token before you sign in. I think for OFBiz applications it's enough security. Of course we could have more fancy

Re: [TEST] Test "POC for CSRF Token"

2020-03-27 Thread Jacques Le Roux
Hi All, Before I create a PR as a last opportunity to allow reviews and tests, I'd like to ask 2 last questions: 1. should we not use a JWT rather than a (pseudo) random value for the CSRF token, this for timeout reasons? Don't get me wrong, I'm sure that the random values generated by

Re: [TEST] Test "POC for CSRF Token"

2020-03-26 Thread James Yong
+1 with CSRF defense enabled in Demo > Hi, > > I thought about that a bit more. I suggest to leave the stable version (soon, > R17) as is, i.e. with CSRF defense enabled. This way users, mostly > interested in stable, would see the real situation. > > And to use the NoCsrfDefenseStrategy in

Re: [TEST] Test "POC for CSRF Token"

2020-03-23 Thread Jacques Le Roux
On 20/03/2020 at 08:44, Jacques Le Roux wrote: If we do so, I have a question. With NoCsrfDefenseStrategy we have the possibility to bypass the CSRF defense. It's convenient for development, because otherwise, in this mode, the CSRF defense is quite intrusive. * I propose to use it also in demo

Re: [TEST] Test "POC for CSRF Token"

2020-03-20 Thread Jacques Le Roux
Michael, OK, I can wait 5 days more :) So it will be more for the next weekend. Jacques On 20/03/2020 at 09:44, Michael Brohl wrote: Jacques, you announced a month, please stay with that or even think about expanding the test period. This is not a trivial case and with the current global

Re: [TEST] Test "POC for CSRF Token"

2020-03-20 Thread Michael Brohl
Jacques, you announced a month, please stay with that or even think about expanding the test period. This is not a trivial case and with the current global situation, a lot of people will have more urgent problems to solve at the moment. Thanks, Michael On 20.03.20 at 08:44,

Re: [TEST] Test "POC for CSRF Token"

2020-03-20 Thread Jacques Le Roux
Hi, I initially said I'd wait a month; it will be 24 days next Monday and I don't expect much more activity now. So, if nobody disagrees, this weekend I'll commit both the CSRF defense and another pending vulnerability fix. This will allow releasing 17.12.02 with our 1+ year backlog of

Re: [TEST] Test "POC for CSRF Token"

2020-03-15 Thread Jacques Le Roux
Hi All, If you are interested in testing, manually or with the tool of your choice, you can do so at https://168.63.29.103:8443/webtools. This is thanks to Ross Gardler and Microsoft for providing an Azure Ubuntu 18.04.4 LTS VM where I installed OFBiz trunk patched for CSRF. Please break it :)

Re: [TEST] Test "POC for CSRF Token"

2020-03-09 Thread Jacques Le Roux
Hi Girish, I just had a look with Zap. As a note: Zap reports missing CSRF tokens in forms when they are actually present in the URL. This is explained by point 3 of the OFBIZ-11306 description (Freemarker handling). Jacques On 09/03/2020 at 10:57, Girish Vasmatkar wrote: Hi Jacques, I

Re: [TEST] Test "POC for CSRF Token"

2020-03-09 Thread Girish Vasmatkar
Hi Jacques, I tried to simulate the CSRF manually (and I plan to use Zap as well) and I got this error: Invalid or missing CSRF token to path '/EntitySQLProcessor'. I logged in to OFBiz and then used an HTML form to perform the attack, and the patch successfully prevented it. So it looks good to

Re: [TEST] Test "POC for CSRF Token"

2020-03-07 Thread Jacques Le Roux
Hi All, This is my 1st weekly reminder :) As you may know, CSRF attacks are very bad. TL;DR: They are hard to provoke but once you are able to create one, mostly using social engineering, they can be "devastating for both the business and user".[1] OFBiz is currently riddled with CSRF

Re: [TEST] Test "POC for CSRF Token"

2020-02-29 Thread Pierre Smits
Thanks for the info, and the persistence to keep it in the attention span, Jacques. Kind regards, Pierre Smits Proud contributor of Apache OFBiz since 2008 (without privileges) Apache Trafodion, Vice President Apache

Re: [TEST] Test "POC for CSRF Token"

2020-02-29 Thread Jacques Le Roux
For those interested, it's maybe easier, to test, to simply apply the last patches (framework + plugins) at OFBIZ-11306. Also, if I see nothing happening, I'll send a reminder every week... Thanks Jacques On 27/02/2020 at 17:28, Jacques Le Roux wrote: Forgot to say that w/ or w/o test I'll

Re: [TEST] Test "POC for CSRF Token"

2020-02-27 Thread Jacques Le Roux
Forgot to say that w/ or w/o test I'll commit in 1 month... Jacques On 27/02/2020 at 15:08, Jacques Le Roux wrote: Hi, After working with James, who initiated the "POC for CSRF Token" effort, on https://issues.apache.org/jira/browse/OFBIZ-11306 I have created OFBIZ-11425 to ask for all

[TEST] Test "POC for CSRF Token"

2020-02-27 Thread Jacques Le Roux
Hi, After working with James, who initiated the "POC for CSRF Token" effort, on https://issues.apache.org/jira/browse/OFBIZ-11306 I have created OFBIZ-11425 to ask for all possible help to review and test. TIA Jacques