--
You received this message because you are subscribed to the Google Groups "GWTP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gwt-platform...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hi Clay,Thank you so much for your response! You said something interesting: CSRF protection doesn't rely on its own cookie. It's very possible we've got it setup wrong.Here's a screenshot of the cookies in our app:I should also mention we're using GWTP 0.7, but I've looked at the latest code and it looks the same as the version we're using. The cookie gets created with a value matching the session ID.Is there a way to not use this cookie and still get the CSRF protection? Or to change the value so it's not the JSESSIONID?Thanks again Clay.- Brad
Our implementation did not produce a separate cookie, so you may be implementing it differently. I couldn't really tell you how that's working, though having the same value (unless you're manually comparing before and after) is key, as that's what validates the session.But that's not the key area to look. You should look under the Request Headers tab, and see if there's a request header similar to "com.google.gwt.user.client.rpc.XsrfToken". That's the important part, as it is what an attacker cannot spoof.Also, keep in mind that your emails go to the whole group - so you may want to redact domains / identifying URL information when posting images, as it will be out there for the world to see
On Wed, Apr 30, 2014 at 8:47 AM, Brad Cupit <brad....@riptidesoftware.com> wrote:
Hi Clay,Thank you so much for your response! You said something interesting: CSRF protection doesn't rely on its own cookie. It's very possible we've got it setup wrong.Here's a screenshot of the cookies in our app:
I should also mention we're using GWTP 0.7, but I've looked at the latest code and it looks the same as the version we're using. The cookie gets created with a value matching the session ID.Is there a way to not use this cookie and still get the CSRF protection? Or to change the value so it's not the JSESSIONID?Thanks again Clay.- Brad
On Wednesday, April 30, 2014 8:34:25 AM UTC-4, Clay Harris wrote:That depends in part on your implementation, but CSRF does not rely on its own cookie, it adds a header to the request. Then the cookie and the header (which is hashed) are compared. Cookies alone could be spoofed, you're right, but that's why there's a header as well. http://www.gwtproject.org/articles/security_for_gwt_applications.html#xsrfSo based on that, I don't think it's a real concern. Watch your request headers using devtools, and see if they have an xsrf value to confirmOn Wed, Apr 30, 2014 at 8:26 AM, Brad Cupit <brad....@riptidesoftware.com> wrote:Hi,I have a minor security concern with GWTP's CSRF protection: the cookie has the same value as the JSESSIONID.In our GWTP app we'll mark our real JSESSIONID as both secure and HttpOnly. This way the it can't be sniffed, and XSS attacks won't be able to read it and hijack the session.
Then I noticed the GWTP CSRF cookie is not secure, not HttpOnly, and uses the same session ID. So an attacker could just read the GWTP cookie instead.From what I've seen GWT's CSRF protection uses a hash instead of the session ID (which sounds great!)Am I the first to come across this, or maybe I'm missing something obvious?Thanks in advance!--To unsubscribe from this group and stop receiving emails from it, send an email to gwt-platform...@googlegroups.com.
You received this message because you are subscribed to the Google Groups "GWTP" group.
Any updates on this?