CSRF filter and no link sharing

Geoffrey Dudragne

May 8, 2015, 5:39:47 PM5/8/15
to thre...@googlegroups.com
Hi everybody,

Sometimes I find the user experience deteriorated by the CSRF filter in its current state. It especially prevents sharing a link to a specific vulnerability page or accessing that page directly, which would be convenient for obvious reasons.

When I take a look at the OWASP entry, it specifies: "CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request."
So I don't understand why ThreadFix is currently checking for the nonce on all the non-state-changing GET requests (other than a few root and resource URLs). Is there another reason why you are currently doing it this way?

Thanks.

Geoffrey

Dan Cornell

May 8, 2015, 5:45:53 PM5/8/15
to thre...@googlegroups.com, geoffrey...@gmail.com
There is a pretty extensive list of URLs and URL patterns that explicitly do not require the CSRF nonce check, but we have to specifically call them out in the CSRF filter configuration. It is likely that we may have missed some.

You can see the configuration in the web.xml here:

Are there particular URLs/functions you have had problems with?

Thanks,

Dan

Geoffrey Dudragne

May 8, 2015, 6:05:41 PM5/8/15
to thre...@googlegroups.com, geoffrey...@gmail.com
Hi Dan,

That's my point: most of the URLs (including many non-state-changing GET requests) are flagged "protected-regex", and so require a nonce to be accessed.
For example, if I want to access the page of a specific vulnerability directly or share it with someone: "/threadfix/organizations/1/applications/2/vulnerabilities/1266". This will be filtered by the CSRF protection, even though it is not a target for CSRF.

Geoffrey
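The distinction the thread turns on, as an added illustration that is not ThreadFix's filter (the thread does not reproduce its web.xml patterns): a small Python model of a nonce-checking filter that exempts safe methods and an explicit allowlist, plus a `legacy_mode` flag reproducing the "nonce on every non-allowlisted path, GET included" behaviour Geoffrey describes. Pattern list, class names and the `nonce` field are assumptions.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Methods that must be side-effect-free per RFC 7231; the filter relies on that.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Assumed allowlist in the spirit of the "root and resources" exemptions mentioned
# in the thread; the real web.xml patterns are not reproduced here.
UNPROTECTED = [re.compile(p) for p in (
    r"^/threadfix/?$",
    r"^/threadfix/resources/.*$",
    r"^/threadfix/login.*$",
)]


@dataclass
class Session:
    # Per-session secret compared against the nonce sent with the request.
    nonce: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    nonce: Optional[str] = None  # nonce from a form field or header, if any


def csrf_allowed(req: Request, session: Session, legacy_mode: bool = False) -> bool:
    """Decide whether the request may proceed.

    legacy_mode=False: allowlisted paths and safe methods pass without a nonce;
    everything else needs a nonce matching the session (constant-time compare).
    legacy_mode=True: only allowlisted paths are exempt, so a plain GET to a
    vulnerability page (a shared link) is rejected.  Caveat: the safe-method
    exemption is only sound if no GET handler actually changes state.
    """
    if any(p.match(req.path) for p in UNPROTECTED):
        return True
    if not legacy_mode and req.method.upper() in SAFE_METHODS:
        return True
    if req.nonce is None:
        return False
    return hmac.compare_digest(req.nonce, session.nonce)
```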