csrf token needed to log in to get json


Carl Karsten

Jul 6, 2013, 12:59:45 PM7/6/13
to pinax-s...@googlegroups.com
Taavi and anyone who feels good about csrf foo,

If I use my browser and fingers to browse to
https://2013.pycon.ca/en/account/login/ and log in,
then browse to https://2013.pycon.ca/en/schedule/conference.json, I
get email addresses. Good.

Trying to write python code to do that is giving me a problem logging
in - guessing it is because the login form has a csrf token, and my
python code does not.

I want to do this right, but I am not sure what right is. I don't want
to relax security.
I know a little about csrf, but not enough to know if what I am
suggesting is relaxing security.

I have two thoughts:

1. my code needs to get the token, just like my browser did.
1a. I could write code to get the html, parse and find the token. yuck.
1b. you could give me an api that gives me a token that can be used to log in.
like if https://2013.pycon.ca/en/account/login/login.json gave me
{'csrfmiddlewaretoken':"abc", "login-email":"", "login-password": "",
"login-remember":false }
at run time I would have the token value,
and the rest of those would help at dev time to show what the names of
the keys are so I don't have to root around in the html.

2. disable csrf on the login form.
If I understand the point of csrf, it relies on a person being logged in.
I would want to see this accepted upstream to make sure the right
people agree it isn't making the site vulnerable.

--
Carl K

Taavi Burns

Jul 6, 2013, 5:38:09 PM7/6/13
to pinax-s...@googlegroups.com
2 might go. But honestly, the expectation is 1a, as far as I know.
Carl Karsten

Jul 6, 2013, 6:32:10 PM7/6/13
to pinax-s...@googlegroups.com
eww.

anyone up on if csrf token is needed for the login form?

Carl Karsten

Jul 8, 2013, 1:50:45 PM7/8/13
to pinax-s...@googlegroups.com
OK, talked to someone who seems to know what he is talking about, and
now I agree that scraping/parsing the login form html is the way to
go.

For those who care, here are some key excerpts from a very long and
bla bla IRC session with about 6 people:

#1 providing an elegant API -

The cookie thing that rhys mentioned is the real protection, not "it's
hard to parse html and get the token"

This is doable, but requires messing with the pinax login views, which
is work, and getting the change committed upstream may also be work.
Likely more work than me parsing html.


#2: dropping the csrf token from the login form = bad.

UserA = legitimate site user, has an account.
Attacker = baddie who also has an account, like you get by clicking
"sign up!". Nothing special needed.

UserA logs in, attacker tricks user into re-logging in using Attacker's
login/pw, now the user does stuff like "send a private message" that
can show up in the attacker's private message log.

Regardless of if anyone cares about this case, it proves there are
cases and so the login form does need the protection given by the
token.
--
Carl K

Carl Karsten

Jul 22, 2013, 12:42:47 AM7/22/13
to pinax-s...@googlegroups.com, ca...@personnelware.com
1. my code needs to get the token, just like my browser did.

1a. I could write code to get the html, parse and find the token. yuck.
1b. you could give me an api that gives me a token that can be used to log in.
like if https://2013.pycon.ca/en/account/login/login.json gave me
{'csrfmiddlewaretoken':"abc", "login-email":"", "login-password": "",
"login-remember":false }
at run time I would have the token value,
and the rest of those would help at dev time to show what the names of
the keys are so I don't have to root around in the html.
Turns out this already exists in django: Not only is the token in the html:

<input type='hidden' name='csrfmiddlewaretoken' value='aADcVxHn8YjyXhfGj2uVvniceAgxxOd7' />

it is also in the headers:

curl -v https://2013.pycon.ca/en/account/login/
< Set-Cookie: csrftoken=aADcVxHn8YjyXhfGj2uVvniceAgxxOd7; expires=Mon, 21-Jul-2014 04:35:19 GMT; Max-Age=31449600; Path=/

To get further off topic... The reason my code wasn't working was because I was not using the right form element names:

login_data = { 'username':auth['user'], ....
'username' was left over from last year. This year it is 'login-email'.

You can see a nice demo of this all working:

https://github.com/CarlFK/veyepar/blob/master/tests/auth/uc.py


--
Carl K
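Added example (not Carl's uc.py and not part of the thread): a small stdlib-only client that does what the thread settles on. It pulls csrfmiddlewaretoken out of the login form's hidden input, shows the same token can be read from the Set-Cookie header, and builds the POST body with the field names Carl found this year (login-email, login-password, login-remember). The HTML and cookie values below are constructed samples, and the base URL and the Referer handling in login_and_fetch_json are assumptions about what a Django login view on https wants; only the parsing helpers run offline.

```python
import re
from html.parser import HTMLParser
from http.cookiejar import CookieJar
from urllib.parse import urlencode
from urllib.request import HTTPCookieProcessor, Request, build_opener

# Constructed sample of a Django login page; the token value is made up.
SAMPLE_LOGIN_HTML = """
<form method="post" action="/en/account/login/">
<input type='hidden' name='csrfmiddlewaretoken' value='TOKENFROMHTML0000000000000000000' />
<input type="email" name="login-email" />
<input type="password" name="login-password" />
<input type="checkbox" name="login-remember" />
</form>
"""

# Constructed sample of the Set-Cookie header the same GET returns.
SAMPLE_SET_COOKIE = "csrftoken=TOKENFROMCOOKIE000000000000000000; Max-Age=31449600; Path=/"


class InputFieldParser(HTMLParser):
    """Collect name/value of every <input>; the csrf token is the hidden one."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        if attr.get("name"):
            self.fields[attr["name"]] = attr.get("value") or ""


def form_fields(html):
    """Return {input name: value} for the login form, so the key names need no guessing."""
    parser = InputFieldParser()
    parser.feed(html)
    return parser.fields


def csrf_token_from_html(html):
    return form_fields(html).get("csrfmiddlewaretoken")


def csrf_token_from_set_cookie(header_value):
    """Pull csrftoken out of a Set-Cookie header value like 'csrftoken=abc; Path=/'."""
    match = re.match(r"csrftoken=([^;]+)", header_value)
    return match.group(1) if match else None


def login_payload(html, email, password, remember=False):
    """Build the POST body: the form's own field names plus the token copied
    from the page. Django rejects the POST if this value does not match the
    csrftoken cookie, which is what stops a third-party site from logging
    a victim into an attacker's account (the cookie is unreadable to it)."""
    token = csrf_token_from_html(html)
    if not token:
        raise ValueError("no csrfmiddlewaretoken in login form")
    data = {
        "csrfmiddlewaretoken": token,
        "login-email": email,
        "login-password": password,
    }
    if remember:
        data["login-remember"] = "on"
    return data


def login_and_fetch_json(base_url, email, password):
    """Network flow (assumed URLs): GET the login page so the jar holds the
    csrftoken cookie, POST the credentials with the matching token, then
    GET the schedule json as the logged-in session."""
    jar = CookieJar()
    opener = build_opener(HTTPCookieProcessor(jar))
    login_url = base_url + "/en/account/login/"
    html = opener.open(login_url).read().decode()
    body = urlencode(login_payload(html, email, password)).encode()
    # Assumption: Django's csrf middleware also checks Referer on https POSTs.
    opener.open(Request(login_url, data=body, headers={"Referer": login_url}))
    return opener.open(base_url + "/en/schedule/conference.json").read().decode()


if __name__ == "__main__":
    print(form_fields(SAMPLE_LOGIN_HTML))
    print(csrf_token_from_set_cookie(SAMPLE_SET_COOKIE))
```

Note the two tokens differ in the samples only because they are made up; on a real page the hidden input and the cookie carry the same value, and either source is fine as long as the cookie jar is kept between the GET and the POST.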