[ https://issues.apache.org/jira/browse/HADOOP-12758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15130704#comment-15130704 ]
Chris Nauroth commented on HADOOP-12758:
----------------------------------------
To summarize the design document Larry attached to HADOOP-12691, this feature
is intended to provide protection against browser-based attack vectors. The
attack would originate with some form of social engineering, such as a phishing
email linking to a malicious web form or piggy-backing on a pre-existing XSS
vulnerability. These kinds of attacks specifically target the browser
interaction model and not scripts/programmatic access. I think it's acceptable
to provide a solution that maximizes backwards-compatibility for programmatic
access while still protecting browsers.
bq. For example, I can have a user-agent spoofing chrome extension and override
the XSRF setting by setting it to "curl" even if I were using a browser.
There would be no value in an attacker setting up an extension like this in
their own browser, because an XSRF attack targets the authenticated user.
While it's true that the user agent string could be spoofed, it provides no
value as an attack vector, because it doesn't provide a way to spoof
authentication. Taking the example of the NameNode web UI and WebHDFS, this
extension wouldn't give the attacker the capability to do anything that they
can't already do. They could simply authenticate, go to the file browser in
the NameNode web UI, and manipulate files directly. They can only harm files
if they already have access to them.
If the attacker finds a way to inject such a plugin into a different
authenticated user's browser as malware, then that would provide an attack
vector. However, at that point the battle is already lost. If the attacker
can inject malware, then they can pretty much run arbitrary code and defeat any
further protection mechanisms.
I am in favor of the approach in this patch.
> Extend CSRF Filter with UserAgent Checks
> ----------------------------------------
>
> Key: HADOOP-12758
> URL: https://issues.apache.org/jira/browse/HADOOP-12758
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 2.8.0
>
> Attachments: HADOOP-12758-001.patch, HADOOP-12758-002.patch
>
>
> To protect against CSRF attacks, HADOOP-12691 introduces a CSRF filter that
> will require a specific HTTP header to be sent with every REST API call. This
> will affect all API consumers from web apps to CLIs and curl.
> Since CSRF is primarily a browser-based attack, we can try to minimize the
> impact on non-browser clients.
> This enhancement will provide additional configuration for identifying
> non-browser user agents and skipping the enforcement of the header requirement
> for anything identified as a non-browser. This will largely limit the impact
> to browser-based PUT and POST calls when configured appropriately.
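The decision logic described in the issue and in the comment above, as an added example that is not the Hadoop project's own filter code. It is written in Python rather than the project's Java so it can be run as-is. The header name X-XSRF-HEADER, the set of read-only methods that are never checked, the browser User-Agent patterns, and the constructed request headers are all assumptions for illustration, not values taken from the page or the patch.

```python
"""Model of a REST CSRF filter with a User-Agent exemption for non-browser
clients. Added example, not Hadoop code; names and defaults are assumed."""
import re
from dataclasses import dataclass

# Assumed defaults: header name, read-only methods that are never checked,
# and regexes that identify a browser by its User-Agent string.
DEFAULT_HEADER = "X-XSRF-HEADER"
DEFAULT_METHODS_TO_IGNORE = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
DEFAULT_BROWSER_UA_PATTERNS = (r"^Mozilla.*", r"^Opera.*")


@dataclass(frozen=True)
class CsrfConfig:
    header_name: str = DEFAULT_HEADER
    methods_to_ignore: frozenset = DEFAULT_METHODS_TO_IGNORE
    browser_ua_patterns: tuple = DEFAULT_BROWSER_UA_PATTERNS


@dataclass
class Request:
    method: str
    headers: dict  # header name -> value; matched case-insensitively below


def is_browser(user_agent, patterns):
    """True if the User-Agent matches one of the browser patterns.

    A missing User-Agent is treated as a browser (a choice made by this
    example): real browsers always send one, so the only effect is that a
    non-browser client that omits it must send the header instead of being
    silently exempted.
    """
    if user_agent is None:
        return True
    return any(re.match(p, user_agent) for p in patterns)


def csrf_check(req, cfg=CsrfConfig()):
    """Decide whether a request passes the filter. Returns (allowed, reason)."""
    if req.method.upper() in cfg.methods_to_ignore:
        return True, "read-only method, not checked"
    headers = {k.lower(): v for k, v in req.headers.items()}
    if not is_browser(headers.get("user-agent"), cfg.browser_ua_patterns):
        return True, "non-browser user agent, header requirement skipped"
    if cfg.header_name.lower() in headers:
        return True, "browser sent the custom header"
    return False, "browser request without %s" % cfg.header_name


# Constructed requests standing for the cases discussed in the thread.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/48.0"


def forged_cross_site_post(ua=BROWSER_UA):
    """A POST auto-submitted by a malicious page inside the victim's browser.

    A cross-site form submission carries the browser's own User-Agent and the
    victim's cookies, but page content cannot attach arbitrary headers to it,
    so the custom header is absent. The `ua` parameter lets the test show the
    spoofed-User-Agent case from the comment.
    """
    return Request("POST", {
        "User-Agent": ua,
        "Cookie": "hadoop.auth=<victim session>",  # constructed placeholder
        "Content-Type": "application/x-www-form-urlencoded",
    })


def web_ui_post(ua=BROWSER_UA):
    """The web UI's own JavaScript adds the header it was configured with."""
    return Request("POST", {"User-Agent": ua, "X-XSRF-HEADER": "true"})


def curl_put():
    """A curl or script client without the header; exempted by User-Agent."""
    return Request("PUT", {"User-Agent": "curl/7.47.0"})


if __name__ == "__main__":
    cases = [("forged cross-site POST", forged_cross_site_post()),
             ("web UI POST", web_ui_post()),
             ("curl PUT", curl_put()),
             ("browser GET", Request("GET", {"User-Agent": BROWSER_UA}))]
    for name, req in cases:
        allowed, why = csrf_check(req)
        print("%-24s %s (%s)" % (name, "allowed" if allowed else "REJECTED", why))
```

Two things worth checking with this model. First, the forged POST is rejected only because a simple cross-site form submission cannot add a custom header; if a page script tries to set either that header or the User-Agent on an XHR or fetch request, the request is no longer a simple one and is subject to a CORS preflight, which a server that does not answer preflights for that origin will not pass. Second, an attacker who spoofs the User-Agent in their own browser does get `csrf_check(forged_cross_site_post(ua="curl/7.47.0"))` allowed, but that request carries only the attacker's own session, which is the point the comment above makes: the exemption weakens nothing unless the attacker already controls the victim's browser.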