[ 
https://issues.apache.org/jira/browse/SLING-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17407656#comment-17407656
 ] 

Cris Rockwell commented on SLING-3469:
--------------------------------------

I have a few questions about this...

* The OWASP CSRF Cheatsheet (linked below) mentions a process of checking the 
'Origin' header and comparing to the 'Referrer' header. Sling's Referrer Filter 
compares the host name (obtained by parsing the referrer header) to 
`request.getServerName()`. It seems equivalent, but is it? Any advantage either 
way?
* Does the JEE Reference CSRFValidationFilter (linked below) demonstrate any 
mitigation techniques that Sling should consider adopting?
* Sling's ReferrerFilter has this code in the isValidRequest method. It seems 
odd and my internet searches did not return an obvious answer about why this is 
done. Ideas?

{code:java}
        // check for air referrer - which is always allowed
        if ( referrer.startsWith("app:/") ) {
            return true;
        }
{code}


[Sling 
ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java]
[Cross-Site Request Forgery Prevention Cheat 
Sheet|https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#java-reference-example]
[JEE Reference 
CSRFValidationFilter|https://github.com/righettod/poc-csrf/blob/master/src/main/java/eu/righettod/poccsrf/filter/CSRFValidationFilter.java]
 


> Provide out of the box CSRF protection
> --------------------------------------
>
>                 Key: SLING-3469
>                 URL: https://issues.apache.org/jira/browse/SLING-3469
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Raviteja Lokineni
>            Priority: Critical
>
> One such vulnerability can be found on the default login form for 
> FormBasedAuthenticationHandler.
> Grails framework has implemented this protection using custom tag library and 
> filters. Ref: http://grails.org/doc/2.2.1/ref/Tags/form.html



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
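The following is an added illustration of the check the comment above compares, written in Python rather than Java so it runs stand-alone; it is not Sling's ReferrerFilter, not the OWASP reference filter, and not code from this issue. It implements the source-origin versus target-origin comparison the OWASP cheat sheet describes (prefer Origin, fall back to Referer) and adds a `host_only` switch that compares only the host name, the way the quoted Sling snippet is described as doing, so that the difference between the two approaches is visible on constructed requests. The set of "safe" methods, the rejection of requests with neither header, and the treatment of a hostless referrer such as `app:/...` (rejected here, whereas the quoted snippet allows it) are choices of this example, not facts about Sling.

```python
"""Source-origin vs target-origin CSRF check.

Added example; not Sling code and not the OWASP reference filter.
"""
from urllib.parse import urlsplit

# Assumption of this example: methods treated as read-only and left unchecked.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_of(url):
    """Return (scheme, host, port) for a URL, filling in default ports.

    Returns None when the URL has no usable host, e.g. 'app:/main.swf'
    (no '//' authority part), the literal 'null', or a malformed port.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname.lower(), port)


def source_origin(headers):
    """Pick the source origin as the OWASP cheat sheet suggests:
    Origin if present and not 'null', otherwise Referer, else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin and origin.strip().lower() != "null":
        return _origin_of(origin.strip())
    referer = lowered.get("referer")
    if referer:
        return _origin_of(referer.strip())
    return None


def target_origin(scheme, server_name, server_port):
    """Origin of the request as seen by the server (constructed from the
    values a servlet would get from getScheme/getServerName/getServerPort)."""
    return (scheme.lower(), server_name.lower(), int(server_port))


def is_valid_request(method, headers, scheme, server_name, server_port,
                     host_only=False):
    """Return True when the request may proceed.

    host_only=True compares only the host name (the comparison the quoted
    Sling snippet is described as making); host_only=False compares the
    full origin tuple (scheme, host, port).
    """
    if method.upper() in SAFE_METHODS:
        return True
    src = source_origin(headers)
    if src is None:
        # Neither Origin nor a usable Referer: reject (example policy).
        return False
    tgt = target_origin(scheme, server_name, server_port)
    if host_only:
        return src[1] == tgt[1]
    return src == tgt


def run_examples():
    """Constructed requests against a target of https://example.com:443."""
    cases = {
        "same_origin": ("POST", {"Origin": "https://example.com"}),
        "cross_site": ("POST", {"Origin": "https://evil.example.net"}),
        "other_port": ("POST", {"Referer": "https://example.com:8443/form"}),
        "air_referrer": ("POST", {"Referer": "app:/main.swf"}),
        "null_origin": ("POST", {"Origin": "null"}),
        "safe_get": ("GET", {}),
    }
    return {
        name: (is_valid_request(m, h, "https", "example.com", 443),
               is_valid_request(m, h, "https", "example.com", 443, host_only=True))
        for name, (m, h) in cases.items()
    }


if __name__ == "__main__":
    for name, (full, host) in run_examples().items():
        print(f"{name:13s} full-origin={full!s:5s} host-only={host}")
```

The `other_port` case is the one where the two checks disagree: a referrer on the same host but a different port passes a host-only comparison and fails a full-origin comparison, which is the practical difference between comparing against `getServerName()` alone and comparing scheme, host and port.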
