Hi
I found an older ticket SLING-3469 [1] requesting CSRF protection.
Most examples of CSRF frameworks that I’ve seen go beyond checking the referrer
header. These frameworks offer either stateful or stateless solutions. I guess
stateless would be the more preferred option; if so, the OWASP guideline
suggests a 'Double Submit Cookie' approach [2].
To implement that in Sling, I’m proposing a new CSRF Filter with a
sling.filter.scope=REQUEST such that it runs after the resource is resolved.
The filter checks whether the resource is under a CSRF enabled parent, and if
so it does a process similar to what is shown on lines 104 through 142 [3].
Setting a header and token for all requests, and rejecting requests having the
protected configured methods (i.e. POST) where the header value does not match
the cookie value. It’s also possible to allow certain user agents (such as
curl) as this is intended to provide protection from browser-based attacks.
There may be a separate issue regarding the SlingReferrerFilter. It has an
exception that always allows referrer.startsWith("app:/"). It allows any AIR
apps to bypass the filter. As there’s already a way to add 'Allowed regexp
referrers' allowedRegexReferrers the hardcoded "app:/" exception could be
removed. If that seems fine, I’ll post a new ticket and PR.
Let me know what you think about either of these ideas.
Thanks
Cris R
[1] https://issues.apache.org/jira/browse/SLING-3469
[2] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
[3] https://github.com/righettod/poc-csrf/blob/master/src/main/java/eu/righettod/poccsrf/filter/CSRFValidationFilter.java
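A sketch of the double-submit-cookie filter proposed above, added here as an illustration and not code from Sling or from the referenced ticket or PoC; the protected root path, header and cookie names and the curl exemption are assumed configuration values:

```java
import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.sling.api.SlingHttpServletRequest;

// Hypothetical filter, registered with sling.filter.scope=REQUEST so the resource is
// already resolved. Root path, header/cookie names and the UA exemption are assumed.
public class DoubleSubmitCsrfFilter implements Filter {
    static final String COOKIE = "CSRF-TOKEN", HEADER = "X-CSRF-TOKEN";
    static final String PROTECTED_ROOT = "/content/secure";
    static final Set<String> PROTECTED_METHODS = Set.of("POST", "PUT", "DELETE", "PATCH");
    static final String EXEMPT_UA_PREFIX = "curl/"; // non-browser client: no CSRF exposure
    private final SecureRandom rng = new SecureRandom();

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getResource().getPath();
        if (!path.equals(PROTECTED_ROOT) && !path.startsWith(PROTECTED_ROOT + "/")) {
            chain.doFilter(req, res); return; // not under a CSRF-enabled parent
        }
        // Every request gets a token: issue the cookie once, echo it as a response header.
        String cookieToken = readCookie(request);
        if (cookieToken == null) {
            byte[] b = new byte[32]; rng.nextBytes(b); // 256 random bits
            cookieToken = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
            Cookie c = new Cookie(COOKIE, cookieToken);
            c.setPath("/"); c.setSecure(true); // not HttpOnly on purpose: client script reads it
            response.addCookie(c);
        }
        response.setHeader(HEADER, cookieToken);
        boolean exempt = String.valueOf(request.getHeader("User-Agent")).startsWith(EXEMPT_UA_PREFIX);
        String sent = request.getHeader(HEADER); // null when absent, so it never matches
        if (PROTECTED_METHODS.contains(request.getMethod()) && !exempt
                && (sent == null || !MessageDigest.isEqual(sent.getBytes(), cookieToken.getBytes()))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token mismatch"); return;
        }
        chain.doFilter(req, res);
    }

    private String readCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies != null) for (Cookie c : cookies) if (COOKIE.equals(c.getName())) return c.getValue();
        return null;
    }

    public void init(FilterConfig config) {} public void destroy() {}
}
```

The javax.servlet Cookie API has no SameSite setter, so a SameSite=Lax attribute for extra defence in depth would have to be written on the raw Set-Cookie header instead.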