[
https://issues.apache.org/jira/browse/HBASE-15187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15163385#comment-15163385
]
Ted Yu commented on HBASE-15187:
--------------------------------
bq. the equivalent CSRF attack vector in hbase
From the REST section of the refguide:
To delete a table, use a DELETE request with the /schema endpoint:
http://example.com:8000/<table>/schema
Suppose an attacker hosts a malicious web form on a domain under his control.
The form uses the DELETE action targeting a REST URL. Through social
engineering, the attacker tricks an authenticated user into accessing the form
and submitting it.
The browser sends the HTTP DELETE request to the REST gateway.
At the REST gateway, the call is executed and the user's table is dropped.
bq. why are our other servlets not also vulnerable
From the header of JMXJsonServlet:
{code}
 * This servlet is based off of the JMXProxyServlet from Tomcat 7.0.14. It has
 * been rewritten to be read only and to output in a JSON format so it is not
 * really that close to the original.
{code}
As you may be aware, GET is a permitted method as defined by
RestCsrfPreventionFilter:
{code}
+ static String REST_CSRF_METHODS_TO_IGNORE_DEFAULT = "GET,OPTIONS,HEAD,TRACE";
{code}
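Review bot: REST_CSRF_METHODS_TO_IGNORE_DEFAULT is declared `static String` with no `final`, so the default ignore list is a mutable, package-visible field; declare it `static final String` (and `private` unless a test needs it) so nothing can reassign the list of methods that bypass the check at runtime.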
This means that read-only web pages such as those provided by JMXProxyServlet
are outside the scope of RestCsrfPreventionFilter.
w.r.t. using ESAPI to counter CSRF attacks, let me do a bit more homework.
Will get back.
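A model of the filter's decision logic, added here as an example (it is not Hadoop's RestCsrfPreventionFilter nor any HBase code): it follows the defaults of the Hadoop filter as I understand them, namely browser detection by a User-Agent regex list ("^Mozilla.*,^Opera.*"), a required custom header named X-XSRF-HEADER, and the ignore list quoted above, and runs the scenarios from the comment: the cross-site DELETE against /<table>/schema, the same DELETE carrying the header, a browser GET of a read-only page, and a DELETE from a non-browser client. The Request class, the sample user agents and the paths are constructed for this example; the header name and regex defaults are assumptions about the Hadoop filter, not taken from this page.

```python
import re
from dataclasses import dataclass, field

# Defaults assumed to mirror Hadoop's RestCsrfPreventionFilter (HADOOP-12691).
# The ignore list is the one quoted in the comment; the header name and the
# browser regex are assumptions for this example.
METHODS_TO_IGNORE_DEFAULT = "GET,OPTIONS,HEAD,TRACE"
BROWSER_USER_AGENTS_DEFAULT = "^Mozilla.*,^Opera.*"
CUSTOM_HEADER_DEFAULT = "X-XSRF-HEADER"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


class CsrfPreventionFilter:
    """Model of the three checks the REST CSRF filter applies in order."""

    def __init__(self, methods_to_ignore=METHODS_TO_IGNORE_DEFAULT,
                 browser_agents=BROWSER_USER_AGENTS_DEFAULT,
                 header_name=CUSTOM_HEADER_DEFAULT):
        self.methods_to_ignore = {m.strip().upper()
                                  for m in methods_to_ignore.split(",") if m.strip()}
        self.browser_patterns = [re.compile(p.strip())
                                 for p in browser_agents.split(",") if p.strip()]
        self.header_name = header_name

    def is_browser(self, user_agent):
        # A missing User-Agent is treated as a non-browser client.
        if user_agent is None:
            return False
        return any(p.match(user_agent) for p in self.browser_patterns)

    def decide(self, req):
        """Return (status, reason): 200 means proceed to the servlet, 400 means rejected."""
        if not self.is_browser(req.header("User-Agent")):
            return 200, "non-browser client, filter does not apply"
        if req.method.upper() in self.methods_to_ignore:
            return 200, "read-only method, outside the filter's scope"
        if req.header(self.header_name) is not None:
            return 200, "custom header present"
        return 400, "Missing Required Header for CSRF Vulnerability Protection"


def run_scenarios():
    """Run the comment's attack and the neighbouring cases; returns name -> status."""
    f = CsrfPreventionFilter()
    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"  # constructed UA
    cases = {
        # The attack in the comment: an authenticated browser user is tricked
        # into sending DELETE /<table>/schema from the attacker's page.
        "csrf_delete": Request("DELETE", "/users/schema",
                               {"User-Agent": browser, "Origin": "http://attacker.example"}),
        # A legitimate client that sets the custom header is let through.
        "delete_with_header": Request("DELETE", "/users/schema",
                                      {"User-Agent": browser, "X-XSRF-HEADER": "1"}),
        # Read-only pages (the JMX servlet case) are never blocked.
        "browser_get_jmx": Request("GET", "/jmx", {"User-Agent": browser}),
        # Non-browser tooling is exempt from the check entirely.
        "curl_delete": Request("DELETE", "/users/schema", {"User-Agent": "curl/7.47.0"}),
    }
    return {name: f.decide(r)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:20s} -> {status}")
```

The custom-header check works because a browser will not attach a non-standard header to a cross-origin request unless the target answers a CORS preflight allowing it, so a page the attacker controls cannot make the user's browser send X-XSRF-HEADER to the gateway. Two consequences follow from the model: GET, HEAD, OPTIONS and TRACE are assumed to be side-effect free, so a REST endpoint that mutates state on GET is not protected; and the User-Agent exemption means the filter only ever defends browser sessions, which is the population a CSRF attack targets.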
> Integrate CSRF prevention filter to REST gateway
> ------------------------------------------------
>
> Key: HBASE-15187
> URL: https://issues.apache.org/jira/browse/HBASE-15187
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Attachments: HBASE-15187.v1.patch, HBASE-15187.v2.patch,
> HBASE-15187.v3.patch, HBASE-15187.v4.patch, HBASE-15187.v5.patch,
> HBASE-15187.v6.patch, HBASE-15187.v7.patch, HBASE-15187.v8.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard
> against cross-site request forgery attacks.
> This issue tracks the integration of that filter into HBase REST gateway.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)