[ https://issues.apache.org/jira/browse/HBASE-15187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-15187:
---------------------------
    Description: 
HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard 
against cross-site request forgery attacks.

This issue tracks the integration of that filter into HBase REST gateway.

From the REST section of the refguide:

To delete a table, use a DELETE request with the /schema endpoint:
http://example.com:8000/<table>/schema

Suppose an attacker hosts a malicious web form on a domain under his control. 
The form uses the DELETE action targeting a REST URL. Through social 
engineering, the attacker tricks an authenticated user into accessing the form 
and submitting it.

The browser sends the HTTP DELETE request to the REST gateway.
At the REST gateway, the call is executed and the user table is dropped.

  was:
HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard 
against cross-site request forgery attacks.

This issue tracks the integration of that filter into HBase REST gateway.


> Integrate CSRF prevention filter to REST gateway
> ------------------------------------------------
>
>                 Key: HBASE-15187
>                 URL: https://issues.apache.org/jira/browse/HBASE-15187
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>         Attachments: HBASE-15187.v1.patch, HBASE-15187.v2.patch, 
> HBASE-15187.v3.patch, HBASE-15187.v4.patch, HBASE-15187.v5.patch, 
> HBASE-15187.v6.patch, HBASE-15187.v7.patch, HBASE-15187.v8.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard 
> against cross-site request forgery attacks.
> This issue tracks the integration of that filter into HBase REST gateway.
> From REST section of refguide:
> To delete a table, use a DELETE request with the /schema endpoint:
> http://example.com:8000/<table>/schema
> Suppose an attacker hosts a malicious web form on a domain under his control. 
> The form uses the DELETE action targeting a REST URL. Through social 
> engineering, the attacker tricks an authenticated user into accessing the 
> form and submitting it.
> The browser sends the HTTP DELETE request to the REST gateway.
> At the REST gateway, the call is executed and the user table is dropped.
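The following is an added example written by the editor, not part of the JIRA issue or of the HBase or Hadoop code, modelling the decision the HADOOP-12691 filter makes for the DELETE /<table>/schema scenario described above: a state-changing request that looks like it came from a browser must carry a custom header that a cross-site form cannot add. The header name, ignored methods and browser User-Agent patterns are the filter's defaults as the editor recalls them; the request objects are constructed for illustration.

```python
import re

# Defaults of Hadoop Common's RestCsrfPreventionFilter as the editor recalls them
# (HBase exposes equivalent settings under its own hbase.rest-csrf.* keys).
CUSTOM_HEADER = "x-xsrf-header"                       # compared case-insensitively
METHODS_TO_IGNORE = {"GET", "OPTIONS", "HEAD", "TRACE"}  # read-only methods pass
BROWSER_UA_PATTERNS = [re.compile(p) for p in ("^Mozilla.*", "^Opera.*")]


def is_browser(user_agent):
    """A request with no User-Agent is treated as a non-browser client."""
    if user_agent is None:
        return False
    return any(p.match(user_agent) for p in BROWSER_UA_PATTERNS)


def csrf_filter(method, headers):
    """Return (allowed, reason) for one request, mirroring the filter's logic."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method.upper() in METHODS_TO_IGNORE:
        return True, "method not checked"
    if not is_browser(hdrs.get("user-agent")):
        return True, "non-browser client, header not required"
    if CUSTOM_HEADER in hdrs:
        return True, "custom header present"
    # The filter answers 400 Bad Request here; the table is never dropped.
    return False, "missing required header for CSRF vulnerability protection"


# Constructed requests: the forged DELETE from the issue, the same request from
# a legitimate JavaScript client that sets the header, a harmless GET, and a
# command-line client that is not a browser.
SAMPLE_REQUESTS = [
    ("forged form submit", "DELETE", {"User-Agent": "Mozilla/5.0 (X11; Linux)"}),
    ("legit browser app", "DELETE", {"User-Agent": "Mozilla/5.0 (X11; Linux)",
                                      "X-XSRF-HEADER": ""}),
    ("schema lookup",     "GET",    {"User-Agent": "Mozilla/5.0 (X11; Linux)"}),
    ("curl client",       "DELETE", {"User-Agent": "curl/7.47.0"}),
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Map each request label to the filter's allow/deny decision."""
    return {label: csrf_filter(method, hdrs)[0] for label, method, hdrs in requests}


if __name__ == "__main__":
    for label, allowed in evaluate().items():
        print(f"{label:20} -> {'allowed' if allowed else 'rejected (400)'}")
```

The forged request is rejected because a cross-site HTML form cannot attach an arbitrary header, and a cross-origin XMLHttpRequest or fetch that tries to add one is subject to the browser's CORS preflight, so only same-origin or explicitly allowed clients can satisfy the check.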



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
