[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17010581#comment-17010581 ]

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

Another point I wanted to discuss with you is about "csrf tokens as URL parameters".

If I refer to [OWASP Disclosure of Token in URL|https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#disclosure-of-token-in-url] it's not recommended. It's not even needed for "embedded links in the page" or "other general design patterns" (for us pagination, or in JS trees, for instance), which I believe are most of the cases where we use them.

It's really a bad thing if you use a unique per-session token, which is not our case, one worry less.

In OFBiz some POST calls are actually nothing more than GET calls, like
{code:html}
    <form class="basic-form" method="post" action="https://localhost:8443/catalog/control/EditProdCatalog?csrfToken=V3TVvfsQVoM8" style="margin: 0;" name="EditProdCatalogForm">
      <table class="basic-table form-table">
        <tr>
          <td class="label"><label>Edit Catalog with Catalog ID:</label></td>
          <td>
            <input type="text" size="20" maxlength="20" name="prodCatalogId" value="" />
            <input type="submit" value=" Edit Catalog" class="smallSubmit" />
          </td>
        </tr>
        <tr>
          <td class="label"><label>OR:</label></td>
          <td><a href="https://localhost:8443/catalog/control/EditProdCatalog?csrfToken=V3TVvfsQVoM8" class="buttontext">Create New Catalog</a></td>
        </tr>
      </table>
    </form>
{code}
There again there is no possible harm, since nothing can be changed with this link.

But there are cases which should not be, like

{code:html}
<!-- Begin  Form Widget - Form Element  component://product/widget/catalog/ProdCatalogForms.xml#EditProdCatalog -->
<form method="post" action="/catalog/control/createProdCatalog?csrfTokencsrfToken=jWYkCVSqkj6X" id="EditProdCatalog" class="basic-form requireValidation" onsubmit="javascript:submitFormDisableSubmits(this)" name="EditProdCatalog">
    <input type="hidden" name="csrfToken" value="jWYkCVSqkj6X"/>
  <table cellspacing="0" class="basic-table">
  <tr>
  <td class="label">
<label for="EditProdCatalog_prodCatalogId" title="This cannot be changed without re-creating the Product Catalog." id="EditProdCatalog_prodCatalogId_title">Catalog &#x5b;ID&#x5d;</label>  </td>
  <td>
<input type="text" name="prodCatalogId" size="20" maxlength="20" id="EditProdCatalog_prodCatalogId" require />
[...]
{code}

So we need to remove csrfTokens from cases like this one. Anyway, I now need to review the Java code. I'll get back to you then.

Thanks for your very good start!



> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request paths, like LookupPartyName, can be exempted from the CSRF token 
> check during Ajax POST calls. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

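The check the issue describes (a token kept in the session, verified on POST, read from a hidden form field or the X-CSRF-Token header) and the "token in the URL" concern raised in the comment above, as an added example. This is not OFBiz code and not from the patches attached to the issue: the Request/Session shapes, the exemption set contents, the token generator and the sample values are constructed for the example. The verifier never reads the query string as a token source, a separate helper flags a token that is exposed there, and a third helper shows removing it from an action URL, which is what the comment says has to happen for forms like createProdCatalog.

```python
# Added example, not OFBiz code: a minimal model of a session-bound CSRF check
# (hidden form field or X-CSRF-Token header only), an audit helper that flags a
# token exposed as a URL parameter, and a helper that strips it from a URL.
# Request/Session shapes, exemption set, token generator and sample values are
# constructed for this example.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_FIELD = "csrfToken"      # hidden-field / parameter name seen in the pasted HTML
TOKEN_HEADER = "X-CSRF-Token"  # header name from the issue description

# Assumed exemption set, keyed on the last path segment (OFBiz-style request URI).
# The issue names LookupPartyName as a request that can be exempted.
CSRF_EXEMPT_REQUESTS = {"LookupPartyName"}


@dataclass
class Session:
    csrf_token: Optional[str] = None


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)    # URL parameters
    form: Dict[str, str] = field(default_factory=dict)     # POST body fields
    headers: Dict[str, str] = field(default_factory=dict)


def issue_token(session: Session) -> str:
    """Create the per-session token on first use and reuse it afterwards.
    9 random bytes give 12 URL-safe chars, the length seen in the pasted HTML;
    this stand-in is not the CSRF Guard generator the project uses."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(9)
    return session.csrf_token


def token_in_url(request: Request) -> bool:
    """Audit helper: True when the token travels as a query parameter, where
    it can leak through Referer headers, proxy/server logs and history."""
    return TOKEN_FIELD in request.query


def verify_csrf(session: Session, request: Request) -> Tuple[bool, str]:
    """Return (accepted, reason). Only POST is checked, exempt requests pass,
    and the query string is deliberately never consulted as a token source."""
    if request.method.upper() != "POST":
        return True, "not a POST; no token check"
    if request.path.rsplit("/", 1)[-1] in CSRF_EXEMPT_REQUESTS:
        return True, "request exempt from CSRF check"
    expected = session.csrf_token
    if not expected:
        return False, "no token in session"
    supplied = request.form.get(TOKEN_FIELD) or request.headers.get(TOKEN_HEADER)
    if supplied is None:
        return False, "no token in form field or header"
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "token mismatch"
    return True, "ok"


def strip_token_from_url(url: str) -> str:
    """Remove csrfToken from a URL's query string, keeping every other parameter."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != TOKEN_FIELD]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    sess = Session(csrf_token="V3TVvfsQVoM8")  # constructed; value copied from the pasted HTML
    leaky = Request("POST", "/catalog/control/createProdCatalog",
                    query={"csrfToken": "V3TVvfsQVoM8"}, form={"prodCatalogId": "DEMO"})
    fixed = Request("POST", "/catalog/control/createProdCatalog",
                    form={"prodCatalogId": "DEMO", "csrfToken": "V3TVvfsQVoM8"})
    print("URL-only token :", token_in_url(leaky), verify_csrf(sess, leaky))
    print("hidden field   :", token_in_url(fixed), verify_csrf(sess, fixed))
    print(strip_token_from_url(
        "https://localhost:8443/catalog/control/EditProdCatalog?csrfToken=V3TVvfsQVoM8"))
```

Because `verify_csrf` never looks at the query string, a token that only appears in the URL buys the client nothing, but it is still the live session token and can still leak; the exposure is closed only by taking it out of the markup, which is what `strip_token_from_url` does for the action URLs shown above. Note that the second pasted form carries the parameter under the name `csrfTokencsrfToken`, which an exact-name match like this one would not remove.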