[
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019637#comment-17019637 ]
Jacques Le Roux edited comment on OFBIZ-11306 at 1/20/20 5:06 PM:
------------------------------------------------------------------
Hi James,
Thanks for feedback.
bq. Do you have any link for further reading?
https://blog.clever-age.com/fr/2014/06/25/owasp-cross-site-request-forgery-csrf-ou-xsrf/ It's in French but I guess it's readable when translated by Google or maybe better Deepl. I read in comment that using an IP address can be a problem if the user is browsing through Thor. So maybe not a good idea finally. Remains the timeout, and maybe we can find another static parameter to replace the IP as a JWT claim. Anyway all that is minor. A random value as you propose is safe enough IMO. Just that we can't limit it in time. We can discuss that later with the team...
was (Author: jacques.le.roux):
Hi James,
Thanks for feedback.
bq. Do you have any link for further reading?
https://blog.clever-age.com/fr/2014/06/25/owasp-cross-site-request-forgery-csrf-ou-xsrf/ It's in French but I guess it's readable when translated by Google or maybe better Deepl. I read in comment that using an IP address can be a problem if the use is browsing throught Thor, so maybe not a good idea finally. Remains the timeout, and maybe we can find another static parameter to replace the IP as a JWT claim. Anyway all that is minor. A random value as you propose is safe enough IMO. Just that we can't limit it in time. We can discuss that later with the team...
> POC for CSRF Token
> ------------------
>
> Key: OFBIZ-11306
> URL:
https://issues.apache.org/jira/browse/OFBIZ-11306> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CRSF tokens are generated using SecureRandom class.
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to X-CSRF-Token in request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token check during Ajax POST call.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
