[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17010581#comment-17010581 ]

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

Another point I wanted to discuss with you is about "csrf tokens as URL parameters". If I refer to [OWASP Disclosure of Token in URL|https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#disclosure-of-token-in-url] it's not recommended. It's not even needed for "embedded links in the page" or "other general design patterns" (for us pagination, or in js trees, for instance), which I believe are most of the cases where we use them. It's really a bad thing if you use a unique per-session token, which is not our case, one worry less.

In OFBiz some post calls are actually nothing more than get calls, like

{code:html}
<form class="basic-form" method="post" action="https://localhost:8443/catalog/control/EditProdCatalog?csrfToken=V3TVvfsQVoM8" style="margin: 0;" name="EditProdCatalogForm">
  <table class="basic-table form-table">
    <tr>
      <td class="label"><label>Edit Catalog with Catalog ID:</label></td>
      <td>
        <input type="text" size="20" maxlength="20" name="prodCatalogId" value="" />
        <input type="submit" value=" Edit Catalog" class="smallSubmit" />
      </td>
    </tr>
    <tr>
      <td class="label"><label>OR:</label></td>
      <td><a href="https://localhost:8443/catalog/control/EditProdCatalog?csrfToken=V3TVvfsQVoM8" class="buttontext">Create New Catalog</a></td>
    </tr>
  </table>
</form>
{code}

There again there is no possible harm, since nothing can be changed with this link.

But there are cases which should not be, like

{code:html}
<!-- Begin Form Widget - Form Element component://product/widget/catalog/ProdCatalogForms.xml#EditProdCatalog -->
<form method="post" action="/catalog/control/createProdCatalog?csrfTokencsrfToken=jWYkCVSqkj6X" id="EditProdCatalog" class="basic-form requireValidation" onsubmit="javascript:submitFormDisableSubmits(this)" name="EditProdCatalog">
  <input type="hidden" name="csrfToken" value="jWYkCVSqkj6X"/>
  <table cellspacing="0" class="basic-table">
    <tr>
      <td class="label">
        <label for="EditProdCatalog_prodCatalogId" title="This cannot be changed without re-creating the Product Catalog." id="EditProdCatalog_prodCatalogId_title">Catalog [ID]</label>
      </td>
      <td>
        <input type="text" name="prodCatalogId" size="20" maxlength="20" id="EditProdCatalog_prodCatalogId" require />
[...]
{code}

So we need to remove csrfTokens from cases like this one.

Anyway, I need to now review the Java code. I'll get back to you then. Thanks for your very good start!

> POC for CSRF Token
> ------------------
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to X-CSRF-Token in request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.
> Certain request paths, like LookupPartyName, can be exempt from CSRF token check during Ajax POST call.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
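The comment above makes two points that are easy to mechanise: a token carried in a URL query string leaks through logs, Referer headers and browser history, so links and form actions should not carry one, and the server-side check should read the token only from the POST body or the X-CSRF-Token header, never from the URL. The following is an added, framework-independent illustration of both, written for this page; it is not OFBiz or CSRF Guard code. The request and session shapes (plain dicts), the function names and the sample URLs reusing the page's `csrfToken=V3TVvfsQVoM8` are constructed for the demo.

```python
"""Added example: strip leaked CSRF tokens from URLs and verify tokens
only from the form body or the X-CSRF-Token header (not OFBiz code)."""
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "csrfToken"          # hidden form field name, as on the page
TOKEN_HEADER = "x-csrf-token"      # header name, compared case-insensitively
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def url_leaks_token(url: str) -> bool:
    """True when the URL carries the CSRF token in its query string."""
    query = urlsplit(url).query
    return any(k == TOKEN_PARAM for k, _ in parse_qsl(query, keep_blank_values=True))


def strip_token_from_url(url: str) -> str:
    """Return the URL with any csrfToken query parameter removed.

    Other parameters, the path and the fragment are preserved, so this is
    safe to apply to link hrefs and form actions such as the ones quoted
    in the comment.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != TOKEN_PARAM]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def check_csrf(method, query, form, headers, session_token):
    """Decide whether a request passes the CSRF check.

    method        -- HTTP method of the request
    query         -- dict of query-string parameters (deliberately ignored
                     as a token source)
    form          -- dict of POST body fields
    headers       -- dict of request headers (any case)
    session_token -- token stored in the user's session, or None

    Returns (ok, reason). The reason strings are constructed for this demo.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method; no token required"
    if session_token is None:
        return False, "no token in session"

    lowered = {k.lower(): v for k, v in headers.items()}
    presented = form.get(TOKEN_PARAM) or lowered.get(TOKEN_HEADER)
    if presented is None:
        # A token that only appears in the URL is treated as absent: the
        # URL is the very channel we do not want tokens to travel in.
        if TOKEN_PARAM in query:
            return False, "token only in query string; ignored"
        return False, "token missing"

    # Constant-time comparison avoids leaking token bytes via timing.
    if not hmac.compare_digest(presented, session_token):
        return False, "token mismatch"
    return True, "token valid"


if __name__ == "__main__":
    link = "https://localhost:8443/catalog/control/EditProdCatalog?csrfToken=V3TVvfsQVoM8"
    print(url_leaks_token(link), "->", strip_token_from_url(link))
    print(check_csrf("POST", {"csrfToken": "tok"}, {}, {}, "tok"))
    print(check_csrf("POST", {}, {"csrfToken": "tok"}, {}, "tok"))
    print(check_csrf("POST", {}, {}, {"X-CSRF-Token": "tok"}, "tok"))
```

Run on the first form quoted above, `strip_token_from_url` turns the action into a plain `/catalog/control/EditProdCatalog`, which is all that link needs, while `check_csrf` still accepts the hidden `csrfToken` field or the `X-CSRF-Token` header that the widget and FTL macros emit. A token that reaches the server only in the query string is rejected rather than quietly accepted, so removing tokens from URLs cannot silently weaken the check.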
