Comments (8)
PoC:
<form id="target" method="POST" action="http://isso.example.org/id/1/dislike">
<input type="text" value="..." />
<input type="submit" value="POST"/>
</form>
<script>
// Auto-submit the form as soon as the page loads. The original snippet used
// jQuery ($(document).ready) without loading it; the DOM call below does the
// same thing with no dependency, so the page works as a stand-alone PoC.
document.getElementById('target').submit();
</script>
What's a common approach to harden a RESTful API against CSRF? Add an authentication token to the response that the client has to resend?
Yes, that's the idea: you want the attacker to be unable to forge this token, so it has to be random (and don't set it as a cookie, otherwise the PoC would still work).
I didn't check, but you might also want to check whether or not /activate and /delete are subject to the CSRF (especially because they can be triggered via GET, so it'd be really easy to exploit: no need for JS, a picture embedded in the markdown would be enough).
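The token scheme the two comments above describe, written out as an added example (this is not isso's code and not the patch discussed later in the thread): the server issues a random token per session, returns it in the response body rather than a cookie, and refuses the dislike request unless the client sends it back. The class name CsrfTokenStore, the X-CSRF-Token header, the session identifiers and the three constructed requests are all assumptions made for the illustration.

```python
import hmac
import secrets
from typing import Dict, Mapping, Optional, Tuple


class CsrfTokenStore:
    """Per-session synchronizer tokens (added illustration, not isso's code).

    The token is random, so the attacker cannot forge it, and it is handed to
    the client in the response body, never in a cookie: a cookie would be
    attached automatically to the auto-submitted form in the PoC above.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        # 32 bytes from the OS CSPRNG, URL-safe encoded: unguessable.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id: str, presented: Optional[str]) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        # Constant-time comparison so the check does not leak the token via timing.
        return hmac.compare_digest(expected, presented)


def handle_dislike(store: CsrfTokenStore, session_id: str,
                   headers: Mapping[str, str]) -> int:
    """HTTP status for POST /id/1/dislike: 403 unless the X-CSRF-Token header
    (hypothetical header name) carries the token issued to this session."""
    if not store.validate(session_id, headers.get("X-CSRF-Token")):
        return 403
    return 200


def demo() -> Tuple[int, int, int]:
    """Three constructed requests against one store."""
    store = CsrfTokenStore()
    token = store.issue("sess-victim")  # handed to the real client in a JSON response
    # Legitimate client echoes the token back: accepted.
    legit = handle_dislike(store, "sess-victim", {"X-CSRF-Token": token})
    # The PoC form carries the victim's cookies (hence the session), but the
    # attacker's page cannot read the token, so the header is missing: rejected.
    forged = handle_dislike(store, "sess-victim", {})
    # A token issued to the attacker's own session does not validate for the victim's.
    attacker_token = store.issue("sess-attacker")
    replayed = handle_dislike(store, "sess-victim", {"X-CSRF-Token": attacker_token})
    return legit, forged, replayed


if __name__ == "__main__":
    print(demo())
```

The store is in-memory for the illustration; a real deployment would keep the token in whatever server-side session store it already has, or derive it with an HMAC over the session id so nothing needs storing. The point that matters for the PoC is that the browser only attaches cookies automatically, so a value that must be read from a response and copied into a header is out of the attacker's reach.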
Hi Alexis,
I made a patch which checks for HTTP-Origin to match the configured hosts. This is one recommended prevention for CSRF. The PoC from above no longer works. I'd love to get feedback from you.
Activation and deletion links are indeed only GET requests, but they are sent via mail and hard to guess (cryptographically signed). I don't think they can be exploited with <img src="...">.
I didn't know about Origin; but after a quick look at the Mozilla wiki you linked, it should solve this issue [1]. Quick question though: how widely is this header supported? Because if a browser doesn't add it, it will prevent the users of that browser from upvoting/downvoting comments (raise Forbidden would be triggered each time, right?).
Activation and deletion links are indeed only GET requests but sent via mail and hard to guess (cryptographically signed). I don't think they can be exploited with <img src="...">.
👍
[1] Well, there's still a theoretical attack as far as I can tell: if an attacker finds an XSS on the website using isso, then that would allow the attacker to use the CSRF with the right origin.
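The Origin check from the patch described above, plus the fallback the follow-up question asks about, as an added example that is not isso's own patch: the request's Origin is normalised to (scheme, host, port) and compared against the configured hosts; when a browser sends no Origin at all, the Referer is tried before the request is refused, so such browsers are not locked out wholesale. The configured host list, the helper names and every request header below are constructed for the illustration (assumed: the configured hosts are full origins like "http://isso.example.org"). As the footnote above notes, a request sent by an XSS payload on the embedding site carries the right Origin, so this check does nothing against that case.

```python
from typing import Iterable, Mapping, Optional, Tuple
from urllib.parse import urlsplit

# Added illustration, not the patch discussed in the thread. Assumed: the
# configured hosts are full origins such as "http://isso.example.org"; the
# list, the helper names and the sample headers below are made up.

_DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Reduce an Origin/Referer/config value to (scheme, host, port); None if unusable."""
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        if scheme not in _DEFAULT_PORTS or not parts.hostname:
            return None
        port = parts.port if parts.port is not None else _DEFAULT_PORTS[scheme]
    except ValueError:  # e.g. a non-numeric port
        return None
    return scheme, parts.hostname.lower(), port


def origin_allowed(headers: Mapping[str, str], configured_hosts: Iterable[str]) -> bool:
    """Accept the request only if its Origin (or Referer, when Origin is absent)
    is one of the configured hosts. Neither header present -> reject."""
    allowed = {o for o in (normalize_origin(h) for h in configured_hosts) if o is not None}
    source = headers.get("Origin")
    if source is None:
        # Browsers that never send Origin (the IE case discussed above) usually
        # still send Referer on form posts, so fall back to it instead of a flat 403.
        source = headers.get("Referer")
    if source is None or source == "null":
        # "null" is what browsers send for sandboxed iframes and data: URLs.
        return False
    return normalize_origin(source) in allowed


CONFIGURED_HOSTS = ["http://isso.example.org/", "https://isso.example.org"]

# Constructed request headers for the cases raised in the thread.
CASES = {
    "poc_cross_site":    {"Origin": "http://attacker.example"},
    "legit_post":        {"Origin": "http://isso.example.org"},
    "explicit_port":     {"Origin": "http://isso.example.org:80"},
    "scheme_mismatch":   {"Origin": "http://isso.example.org:443"},
    "no_origin_referer": {"Referer": "http://isso.example.org/thread/1"},
    "no_headers":        {},
    "opaque_origin":     {"Origin": "null"},
}


def evaluate() -> dict:
    """Verdict per constructed case, keyed by case name."""
    return {name: origin_allowed(h, CONFIGURED_HOSTS) for name, h in CASES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:18} {'allow' if verdict else 'deny'}")
```

Comparing the whole (scheme, host, port) triple rather than a bare hostname matters: a plain string match on "isso.example.org" would also accept "http://isso.example.org.attacker.example". Whether a request with neither Origin nor Referer should be refused or allowed is a policy choice; refusing is the safe default, and the fallback to Referer is what keeps the older browsers discussed below usable.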
how widely is this header supported?
Not by IE10+, of course. Safari/Chrome and Firefox support this header since 2008.
Separate fix for IE10 (see 9a03cca). The browser from Android 2.2 (and higher) supports the Origin header. Safari on iOS should support this header [citation needed].
Implementation fails for Firefox.