[Cppcms-users] Potential Bug in CSRF Validation
From: Nazim C. B. <naz...@ne...> - 2018-10-18 16:23:40
Hello Artyom,

I came across an interesting situation while stress testing an application using CppCMS. Could you please provide your thoughts about the issue?

- While doing CSRF validation, CppCMS is using the "_csrf" value from the session.
- The "_csrf" value itself is generated in the session_interface::save member function for new sessions.
- Validation will succeed if the "_csrf" session value is empty or the "_csrf" session value equals the "_csrf" POST data (or header value).

In normal situations, this works as expected because the form must be rendered before it is submitted. In the first GET request, the session is initialized and the "_csrf" value is set. In subsequent requests, the _csrf value will exist in the session; thus validation will be in place.

Now, let's consider this situation:
- The attacker gets all information about the form by inspecting the HTML code.
- Then posts the form data with cURL without any session cookie values and without the hidden "_csrf" variable and header.
In this case, CppCMS will consider these requests as a new session. But since the "_csrf" value in the session is not generated until the response is written back, CSRF validation will succeed silently.

Maybe we should change validate_csrf_token's logic as follows:
- if session[_csrf] is empty, then return false.
- if token is empty, then return false.
- if session[_csrf] == token, return true; otherwise return false.
After this change, if the session is new, the method is POST and form::load is called, CSRF validation will throw an exception (as expected).

In the current situation, it seems that there is a cross-site request forgery attack possibility in very specific cases. But I am not sure if this is a feature or a bug.

Thank you.

Best regards,
Nazim Can.

--
Best regards,
Назым-Джан Бэдир
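The two validation policies described in the post, side by side, as an added example that is not part of the original message and not CppCMS's own code. The `Session` struct, its `save()` method and the scenario helpers are a constructed model of the lifecycle the post describes (a new session only receives its "_csrf" value when the response is saved); `validate_csrf_current` encodes the current rule (empty session token passes), `validate_csrf_proposed` encodes the proposed rule (both values present and equal). The scenarios show that only the proposed rule rejects a cookieless POST while both rules still accept a legitimate submission and reject a wrong token.

```cpp
#include <iostream>
#include <map>
#include <random>
#include <string>

// Minimal model of a server-side session (constructed for this example; not CppCMS's API).
struct Session {
    std::map<std::string, std::string> values;
    bool is_new = true;  // no session cookie was presented with the request

    std::string get(const std::string& key) const {
        auto it = values.find(key);
        return it == values.end() ? std::string() : it->second;
    }

    // Models the behaviour the post attributes to session_interface::save:
    // the "_csrf" token for a new session is generated only when the response is written.
    void save() {
        if (is_new) {
            values["_csrf"] = make_token();
            is_new = false;
        }
    }

private:
    static std::string make_token() {
        static const char hex[] = "0123456789abcdef";
        std::random_device rd;
        std::string token;
        for (int i = 0; i < 32; ++i) token += hex[rd() % 16];
        return token;
    }
};

using Validator = bool (*)(const Session&, const std::string&);

// Current rule as the post describes it: an empty session token makes validation succeed.
bool validate_csrf_current(const Session& s, const std::string& token) {
    const std::string expected = s.get("_csrf");
    return expected.empty() || expected == token;
}

// Proposed rule: both the session token and the submitted token must be present and equal.
bool validate_csrf_proposed(const Session& s, const std::string& token) {
    const std::string expected = s.get("_csrf");
    if (expected.empty()) return false;
    if (token.empty()) return false;
    return expected == token;
}

// Scenario 1: POST with no session cookie and no token; save() has not run yet.
bool cookieless_post_accepted(Validator validate) {
    Session s;
    return validate(s, "");
}

// Scenario 2: ordinary flow; the GET response ran save(), the POST carries the hidden field.
bool legitimate_post_accepted(Validator validate) {
    Session s;
    s.save();
    const std::string hidden_field = s.get("_csrf");
    return validate(s, hidden_field);
}

// Scenario 3: established session, submitted token does not match.
bool wrong_token_accepted(Validator validate) {
    Session s;
    s.save();
    return validate(s, "not-the-session-token");
}

int main() {
    std::cout << "cookieless POST  current/proposed: "
              << cookieless_post_accepted(validate_csrf_current) << "/"
              << cookieless_post_accepted(validate_csrf_proposed) << "\n";
    std::cout << "legitimate POST  current/proposed: "
              << legitimate_post_accepted(validate_csrf_current) << "/"
              << legitimate_post_accepted(validate_csrf_proposed) << "\n";
    std::cout << "wrong token      current/proposed: "
              << wrong_token_accepted(validate_csrf_current) << "/"
              << wrong_token_accepted(validate_csrf_proposed) << "\n";
    return 0;
}
```

The first line of output is the point of the post: under the current rule the cookieless POST prints 1 (accepted), under the proposed rule it prints 0 (rejected), while the other two scenarios behave the same under both rules.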