Posted to dev@sling.apache.org by "Cris Rockwell (Jira)" <ji...@apache.org> on 2021/08/31 21:02:00 UTC

[jira] [Commented] (SLING-3469) Provide out of the box CSRF protection

    [ https://issues.apache.org/jira/browse/SLING-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17407656#comment-17407656 ] 

Cris Rockwell commented on SLING-3469:
--------------------------------------

I have a few questions about this...

* The OWASP CSRF Cheatsheet (linked below) mentions a process of checking the 'Origin' header and comparing to the 'Referrer' header. Sling's Referrer Filter compares the host name (obtained by parsing the referrer header) to `request.getServerName()`. It seems equivalent, but is it? Any advantage either way?
* Does the JEE Reference CSRFValidationFilter (linked below) demonstrate any mitigation techniques that Sling should consider adopting?
* Sling's ReferrerFilter has this code in the isValidRequest method. It seems odd and my internet searches did not return an obvious answer about why this is done. Ideas?

{code:java}
        // check for air referrer - which is always allowed
        if ( referrer.startsWith("app:/") ) {
            return true;
        }
{code}


[Sling ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java]
[Cross-Site Request Forgery Prevention Cheat Sheet|https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#java-reference-example]
[JEE Reference CSRFValidationFilter|https://github.com/righettod/poc-csrf/blob/master/src/main/java/eu/righettod/poccsrf/filter/CSRFValidationFilter.java] 
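The two approaches asked about above differ mainly in which header is trusted first and in what is compared. As an added illustration (not Sling's ReferrerFilter and not the OWASP reference filter), the following class applies the cheat sheet's order of precedence: trust the Origin header when the browser sends it, fall back to the Referer header otherwise, and reject a state-changing request when neither can be verified. The comparison itself is host-name based, mirroring the `request.getServerName()` check the comment describes. The class name, the `allowedHosts` set, and the sample hosts in `main` are constructed for this example and are not part of Sling.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not project code: a minimal source-origin check for
 * state-changing requests, following the OWASP cheat sheet order of
 * precedence (Origin first, then Referer, otherwise reject).
 */
public final class SourceOriginCheck {

    /** Hypothetical list of additional hosts whose forms may post here (constructed for the example). */
    private final Set<String> allowedHosts;

    public SourceOriginCheck(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    /**
     * @param method     HTTP method of the request
     * @param serverName what an application would get from request.getServerName()
     * @param origin     Origin header value, or null if absent
     * @param referer    Referer header value, or null if absent
     * @return true when the request may proceed
     */
    public boolean isValidRequest(String method, String serverName, String origin, String referer) {
        // Safe methods are not state-changing; the check only applies to the rest.
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            return true;
        }
        // Origin is preferred: browsers send it on cross-site POSTs, and because it
        // carries only scheme/host/port it is stripped less often than Referer.
        if (origin != null) {
            // A literal "null" origin (sandboxed frame, privacy-sensitive redirect) cannot be verified.
            if ("null".equals(origin)) {
                return false;
            }
            return hostMatches(hostOf(origin), serverName);
        }
        // Fall back to Referer, the header Sling's ReferrerFilter inspects.
        if (referer != null) {
            return hostMatches(hostOf(referer), serverName);
        }
        // Neither header present: the source cannot be verified, so reject.
        return false;
    }

    /** Host-name comparison; case-insensitive, no scheme or port involved. */
    private boolean hostMatches(String host, String serverName) {
        if (host == null) {
            return false;
        }
        String h = host.toLowerCase(Locale.ROOT);
        return h.equals(serverName.toLowerCase(Locale.ROOT)) || allowedHosts.contains(h);
    }

    /** Extracts the host from an absolute URL; null for unparseable, relative or host-less values. */
    static String hostOf(String url) {
        try {
            return new URI(url).getHost();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        SourceOriginCheck check = new SourceOriginCheck(Set.of());
        // Constructed sample requests against a server named "sling.example".
        System.out.println(check.isValidRequest("POST", "sling.example", "https://sling.example", null));
        System.out.println(check.isValidRequest("POST", "sling.example", "https://other.example", "https://sling.example/"));
        System.out.println(check.isValidRequest("POST", "sling.example", null, "https://sling.example/login"));
        System.out.println(check.isValidRequest("POST", "sling.example", null, null));
        System.out.println(check.isValidRequest("GET", "sling.example", null, null));
    }
}
```

Two design points are worth noting. First, when both headers are present the example lets Origin decide, so a Referer that happens to match cannot override a mismatching Origin. Second, matching on host alone is what the host-name comparison in the comment amounts to; a stricter variant compares scheme and port as well, which is what comparing a full origin value does. A value such as `app:/` has no host and so is rejected here rather than special-cased.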


> Provide out of the box CSRF protection
> --------------------------------------
>
>                 Key: SLING-3469
>                 URL: https://issues.apache.org/jira/browse/SLING-3469
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Raviteja Lokineni
>            Priority: Critical
>
> One such vulnerability can found on the default login form for FormBasedAuthenticationHandler.
> Grails framework has implemented this protection using custom tag library and filters. Ref: http://grails.org/doc/2.2.1/ref/Tags/form.html



--
This message was sent by Atlassian Jira
(v8.3.4#803005)