Re: CSRF does not work in iframe.
From: address@hidden
Subject: Re: CSRF does not work in iframe.
Date: Thu, 14 Sep 2017 09:58:40 +0200
Hello,
the Access-Control-Allow-Credentials is a dangerous header.
Monit uses a stateless double-submit-cookie pattern for CSRF defence:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie
... the action will work when the request's "securitytoken" cookie and
"securitytoken" HTTP parameter match - the value is not important, you can
generate a new value for every request on the client side (the defence is based on
the fact that the CSRF attacker cannot read nor set/modify the cookie value,
so cannot set a matching HTTP parameter value).
Best regards,
Martin
> On 14 Sep 2017, at 06:13, Bhuvan Gupta <address@hidden> wrote:
>
> Any help will be nice
>
> On Thu, Sep 7, 2017 at 12:37 PM, Bhuvan Gupta <address@hidden> wrote:
> Hello all,
>
> I created an allMonit.html which has two iframes with the src of two different
> monit http interfaces running on two different systems
>
> allMonit.html structure
> <iframe src = "http://firstserver:2812"></iframe>
> <iframe src = "http://seconderver:2812"></iframe>
>
> Now when I open allMonit.html in Chrome, I see two monit interfaces. GREAT
>
> Now if I try to, let's say, "start a service" on firstserver, I get invalid
> CSRF.
>
> Upon investigation I found that without the iframe the HTTP request contains a
> cookie header like
> Cookie:securitytoken=6265d84a17c2715c7252c84d88a479cf
> Whereas the HTTP request from the iframe does not include a cookie header.
>
> Upon further study, I found that since the monit HTTP response does not contain the
> following header
> Access-Control-Allow-Credentials: true
> the browser will not transmit the cookie back to the server.
>
> Now the question arises:
>
> QUESTION: How to configure monit to add an additional HTTP header?
>
> Thanks
> Bhuvan
> --
> To unsubscribe:
> https://lists.nongnu.org/mailman/listinfo/monit-general
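A small model of the double-submit-cookie check Martin describes, added here as an illustration for this thread (it is not Monit's source): the request passes only when the "securitytoken" cookie and the "securitytoken" form parameter carry the same non-empty value. The scenarios, request shapes and the `csrf_check`/`client_request`/`scenarios` names are constructed for the example; it also shows why the iframe case from the original question fails (the browser withholds the cookie, so the parameter alone cannot match).

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed model of a stateless double-submit-cookie check (not Monit's code).
TOKEN_NAME = "securitytoken"


def csrf_check(headers: dict, body: str) -> bool:
    """Return True only if the token cookie and the token form parameter match."""
    cookies = SimpleCookie()
    cookies.load(headers.get("Cookie", ""))
    cookie_token = cookies[TOKEN_NAME].value if TOKEN_NAME in cookies else ""
    param_token = parse_qs(body).get(TOKEN_NAME, [""])[0]
    # An absent/empty cookie never matches; compare in constant time.
    return bool(cookie_token) and secrets.compare_digest(cookie_token, param_token)


def client_request(token: Optional[str], cookie_sent: bool) -> Tuple[dict, str]:
    """Build a constructed form POST the way a browser page would send it."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if token is not None and cookie_sent:
        headers["Cookie"] = f"{TOKEN_NAME}={token}"      # browser attaches the cookie
    body = "action=start&service=nginx"
    if token is not None:
        body += f"&{TOKEN_NAME}={token}"                  # page echoes it as a parameter
    return headers, body


def scenarios() -> dict:
    # The value is not important: the client may mint a fresh one per request.
    token = secrets.token_hex(16)
    victim_cookie = secrets.token_hex(16)
    return {
        # Same-origin page: cookie and parameter carry the same value -> accepted.
        "direct": csrf_check(*client_request(token, cookie_sent=True)),
        # Iframe case from the question: browser withholds the cookie -> rejected.
        "iframe_no_cookie": csrf_check(*client_request(token, cookie_sent=False)),
        # Cross-site forgery: the forging page cannot read the victim's cookie, so its
        # parameter is a guess while the browser sends the real cookie -> rejected.
        "forged": csrf_check({"Cookie": f"{TOKEN_NAME}={victim_cookie}"},
                             f"action=start&service=nginx&{TOKEN_NAME}={secrets.token_hex(16)}"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:18s} -> {'accepted' if ok else 'rejected (invalid CSRF)'}")
```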