monit-general

Re: CSRF does not work in iframe.


From: address@hidden
Subject: Re: CSRF does not work in iframe.
Date: Thu, 14 Sep 2017 09:58:40 +0200

Hello,

the Access-Control-Allow-Credentials is a dangerous header.

Monit uses the state-less double-submit-cookie pattern for CSRF defence: 
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie
 ... the action will work when the request's "securitytoken" cookie and 
"securitytoken" http parameter match - the value is not important, you can 
generate a new value for every request on the client side (the defence is based on 
the fact that the CSRF attacker can neither read nor set/modify the cookie value, 
so cannot set a matching http parameter value).

Best regards,
Martin

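The double-submit check Martin describes, as an added illustration that is not part of his reply and not Monit's own code: only the cookie and parameter names "securitytoken" and the token value come from the thread; the request samples are constructed, and the server compares the two copies without storing anything.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Names used by Monit according to the thread; everything else here is an
# illustrative reimplementation of the pattern, not Monit's own code.
COOKIE_NAME = "securitytoken"
PARAM_NAME = "securitytoken"


def parse_cookie_header(header):
    """Map cookie names to values from a raw 'Cookie:' header string."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def csrf_check(headers, body):
    """Stateless double-submit check.

    headers: dict of request headers (any case); body: an
    application/x-www-form-urlencoded request body. Accept only when the
    securitytoken cookie and the securitytoken parameter are both non-empty
    and identical; the server keeps no record of issued tokens.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cookies = parse_cookie_header(lowered.get("cookie", ""))
    params = parse_qs(body, keep_blank_values=True)
    cookie_val = cookies.get(COOKIE_NAME, "")
    param_val = params.get(PARAM_NAME, [""])[0]
    # Empty-equals-empty must not pass, so an absent cookie always fails.
    if not cookie_val or not param_val:
        return False
    # Constant-time comparison on bytes avoids a timing side channel.
    return hmac.compare_digest(cookie_val.encode(), param_val.encode())


def new_client_token():
    """What the browser-side script can do: mint any fresh random value,
    store it in the cookie and submit the same value as a parameter."""
    return secrets.token_hex(16)


def evaluate_samples():
    """Run the check over constructed requests modelled on the thread."""
    token = "6265d84a17c2715c7252c84d88a479cf"  # value quoted in the thread
    form = "action=start&service=example&" + PARAM_NAME + "=" + token
    results = {
        # Same-origin page: browser sends the cookie, script copied it.
        "matching_cookie_and_param": csrf_check(
            {"Cookie": COOKIE_NAME + "=" + token}, form),
        # The reporter's iframe case: no Cookie header reached the server.
        "param_without_cookie": csrf_check({}, form),
        # A request whose parameter was chosen without knowing the cookie.
        "mismatched_values": csrf_check(
            {"Cookie": COOKIE_NAME + "=" + token}, PARAM_NAME + "=deadbeef"),
        # Both copies present but empty.
        "both_empty": csrf_check(
            {"Cookie": COOKIE_NAME + "="}, PARAM_NAME + "="),
    }
    fresh = new_client_token()
    results["fresh_client_token"] = csrf_check(
        {"Cookie": COOKIE_NAME + "=" + fresh}, PARAM_NAME + "=" + fresh)
    return results


if __name__ == "__main__":
    for name, accepted in evaluate_samples().items():
        print(f"{name}: {'accepted' if accepted else 'rejected (invalid CSRF)'}")
```

The "param_without_cookie" sample is the situation reported below: the form parameter arrives but the browser sent no cookie, so the server has nothing to compare against and rejects the action. The pattern only holds if the cookie itself cannot be written cross-site, which is why the comparison is done against the cookie the browser attached rather than against anything the request body claims.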

> On 14 Sep 2017, at 06:13, Bhuvan Gupta <address@hidden> wrote:
> 
> Any help will be nice
> 
> On Thu, Sep 7, 2017 at 12:37 PM, Bhuvan Gupta <address@hidden> wrote:
> Hello all,
> 
>  I created an allMonit.html which has two iframes with the src of two different 
> monit http interfaces running on two different systems
> 
> allMonit.html structure
>     <iframe src="http://firstserver:2812"></iframe>
>     <iframe src="http://secondserver:2812"></iframe>
> 
> Now when I open allMonit.html in Chrome, I see two monit interfaces. GREAT
> 
> Now if I try to, let's say, "start a service" on firstserver, I get invalid 
> CSRF.
> 
> Upon investigation I found that without the iframe the http request contains a 
> cookie header like 
> Cookie:securitytoken=6265d84a17c2715c7252c84d88a479cf
> whereas the http request from the iframe does not include a cookie header.
> 
> Upon further study, I found that since the monit http response does not contain 
> the following header
> Access-Control-Allow-Credentials: true
> the browser will not transmit the cookie back to the server.
> 
> Now the question arises:
> 
> QUESTION: How to configure monit to add an additional http header
> 
> Thanks
> Bhuvan
