CSRF vulnerability, again

Question

CSRF vulnerability, again

berdario opened this issue 8 years ago · 5 comments

I'm afraid that the issue hasn't been fixed properly. I realized it today after deploying your new release.

You can try: login (or simply visit in a barebone new grails application) the main app website, but DON'T visit the console. Trigger the poc I sent you the last time, and you'll see that it'll still work. After accessing the console the protection will be effective and the poc will stop working.

I suspect that the reason might be the request.getHeader('X-CSRFToken') != session['CONSOLE_CSRF_TOKEN']) check.

If the console hasn't been visited yet, there will be no CONSOLE_CSRF_TOKEN in the session, and thus both side of the equations will be null, letting the check pass.

Answer 1 · 2016-08-03T21:09:28.000Z

Is there a reason why you haven't used the builtin protection offered by Grails, btw? That's not affected by this bug

Answer 2 · 2016-08-04T12:43:46.000Z

My bad. Will be fixed in the next version. withForm is for a single form submission from a gsp, the console plugin is doing many async calls from JavaScript.

Answer 3 · 2016-08-04T12:52:44.000Z

Ok, thank you

Indeed, withForm is not a great name, but it only means that it expects the csrf tokens to be provided in the POST body (instead of via an header), as such you can use it just as well for xhr from Javascript

Answer 4 · 2016-08-04T13:11:34.000Z

I added a small comment
1edba78#commitcomment-18519584

I see that you added a fix, but you haven't closed yet this issue... I gather that there's more that you want to fix?

Answer 5 · 2016-08-06T03:25:12.000Z

I was just waiting until i had time to release. Thanks for reporting the issue