Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API2 failing due to CSRF check. Not correctly following cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#identifying-source-origin-via-originreferer-header #11182

Open
x00 opened this issue Sep 10, 2023 · 2 comments
Open

API2 failing due to CSRF check. Not correctly following cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#identifying-source-origin-via-originreferer-header #11182

x00 opened this issue Sep 10, 2023 · 2 comments

Comments

@x00
Copy link
Contributor

x00 commented Sep 10, 2023
edited

I don't believe you are correctly following the wording of this check as indicated by your comment in code

vanilla/library/core/class.request.php

Lines 810 to 814 in f547100

// https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
$this->hasHeader("X-Requested-With") &&
// https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Identifying_Source_Origin
$this->getHost() === parse_url($this->getHeader("Referer"), PHP_URL_HOST) &&
(!$this->hasHeader("Origin") || $this->getHost() === parse_url($this->getHeader("Origin"), PHP_URL_HOST))

I don't believe the logical steps follow what is advised in the two paragraphs (may be missing something) and also Referer header is unreliable an easily spoofed.

Result /api2/ request which are used for quote and uploads/attachments will fail as not all ajax request will have Referer header, in fact the likelihood is that they won't these days.
@x00
Copy link
Contributor Author

x00 commented Sep 10, 2023

"If the Origin header is present, verify that its value matches the
target origin. Unlike the Referer, the Origin header will be present in
HTTP requests that originate from an HTTPS URL."

"If the Origin header is not present, verify the hostname in the Referer header matches the target origin. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state, which is required to keep track of a synchronization token."

You are first checking if host matches the refer rather than first checking if the origin exists, this is the wrong way round. Of the Origin header is present you should not be checking the Referer.

@x00
Copy link
Contributor Author

x00 commented Sep 10, 2023
edited

workaround is ensure the Referrer-Policy header is set work for the check.

I think the check is technically wrong but I also made a mistake in having no-referer set

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@x00