[Owncloud] Cross-site request forgery protection

Matthew Dawson matthew at mjdsystems.ca
Fri Jun 8 18:47:44 UTC 2012


On June 8, 2012 04:42:22 PM Frank Karlitschek wrote:
> Hi everybody,
> 
> we have to do something in ownCloud against the CSRF threat. We have some
> protection in some areas already but I think we need a general solution
> here. We have to check if a GET request, form POST or Ajax request really
> comes from the user and ownCloud itself or if it was triggered by an evil
> JS script or flash applet from a remote site.
> 
> Read here for more information:
> http://en.wikipedia.org/wiki/Cross-site_request_forgery
Sounds good!  Remember though, CSRFs are blind (as mentioned in the wiki article), so it only matters for requests with side effects (i.e. creating/modifying/deleting data).  A simple request to get information isn't important.

> 
> I thought about simpler solutions but they all have problems so I think we
> have to do the real thing which means a lot of changes in ownCloud.
Well, true, but maybe there could be some generic measures taken to help protect against simple mistakes?  Things like checking the Referrer header would help prevent several drive-by attacks (i.e. using images).  It's not perfect, but it would be good to have for "defence in depth".

> 
> 
> We have to register every possible ajax call or form submit or button press
> on the page where this call could happen with a special function. This
> function returns a token. This token has to be included in the GET or POST
> request.
<snip functions>
Looks good.  It would work for the base pieces.  It might be nice to add one other function to easily output a hidden input element with the name/value set, to allow easy integration.

> 
> Opinions? Does this make sense?
I haven't looked at OwnCloud's ajax system, so I'm sorry if this isn't easily implemented, but the JavaScript double-cookie check (mentioned in the Wikipedia article) would be good to use too.  If you can intercept the outgoing ajax calls, you can restash the PHP session id into the request as a get/post parameter, and then re-check that the session is correct.  This could be largely automated, making the protection that much more effective.

Matthew
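Added here as an illustration of the two measures discussed in the thread (this is not ownCloud's code, and it is written in Python rather than the project's PHP): a per-session token issued once and echoed through a hidden-input helper, checked with a constant-time comparison on every request that has side effects, with the Referer check kept only as a second layer. The session dict, header dict, host name and the `requesttoken` field name are constructed stand-ins.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

TOKEN_FIELD = "requesttoken"  # assumed name of the hidden input / Ajax parameter


def issue_token(session: dict) -> str:
    """Create the per-session CSRF token on first use; return the same one after."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
    return session["csrf_token"]


def hidden_input(session: dict) -> str:
    """Helper suggested in the reply: emit a ready-made hidden form field."""
    return (f'<input type="hidden" name="{html.escape(TOKEN_FIELD)}" '
            f'value="{html.escape(issue_token(session))}">')


def token_is_valid(session: dict, submitted) -> bool:
    """Constant-time compare so response timing leaks nothing about the token."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def referer_is_local(headers: dict, own_host: str) -> bool:
    """Defence-in-depth check: the Referer must name this host (host[:port]).
    A missing Referer is rejected; browsers and proxies may strip it, which is
    why this complements the token instead of replacing it."""
    ref = headers.get("Referer")
    if not ref:
        return False
    return urlsplit(ref).netloc.lower() == own_host.lower()


def authorize_request(session, params, headers, own_host, has_side_effects) -> bool:
    """Only requests with side effects need the checks; read-only ones pass."""
    if not has_side_effects:
        return True
    return (token_is_valid(session, params.get(TOKEN_FIELD))
            and referer_is_local(headers, own_host))
```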