[Owncloud] Cross-site request forgery protection

Florian Rüchel florian.ruechel at googlemail.com
Sat Jun 9 15:19:39 UTC 2012 

Hi Frank,

the same thing Tom wrote I also wanted to give you. And I want to
announce myself as a volunteer on the implementation.

I am a student of IT-Security and I have worked to some degree on
protection (or discovering unprotected calls) so I could be of some help.

I will get back to you as soon as I have gathered more details on this,
though my time is limited right now.

Regards,
Florian

On 09.06.2012 15:51, Thomas Müller wrote:
> FYI: 
> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
> 
> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
> 
> https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
> 
> https://github.com/foxbunny/CSRF4PHP
> 
> Tom
> 
> 
> 
> Frank Karlitschek <frank at owncloud.org> schrieb:
> 
>>
>> On 08.06.2012, at 20:47, Matthew Dawson <matthew at mjdsystems.ca> wrote:
>>
>>> On June 8, 2012 04:42:22 PM Frank Karlitschek wrote:
>>>> Hi everybody,
>>>>
>>>> we have to do something in ownCloud against the CSRF thread. We have some
>>>> protection in some areas already but I think we need a general solution
>>>> here. We have to check if a GET request, form POST or Ajax request really
>>>> comes from the user and ownCloud itself or if it was triggered by an evil
>>>> JS script of flash applet from an remote site.
>>>>
>>>> Read here for more information:
>>>> http://en.wikipedia.org/wiki/Cross-site_request_forgery
>>> Sounds good!  Remember though, CSRF's are blind (as mentioned in the wiki 
>>> article) so it only matters for requests with side-effects (ie 
>>> creating/modifying/deleting data).  A simple request to get information isn't 
>>> important.
>>
>> True.
>>
>>>
>>>>
>>>> I thought about simpler solutions but they all have problems so I think we
>>>> have to do the real thing which means a lot of changes in ownCloud.
>>> Well true, maybe there could be some generic measures taken to help protect 
>>> against simple mistakes?  Things like checking the Referrer header would help 
>>> prevent several drive-by attacks (ie using images).  Its not perfect, but it 
>>> would be a good to have for "defence in depth".
>>
>> I played with this idea too. The problem is that the referrer can be faked if
>> the attack comes from a flash applet.
>>
>>>
>>>>
>>>>
>>>> We have to register every possible ajax call or form submit or button press
>>>> on the page where this call could happen with a special function. This
>>>> functions returns a token. This token has to be included in the GET or POST
>>>> request.
>>> <snip functions>
>>> Looks good.  It would work for the base pieces.  It might be nice to add one 
>>> other function to easily output a hidden input element with the name/value 
>>> set, to allow easy integration.
>>
>> good idea.
>> This depends on the way it is integrated. It´s sometimes in JS, sometimes in a template, ..
>> So I´m mot sure if it´s worth the effort.
>>
>>>
>>>>
>>>> Opinions? Does this make sense?
>>> I haven't looked at OwnCloud's ajax system, so I'm sorry if this isn't easily 
>>> implemented, but the javascript double-cookie check (mentioned in the 
>>> Wikipedia article) would be good to use too.  If you can intercept the ajax 
>>> outgoing calls, you can restash the PHP session id into the request as a 
>>> get/post parameter, and then re-check that the session is correct.  This could 
>>> be largely automated, making the protection that much more effective.
>>>
>>
>> Hmm. not sure I understood this completely. I think the only really save way is to store the token in the session and also transmit it via GET/POST and compare it after the request.
>>
>>
>> I added two helper calls.
>> https://gitorious.org/owncloud/owncloud/commit/344299a074e135140262d051531f723be69c786f
>>
>> Does this make sense?
>>
>> Feedback is very welcome. And help to port the existing ajax call of course. ;-)
>>
>>
>> Frank
>>
>>
>> _______________________________________________
>> Owncloud mailing list
>> Owncloud at kde.org
>> https://mail.kde.org/mailman/listinfo/owncloud
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud

More information about the Owncloud mailing list