Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: 1.0, 1.0.1, 1.0.2, 1.0.3, 1.1-alpha-1
    • Fix Version/s: None
    • Component/s: Web interface

      Description

      XSRF vulnerabilities are very hard to fix. More details on them at http://en.wikipedia.org/wiki/Cross-site_request_forgery with a key document found at http://isecpartners.com/documents/XSRF_Paper.pdf which outlines a solution.

      In short, an XSRFProtectionToken is passed in each form in a hidden variable, with the XSRFProtectionToken consisting of (pseudocode):

      hash(sessionid + actionName + sitewide_secret);

      The hash can be MD5 or SHA-1 or whatever. The important thing is that even if a user is logged on with a valid sessionId, the attacker cannot know in advance what the token will be without getting it out of an insecure browser (in which case, you have other problems). Even if the attacker gets access to a token for one action that's less security-risky (like invoking a build), they cannot then replay that token against something more risky (such as creating a new admin user).
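A worked version of the token scheme sketched in the description, added here as an example; it is not part of the original issue or of the project's own code. It assumes a site-wide secret loaded from configuration (a constructed value is embedded so the snippet runs offline), and it uses HMAC-SHA256 keyed with that secret in place of a bare hash over the concatenated string, with each component length-prefixed so that different (sessionid, actionName) pairs cannot collide on concatenation. The functions `make_token`, `verify_token`, `hidden_field` and `handle_request`, and the action names `invokeBuild` and `createAdminUser`, are hypothetical names chosen for the example. The last two calls in the demo show the property the description asks for: a token captured for a low-risk action does not replay against a higher-risk one, nor against another session.

```python
import hashlib
import hmac

# Site-wide secret. A real deployment loads this from configuration at
# startup; the value here is constructed so the example runs offline.
SITEWIDE_SECRET = b"constructed-example-secret-replace-in-production"

# Name of the hidden form field carrying the token.
FIELD_NAME = "XSRFProtectionToken"


def _encode(session_id: str, action_name: str) -> bytes:
    # Length-prefix each component so that ("ab", "c") and ("a", "bc")
    # produce different inputs; plain string concatenation would collide.
    parts = []
    for value in (session_id, action_name):
        raw = value.encode("utf-8")
        parts.append(f"{len(raw)}:".encode("ascii") + raw)
    return b"|".join(parts)


def make_token(session_id: str, action_name: str,
               secret: bytes = SITEWIDE_SECRET) -> str:
    # HMAC keyed with the site-wide secret stands in for the
    # hash(sessionid + actionName + sitewide_secret) of the description:
    # without the secret an attacker cannot compute the token in advance.
    return hmac.new(secret, _encode(session_id, action_name),
                    hashlib.sha256).hexdigest()


def verify_token(session_id: str, action_name: str, presented: str,
                 secret: bytes = SITEWIDE_SECRET) -> bool:
    expected = make_token(session_id, action_name, secret)
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(expected, presented)


def hidden_field(session_id: str, action_name: str) -> str:
    # The hidden input the server embeds in every state-changing form.
    # The token is hex, so no HTML escaping is needed for the value.
    token = make_token(session_id, action_name)
    return f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'


def handle_request(session_id: str, action_name: str, form_fields: dict) -> str:
    # Server-side check, run before the state-changing action is performed.
    token = form_fields.get(FIELD_NAME)
    if token is None or not verify_token(session_id, action_name, token):
        return "403 Forbidden: missing or invalid XSRFProtectionToken"
    return f"200 OK: performed {action_name}"


if __name__ == "__main__":
    session = "constructed-session-id-1234"
    build_token = make_token(session, "invokeBuild")
    print(hidden_field(session, "invokeBuild"))
    # Legitimate submission carries the token the server rendered.
    print(handle_request(session, "invokeBuild", {FIELD_NAME: build_token}))
    # A forged cross-site form cannot include a token it never saw.
    print(handle_request(session, "invokeBuild", {}))
    # A leaked low-risk token does not replay against a higher-risk action.
    print(handle_request(session, "createAdminUser", {FIELD_NAME: build_token}))
    # Nor does it validate for a different session.
    print(handle_request("other-session", "invokeBuild", {FIELD_NAME: build_token}))
```

The server must still run `handle_request` on every state-changing endpoint, not only the ones that render a form; a GET endpoint that performs an action has no form to carry the token and remains forgeable until it is converted to a checked POST.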

          Activity

          brettporter Brett Porter added a comment -

          can you highlight the incidences of this that you have seen?


            People

            • Assignee: brettporter Brett Porter
            • Reporter: cgruber Christian E Gruber
            • Votes: 0
            • Watchers: 0
