Description
HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard against cross-site request forgery attacks.
This issue tracks the integration of that filter into HBase REST gateway.
From REST section of refguide:
To delete a table, use a DELETE request with the /schema endpoint:
http://example.com:8000<table>/schema
Suppose an attacker hosts a malicious web form on a domain under his control. The form uses the DELETE action targeting a REST URL. Through social engineering, the attacker tricks an authenticated user into accessing the form and submitting it.
The browser sends the HTTP DELETE request to the REST gateway.
At REST gateway, the call is executed and user table is dropped
Attachments
Attachments
Issue Links
- is related to
-
HBASE-19741 Port CSRF prevention filter (HBASE-15187) to the HBase Thrift server
- Open