
Page 1: Cross Site Request Forgery Problem Summary Scott Malabarba, IBM

© 2011 IBM Corporation

Industry Solutions

Cross Site Request Forgery Problem Summary
Scott Malabarba, IBM

Page 2: What is CSRF/cross site request forgery?

• Malicious browser script exploits user's authenticated session to access target application

Modify or destroy data with form POST

Read confidential data. Browsers restrict but do not entirely prevent cross-site GET.

• Other “flavors” such as login CSRF are less applicable to CMIS

• (Very) basic demo...

Page 3: I'm authenticated on the target server

Page 4: Basic cross-domain form POST to target application

Different origin server

Page 5: Response with secret token check OFF: form endpoint is unprotected

Page 6: CSRF Defenses

• Some common defenses are not feasible in the CMIS browser binding

e.g. requiring a custom header on form posts

• Secret token: with each POST/GET, client must submit a token that is known only to the client and server

Can be cryptographically signed and include specific information such as target URL and session ID
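As an added example (not code from the slides or from any CMIS implementation), the following Python sketches the secret-token check described above: the server mints an HMAC-signed token that is bound to the session ID and the target URL, and every form POST must carry it. A cross-site POST rides the victim's session cookie but cannot read the token, so with the check ON it is rejected. The SERVER_KEY, the function names, the one-hour token lifetime and the request dictionaries are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed signing key for the illustration; a real repository would load a
# persistent key from protected configuration so tokens survive restarts.
SERVER_KEY = secrets.token_bytes(32)


def _canonical_target(url):
    """Normalise the target URL so the signed value ignores the query string
    and the case of scheme and host (assumed normalisation rule)."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def _payload(session_id, target_url, issued_at):
    # The token binds three things: who (session), where (target URL), when (timestamp).
    return f"{session_id}|{_canonical_target(target_url)}|{issued_at}".encode()


def issue_token(session_id, target_url, issued_at=None, key=SERVER_KEY):
    """Mint a token for this session and target URL; format is '<timestamp>.<hex HMAC>'."""
    issued_at = int(issued_at if issued_at is not None else time.time())
    sig = hmac.new(key, _payload(session_id, target_url, issued_at), hashlib.sha256).hexdigest()
    return f"{issued_at}.{sig}"


def verify_token(token, session_id, target_url, now=None, max_age=3600, key=SERVER_KEY):
    """Return True only if the token was minted by us for this session and URL
    and is not older than max_age seconds (assumed one-hour lifetime)."""
    if not token or "." not in token:
        return False
    ts_str, sig = token.split(".", 1)
    if not ts_str.isdigit():
        return False
    issued_at = int(ts_str)
    now = int(now if now is not None else time.time())
    if issued_at > now or now - issued_at > max_age:
        return False
    expected = hmac.new(key, _payload(session_id, target_url, issued_at), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    return hmac.compare_digest(sig, expected)


def handle_form_post(request, session_id, check_tokens=True, now=None):
    """Simulated form endpoint from the slides. `session_id` is what the server
    recovered from the session cookie the browser attached automatically;
    `request` is a constructed dict with the posted 'url' and optional 'token'.
    Returns an HTTP-style status: 200 accepted, 403 rejected."""
    if check_tokens and not verify_token(request.get("token"), session_id, request["url"], now=now):
        return 403
    return 200


if __name__ == "__main__":
    url = "https://repo.example/cmis/root"  # constructed target URL
    # Legitimate client: obtained the token through an authenticated channel.
    good = issue_token("sess-1", url)
    print("legit POST with token:", handle_form_post({"url": url, "token": good}, "sess-1"))
    # Cross-site form: the browser sends the cookie, but the attacker page has no token.
    print("cross-site POST, check OFF:", handle_form_post({"url": url}, "sess-1", check_tokens=False))
    print("cross-site POST, check ON: ", handle_form_post({"url": url}, "sess-1"))
```

Binding the token to the session and to the target URL is what makes a token captured for one user or one endpoint useless elsewhere; the timestamp limits how long a leaked token stays valid. The check only helps if the token itself reaches the client over a channel a cross-site page cannot read, which is the problem the next slides take up.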

Page 7: Response with secret token check ON

Page 8: How to transfer the token securely?

• Some common methods do not apply in CMIS use case

e.g. server inserts token directly into generated form HTML

• Too easy to work around the browser restriction on cross-site GET

• Option 1: Can safely return token from an authentication call

Client can store token in, e.g., a cookie

Problematic when SSO is enabled or CMIS repo delegates authentication to a container

• Option 2: IFRAME postMessage() technique