내 커뮤니티 업적 표시줄을 확대합니다.

Submissions are now open for the 2026 Adobe Experience Maker Awards.
Apply Now

Mark Solution

활동이 없어 이 대화는 잠겼습니다. 새 게시물을 작성해 주세요.

해결됨

Question on CSRF framework ?

Avatar

Employee Advisor
Employee Advisor
16. 2. 4. 9:35:31 AM

I have a question related to protection in AEM against CSRF attacks. In AEM 6.1, CSRF framework protection was introduced which checks that all POST requests should have a valid token. The token should be passed in the request body or in the header.

As per the framework, the token is injected into the HTML form pages using granite csrf javascript. The javascript makes an AJAX call to http://localhost:4502/libs/granite/csrf/token.json to get a valid token (which has some expiration time) and then inject it into the form body. 

My question is how this makes sure that client requests are legitimate as the token URL is exposed publicly and anybody can get a new valid token and make forge requests? 

[1] https://docs.adobe.com/docs/en/aem/6-1/develop/security/csrf-protection.html

"The framework makes use of tokens to guarantee that the client request is legitimate. The tokens are generated when the form is sent to the client and validated when the form is sent back to the server."

조회 수

2.2K

답글

7
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역
1 채택된 해결책 개

Avatar

정확한 답변 작성자:
Level 2
Level 2
16. 2. 4. 12:48:42 PM

> But the token URL is publicly available (/libs/granite/csrf/token.json)

Yes. This is correct and by design.

> and an attacker can get a new token from it and submit forged requests.

But, as mentioned above, this token will be bound to the user requesting it and therefore only be valid for requests performed by the attacker (it cannot be used to CSRF another user).

> I am able to submit requests with a different user agents and with different tokens. 

This would obviously be a severe security issue, but I'm not able to reproduce this behavior. Using the CSRF token I seem only to be able to POST as the user that requested the token. 

Do you test with a browser or with curl (note that curl is considered a 'safe' user-agent)? Do you test with two different user-accounts?

If you found a way to circumvent the CSRF protection framework, please contct PSIRT (https://helpx.adobe.com/security/alertus.html) and provide detailed reproduction steps and configurations.

Thanks!

원본 게시물의 솔루션 보기

조회 수

1.5K

답글

0
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역
답변으로 이동
7 답변 개

Avatar

Level 10
Level 10
16. 2. 4. 11:54:45 AM

I sent this question to some of our ENg members. 

조회 수

1.5K

답글

0
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역

Avatar

Level 2
Level 2
16. 2. 4. 12:06:25 PM

Hello kunal23

The CSRF token is bound to the user who requested it and will only be valid to perform POSTs for that user. An attacker cannot get a token for another user and therefore cannot make forged requests on that user's behalf.

 

Best greetings

Lars

조회 수

1.5K

답글

0
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역

Avatar

Employee Advisor
Employee Advisor
16. 2. 4. 12:10:26 PM

Thanks Lars. But the token URL is publicly available (/libs/granite/csrf/token.json ) and an attacker can get a new token from it and submit forged requests.  I am able to submit requests with a different user agents and with different tokens. 

조회 수

1.5K

답글

0
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역

Avatar

Level 10
Level 10
16. 2. 4. 12:36:03 PM

Is that data showing up on a public domain where an attacker can access? 

조회 수

1.5K

답글

0
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역

Avatar

정확한 답변 작성자:
Level 2
Level 2
16. 2. 4. 12:48:42 PM

> But the token URL is publicly available (/libs/granite/csrf/token.json)

Yes. This is correct and by design.

> and an attacker can get a new token from it and submit forged requests.

But, as mentioned above, this token will be bound to the user requesting it and therefore only be valid for requests performed by the attacker (it cannot be used to CSRF another user).

> I am able to submit requests with a different user agents and with different tokens. 

This would obviously be a severe security issue, but I'm not able to reproduce this behavior. Using the CSRF token I seem only to be able to POST as the user that requested the token. 

Do you test with a browser or with curl (note that curl is considered a 'safe' user-agent)? Do you test with two different user-accounts?

If you found a way to circumvent the CSRF protection framework, please contct PSIRT (https://helpx.adobe.com/security/alertus.html) and provide detailed reproduction steps and configurations.

Thanks!

조회 수

1.5K

답글

0
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역
답변으로 이동

Avatar

Employee
Employee
16. 2. 4. 1:06:29 PM

Hi Kunal,

CSRF is only required for authenticated users, are you sure the URL you are posting to requires authentication? If it is not, then the CSRF token will be ignored. Can you share the URL you are posting to?

Regards,

Opkar

조회 수

1.5K

답글

0
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역

Avatar

Employee Advisor
Employee Advisor
16. 2. 4. 1:33:38 PM

Yes I was referring to the unauthenticated users.

Suppose I have a donation form on a page and I want all people to donate money without authentication then how can I prevent CSRF in such a scenario ? Is CSRF really required here ? As per the following thread CSRF protection is indeed required for such use cases - http://security.stackexchange.com/questions/85886/csrf-protection-for-unauthenticated-requests-actio...

조회 수

1.6K

답글

0
이 콘텐츠를 좋아요 표시하려면 로그인하십시오

좋아요 수

번역
번역
관련 대화
How to mock/unit test a Sling filter that does a redirect? (and other questions) Solved

조회 수

67

Likes

0

답글

2
Uncertainty on How to Use Experience Fragments on an Angular Site Solved

조회 수

952

Likes

0

답글

3
AEM65 installation on Azure cloud Solved

조회 수

537

Likes

0

답글

1
Impact on Dispatcher cache when 10k pages are deleted

조회 수

280

Likes

0

답글

5
AEMaaCS - How to remove default Cache-Control on HTML responses?

조회 수

405

Likes

0

답글

3