Question on CSRF framework ? | Community
Skip to main content
Kunal_Gaba_
Kunal_Gaba_
February 4, 2016
Solved

Question on CSRF framework ?

  • February 4, 2016
  • 7 replies
  • 2327 views

I have a question related to protection in AEM against CSRF attacks. In AEM 6.1, CSRF framework protection was introduced which checks that all POST requests should have a valid token. The token should be passed in the request body or in the header.

As per the framework, the token is injected into the HTML form pages using granite csrf javascript. The javascript makes an AJAX call to http://localhost:4502/libs/granite/csrf/token.json to get a valid token (which has some expiration time) and then inject it into the form body. 

My question is how this makes sure that client requests are legitimate as the token URL is exposed publicly and anybody can get a new valid token and make forge requests? 

[1] https://docs.adobe.com/docs/en/aem/6-1/develop/security/csrf-protection.html

"The framework makes use of tokens to guarantee that the client request is legitimate. The tokens are generated when the form is sent to the client and validated when the form is sent back to the server."

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by chaotic

> But the token URL is publicly available (/libs/granite/csrf/token.json)

Yes. This is correct and by design.

> and an attacker can get a new token from it and submit forged requests.

But, as mentioned above, this token will be bound to the user requesting it and therefore only be valid for requests performed by the attacker (it cannot be used to CSRF another user).

> I am able to submit requests with a different user agents and with different tokens. 

This would obviously be a severe security issue, but I'm not able to reproduce this behavior. Using the CSRF token I seem only to be able to POST as the user that requested the token. 

Do you test with a browser or with curl (note that curl is considered a 'safe' user-agent)? Do you test with two different user-accounts?

If you found a way to circumvent the CSRF protection framework, please contct PSIRT (https://helpx.adobe.com/security/alertus.html) and provide detailed reproduction steps and configurations.

Thanks!

7 replies

smacdonald2008
smacdonald2008
Level 10
February 4, 2016

I sent this question to some of our ENg members. 

C
Adobe Employee
chaoticAdobe Employee
Adobe Employee
February 4, 2016

Hello kunal23

The CSRF token is bound to the user who requested it and will only be valid to perform POSTs for that user. An attacker cannot get a token for another user and therefore cannot make forged requests on that user's behalf.

 

Best greetings

Lars

Kunal_Gaba_
Kunal_Gaba_Author
February 4, 2016

Thanks Lars. But the token URL is publicly available (/libs/granite/csrf/token.json ) and an attacker can get a new token from it and submit forged requests.  I am able to submit requests with a different user agents and with different tokens. 

smacdonald2008
smacdonald2008
Level 10
February 4, 2016

Is that data showing up on a public domain where an attacker can access? 

C
Adobe Employee
chaoticAdobe EmployeeAccepted solution
Adobe Employee
February 4, 2016

> But the token URL is publicly available (/libs/granite/csrf/token.json)

Yes. This is correct and by design.

> and an attacker can get a new token from it and submit forged requests.

But, as mentioned above, this token will be bound to the user requesting it and therefore only be valid for requests performed by the attacker (it cannot be used to CSRF another user).

> I am able to submit requests with a different user agents and with different tokens. 

This would obviously be a severe security issue, but I'm not able to reproduce this behavior. Using the CSRF token I seem only to be able to POST as the user that requested the token. 

Do you test with a browser or with curl (note that curl is considered a 'safe' user-agent)? Do you test with two different user-accounts?

If you found a way to circumvent the CSRF protection framework, please contct PSIRT (https://helpx.adobe.com/security/alertus.html) and provide detailed reproduction steps and configurations.

Thanks!

O
Adobe Employee
ogillAdobe Employee
Adobe Employee
February 4, 2016

Hi Kunal,

CSRF is only required for authenticated users, are you sure the URL you are posting to requires authentication? If it is not, then the CSRF token will be ignored. Can you share the URL you are posting to?

Regards,

Opkar

Kunal_Gaba_
Kunal_Gaba_Author
February 4, 2016

Yes I was referring to the unauthenticated users.

Suppose I have a donation form on a page and I want all people to donate money without authentication then how can I prevent CSRF in such a scenario ? Is CSRF really required here ? As per the following thread CSRF protection is indeed required for such use cases - http://security.stackexchange.com/questions/85886/csrf-protection-for-unauthenticated-requests-actions-searches-or-comments

Terms & ConditionsAccessibility statement

Loading footer...