Bug 535855

Summary: VertX - CSRF Protection Bypass
Product: [RT] Vertx    Reporter: Bernard Wagner <s10156225>
Component: Core    Assignee: Security vulnerabilities reported against Eclipse projects <vulnerability.reports-inbox>
Status: NEW ---    QA Contact:
Severity: normal
Priority: P3    CC: s10156225, wayne.beaton
Version: unspecified    Keywords: security
Target Milestone: Unknown   
Hardware: PC   
OS: All   
URL: https://github.com/vert-x3/vertx-web/blob/master/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/CSRFHandlerImpl.java
Whiteboard:
Attachments: PoC Maven Project with README.md (flags: none)

Description Bernard Wagner CLA 2018-06-13 06:49:32 EDT
Created attachment 274454 [details]
PoC Maven Project with README.md

The CSRF Handler (io.vertx.ext.web.handler.impl.CSRFHandlerImpl) in Vert.x Web does not create CSRF tokens that are unique per user session. A malicious website can still perform CSRF by obtaining a valid token, adding it to an HTML form, and then submitting the form to the vulnerable web application.

The CSRF tokens do not have all the characteristics required for CSRF protection as summarised by OWASP:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Synchronizer_.28CSRF.29_Tokens

SHA256(vertx-xsrf.zip)= 96c774d75a3a1d8ae8acf6e0d8079a24dd4f0b41deb1a18b733e32cb3f47a380

The PoC attached starts two HTTP web services. The attacker web server will automatically poll the http://target.local:8888/token webpage for a valid XSRF token. If a user then navigates to http://localhost:7777 in their browser, it will render an HTML page with an iframe. The iframe will be populated with a form with a valid X-XSRF-TOKEN form attribute that is automatically submitted to http://target.local:8888/token.
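The following is an added, simplified model of the weakness the report describes and of the session-bound check it is contrasted with; it is not code from the attached PoC, and it is not the Vert.x implementation. The self-contained "salt.timestamp.mac" token layout, the server key and the 30-minute lifetime are constructed assumptions chosen only to make the point visible: a token whose validation checks integrity and age but never the caller's session is accepted from any session, so the attacker can fetch one through their own session and plant it in a form the victim's browser submits. A synchronizer token stored in the session and compared against the submitted value rejects the same replay.

```python
"""Model of a CSRF token check that is not tied to the user session, beside a
session-bound synchronizer token. Simplified example, not Vert.x code."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side key; a real deployment would load it from configuration.
SERVER_KEY = b"constructed-server-key-not-a-real-secret"
TOKEN_TTL = 30 * 60  # assumed token lifetime in seconds


def _mac(*parts: str) -> str:
    """HMAC-SHA256 over '|'-joined parts, hex encoded."""
    return hmac.new(SERVER_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()


# --- Scheme A (assumed weak design): the token carries its own salt, timestamp and
# MAC, so it can be verified without any server-side state. Nothing in it names the
# session that requested it, so one token obtained by polling /token is accepted
# on behalf of every user until it expires. This is the behaviour the report describes.
def issue_unbound_token(now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    salt = base64.urlsafe_b64encode(secrets.token_bytes(16)).decode().rstrip("=")
    ts = str(int(now))
    return f"{salt}.{ts}.{_mac(salt, ts)}"


def verify_unbound_token(token: str, _session_id: str, now: Optional[float] = None) -> bool:
    """Checks only integrity and age; the submitting session is ignored."""
    now = time.time() if now is None else now
    try:
        salt, ts, mac = token.split(".")
    except ValueError:
        return False
    if not hmac.compare_digest(mac, _mac(salt, ts)):
        return False
    return 0 <= now - int(ts) <= TOKEN_TTL


# --- Scheme B (OWASP synchronizer token): the random token lives in the session
# and the submitted value must match it, so a token fetched through the attacker's
# session cannot satisfy the check in the victim's session.
class Session:
    def __init__(self) -> None:
        self.id = secrets.token_hex(16)
        self.csrf_token: Optional[str] = None


def issue_bound_token(session: Session) -> str:
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def verify_bound_token(token: str, session: Session) -> bool:
    expected = session.csrf_token
    return expected is not None and hmac.compare_digest(token, expected)


# --- Attack simulation: the attacker requests /token with their own session, then
# embeds that token in an auto-submitting form that the victim's browser posts
# with the victim's cookies. Returns True if the server accepts the forged request.
def cross_session_replay_accepted(bound: bool) -> bool:
    attacker, victim = Session(), Session()
    if bound:
        stolen = issue_bound_token(attacker)  # attacker fetches a token
        issue_bound_token(victim)             # victim has their own, different token
        return verify_bound_token(stolen, victim)
    stolen = issue_unbound_token()
    return verify_unbound_token(stolen, victim.id)


def same_session_request_accepted(bound: bool) -> bool:
    """Control case: a legitimate submission from the session that fetched the token."""
    user = Session()
    if bound:
        return verify_bound_token(issue_bound_token(user), user)
    return verify_unbound_token(issue_unbound_token(), user.id)


if __name__ == "__main__":
    print("unbound token, cross-session replay accepted:", cross_session_replay_accepted(False))
    print("bound token,   cross-session replay accepted:", cross_session_replay_accepted(True))
```

The unbound scheme is not broken cryptographically: the MAC still rejects tampered tokens and the timestamp still enforces expiry, which is why a test that only forges tokens would pass. The missing property is the per-session binding from the OWASP cheat sheet the report cites, and only a two-session test exposes it.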