OWASP CSRFGuard is vulnerable to CVE-2021-28490 #23
Comments
To be honest I wasn't aware of this CVE, I wonder where it has been reported, but in any case, I don't agree with the severity. Will try to get in touch with the person who reported it, but just to clarify some things:
That being said, in order to bypass these validations, you would need to have a severe XSS vulnerability within your application and probably incorrect CSP/CORS rules in order to exploit this, in which case you have bigger problems than CSRF. Not having XSS vulnerabilities is a prerequisite for every CSRF protection (that I know).
Quoting from the OWASP CSRF Prevention Cheat Sheet:
Hi Ray - We verified with a vendor that uses CSRFGuard that it is in fact vulnerable. Exploiting does not require that your application has any XSS -- just visiting a malicious page in another browser tab is enough to exploit the issue. This scenario does require that a victim is 1) logged in to your application and 2) is visiting a malicious page which can be hosted on an entirely different webserver. If you'd like a working proof of concept exploit for your application, I'd be happy to build you one (poc must be tailored to your application unfortunately -- what URL actually serves up the CSRFGuard token may be configured by you and an exploit must know what that URL is). Please reach out if you're interested. Reid
Hello, In the following link https://github.com/reidmefirst/vuln-disclosure/blob/main/2021-01.txt the author wrote this: That's not true. He never contacted me or informed me via GitHub.
The test application within this repository can be used for demonstrating your PoC. I've added steps for building the application: https://github.com/OWASP/www-project-csrfguard#building-the-code Note:
If you manage to manipulate the Thanks.
Hello @forgedhallpass How can I check exploitability for my webapp? General guidelines to exploit would help to see if my app is safe or not from this vulnerability.
Hello @prashantkadam12, I don't think there is a vulnerability. I've provided the steps for @reidmefirst above so that he can also do his testing, and then we'll see whether there is an issue or not.
Hello @forgedhallpass Any further updates on this? Have we concluded on whether this is a vulnerability (for both versions 3.1.0 / 4.0)? Is it exploitable in the real world? Would upgrading to 4.0 safeguard the application from this vulnerability?
Hello @prashantkadam12 I will be providing a detailed description sometime in the future, but in short, an attack is only possible if there are multiple misconfigurations in place, combined with social engineering. E.g. if the user is tricked into downloading an HTML file, uses Internet Explorer, disregards the warning about running executable content, is logged into the target application in the same browser and the application is deployed on his machine OR the application has unsafe CORS configuration or CORS is enabled from the browser via (mis)configuration. Even this way, if CSRF Guard is correctly configured, writing an exploit is far from trivial. In the end I believe the probability of all these stars (and not just these) aligning reduces the overall severity to LOW. Besides, using browsers with insecure configuration and exploitation with social engineering is not a vulnerability in CSRF Guard.
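An added example, not code from this thread or from the CSRFGuard project: a small Python checker for the "unsafe CORS configuration" precondition named in the comment above. It classifies a token-serving endpoint's response headers the way a browser would judge a credentialed cross-origin read from a given request origin, and flags the two grants that let a foreign page read a cookie-authenticated response: an echoed (reflected) untrusted origin with credentials, and origin `null` (what a locally opened HTML file or sandboxed frame carries) with credentials. The header sets, the origins and the `https://app.example` allowlist are constructed samples; `classify_cors` and `audit_token_endpoint` are names chosen here, not project APIs.

```python
from typing import Dict, FrozenSet, Mapping, Tuple

# Verdicts that let a foreign page read a cookie-authenticated response body.
UNSAFE_VERDICTS = frozenset({
    "reflected_origin_with_credentials",
    "null_origin_with_credentials",
})


def classify_cors(headers: Mapping[str, str], request_origin: str,
                  trusted_origins: FrozenSet[str] = frozenset()) -> str:
    """Classify one response as a browser would for a credentialed cross-origin
    read (e.g. fetch with credentials: 'include') issued from request_origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return "no_cors_grant"                 # browser blocks the read entirely
    if acao == "*":
        # A wildcard grant is never honoured for credentialed requests, so a
        # cookie-authenticated body is not readable through it.
        return "wildcard_no_credentials"
    if acao != request_origin:
        return "origin_mismatch_blocked"       # grant names some other origin
    if not credentials:
        return "origin_granted_no_credentials" # readable only without cookies
    if acao == "null":
        # file:// pages and sandboxed iframes send Origin: null; granting it
        # with credentials lets such a page read the logged-in user's response.
        return "null_origin_with_credentials"
    if acao in trusted_origins:
        return "allowlisted_origin_with_credentials"
    return "reflected_origin_with_credentials"


def audit_token_endpoint(samples: Mapping[str, Tuple[str, Mapping[str, str]]],
                         trusted_origins: FrozenSet[str]) -> Dict[str, str]:
    """Return {sample_name: verdict} for every sample whose grant is unsafe."""
    findings = {}
    for name, (origin, headers) in samples.items():
        verdict = classify_cors(headers, origin, trusted_origins)
        if verdict in UNSAFE_VERDICTS:
            findings[name] = verdict
    return findings


# Constructed samples: what a token-serving URL might answer to a probe from an
# origin that is NOT on the application's allowlist, and from origin null.
TRUSTED = frozenset({"https://app.example"})
PROBE = "https://untrusted.example"
SAMPLES = {
    "no_cors": (PROBE, {"Content-Type": "application/json"}),
    "wildcard": (PROBE, {"Access-Control-Allow-Origin": "*"}),
    "reflected": (PROBE, {"Access-Control-Allow-Origin": PROBE,
                          "Access-Control-Allow-Credentials": "true"}),
    "null_origin": ("null", {"Access-Control-Allow-Origin": "null",
                             "Access-Control-Allow-Credentials": "true"}),
    "allowlisted": ("https://app.example",
                    {"Access-Control-Allow-Origin": "https://app.example",
                     "Access-Control-Allow-Credentials": "true"}),
}

if __name__ == "__main__":
    for name, verdict in audit_token_endpoint(SAMPLES, TRUSTED).items():
        print(f"{name}: {verdict}")
```

Only the "reflected" and "null_origin" samples are reported; the wildcard and no-CORS cases are left alone because browsers refuse to expose a credentialed response through them. Run the same classification against the real URL that serves the token, probing from an origin you do not trust, to confirm the server allowlists rather than echoes the `Origin` header.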
Hello @forgedhallpass, do you still plan to provide a detailed description please?
@Alexander-Shevchenko will do when I have enough time. The short version you can see above. The CVE's severity rating is not correctly assessed (bloated). You can find other sites (e.g. https://security.snyk.io/vuln/SNYK-JAVA-ORGOWASP-1912877, https://vuldb.com/?id.181209) where the same CVE has Low or Medium (but even the Medium is an overstatement) severity. In the meantime I've released the
Even though (as previously mentioned) this is a very special corner-case scenario with a LOW severity, I've modified the default behavior of CSRFGuard not to serve content to Internet Explorer by default anymore. See #101 for reference.
We make use of CSRFGuard version 4.0.0 in our applications but security scanning tools are reporting it is vulnerable to the following High severity CVE:
https://nvd.nist.gov/vuln/detail/CVE-2021-28490
With a score of 8.8 this looks like something that would need to be investigated/fixed, or is there any good workaround or mitigation for this issue that you can recommend?