
All pages vulnerable to CSRF #9

Closed
jdega33 opened this issue Oct 4, 2011 · 3 comments

Comments


jdega33 commented Oct 4, 2011

Every form in this UI is vulnerable to cross site request forgery. How can it be fixed? Is the application supposed to be automatically fixing all CSRF even in the transitive closure of plugins, via some filter/HTML modification hook? I'm new to Grails so I don't know how this is normally done (if at all).

This can trivially be fixed by wrapping every controller action in withForm.

```groovy
class SomeController {
    def someAction = {
        // do stuff
    }
}
```

becomes

```groovy
class SomeController {
    def someAction = {
        withForm {
            // do stuff
        }
    }
}
```

... then change all the GSP forms to attach the token.

```html
<g:form method="post">
```

becomes

```html
<g:form method="post" useToken="true">
```
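The withForm/useToken pattern from this thread written out as a complete Grails 2.x controller action with an explicit invalidToken branch, plus the matching view; this is an added example, not code from the issue or from the spring-security-ui project, and UserController, save, User and the view path are hypothetical names.

```groovy
// grails-app/controllers/UserController.groovy (hypothetical name)
class UserController {

    def save() {
        withForm {
            // Reached only when the submitted SYNCHRONIZER_TOKEN matches the one
            // Grails stored in the session for this form URI. The token is consumed
            // on use, so a replayed or duplicate submission ends up in invalidToken.
            def user = new User(params)
            if (!user.save(flush: true)) {
                render view: 'create', model: [user: user]
                return
            }
            flash.message = "User ${user.username} created"
            redirect action: 'show', id: user.id
        }.invalidToken {
            // Missing, stale or foreign token: a cross-site POST lands here because
            // the attacker's page cannot read the token from the victim's session.
            // Touch no data; just report and send the user back to a fresh form.
            flash.message = 'Form token missing or invalid; the request was not processed.'
            redirect action: 'create'
        }
    }
}

/*
 * grails-app/views/user/create.gsp (hypothetical path). useToken="true" makes
 * <g:form> emit the hidden SYNCHRONIZER_TOKEN and SYNCHRONIZER_URI fields that
 * withForm checks on the server side.
 *
 * <g:form action="save" method="post" useToken="true">
 *     <label for="username">Username</label>
 *     <g:textField name="username" value="${user?.username}"/>
 *     <g:submitButton name="create" value="Create"/>
 * </g:form>
 */
```

Every state-changing action has to be wrapped this way; an action left without withForm is unprotected no matter what the form tag emits, which is why the thread asks for the token on all forms and all actions.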

@virtualdogbert

I posted a suggestion of how to fix this here:
github.com//pull/20

Burt, you should fix this before your Securing Grails Applications talk at SpringOne 2GX, whether with my pull request or some variation thereof, or I might just have to go to that talk and heckle you (joking obviously).
http://www.springone2gx.com/conference/santa_clara/2013/09/session?id=29370

I'll also post this on the jira page because I don't think you see these comments as often.


edwardotis commented May 17, 2016

As of May 2016, I confirmed that the latest grails 2.x version is still wide open to this attack on all provided forms.

Looks like users should override every s2ui form they intend to use and manually apply the CSRF protection described by jdega33. More details from grails guides below:

http://docs.grails.org/2.5.x/guide/security.html#securingAgainstAttacks
http://docs.grails.org/2.5.x/guide/single.html#formtokens
and
http://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html

@ddelponte ddelponte self-assigned this Oct 10, 2017
ddelponte added a commit that referenced this issue Oct 11, 2017
• refactored `SecurityUiTagLib.form` by extracting attribute extraction logic into small, protected methods
• modified `SecurityUiTagLib.form` to support `useToken` attribute. This may be used to prevent against CSRF attacks
• modified user create form to utilize the `useToken` attribute
sdelamo added a commit that referenced this issue Oct 19, 2017
@ddelponte (Collaborator)

Code has been reviewed and manually squashed/merged into master by @sdelamo
