Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋
Bug description
In JupyterHub's Admin panel, the _xsrf token is not working for add/delete user features.
The current mechanism to protect the add/delete user features against CSRF attacks relies solely on checking the Referer header value.
Although the current Referer header examination seems strict enough, it could still be bypassed if a user is fooled into installing a malicious browser plugin or if there exist any escape techniques.
Expected behaviour
Implement anti-CSRF techniques like Double Submit Cookie, so that JupyterHub could prevent CSRF attacks.
Actual behaviour
Even if the _xsrf token is removed, the add/delete user requests could still be accepted and processed by the server.
That could lead to a possible CSRF attack.
Screen Capture of successfully adding user without _xsrf token

Screen Capture of successfully deleting user without _xsrf token

How to reproduce
Your personal set up
OS:
Kubernetes 1.12+, Helm charts 3.0+, ubi 7.8+
Version(s):
JupyterHub 1.1.0, Python 3.8
Reference
OWASP - Cross-Site Request Forgery Prevention Cheat Sheet
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
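The Double Submit Cookie check the report asks for, as an added example that is not JupyterHub's or Tornado's code: it contrasts a Referer-only check with a token check that requires the `_xsrf` cookie to match a copy sent back in the form body or an `X-XSRFToken` header, so a request with the token stripped is refused even when the Referer looks right. The hub origin, the `Request` stand-in and the header name are assumptions for the illustration.

```python
"""Referer-only check vs. Double Submit Cookie check for state-changing
requests. Added illustration, not JupyterHub code; Request is a constructed
stand-in for a real web-framework request object."""
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlparse

HUB_ORIGIN = "https://hub.example.org"  # assumed deployment origin


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    body_args: dict = field(default_factory=dict)


def referer_ok(req: Request) -> bool:
    """Referer-only defence: accept when the Referer's origin is the hub.
    This is what the report says currently gates add/delete user."""
    ref = req.headers.get("Referer")
    if not ref:
        return False
    p = urlparse(ref)
    return f"{p.scheme}://{p.netloc}" == HUB_ORIGIN


def xsrf_ok(req: Request) -> bool:
    """Double Submit Cookie: the _xsrf cookie must equal the token the page
    echoed back in the form body or in an X-XSRFToken header. A cross-site
    page can make the browser attach the cookie but cannot read it, so it
    cannot supply the matching second copy."""
    cookie = req.cookies.get("_xsrf")
    sent = req.body_args.get("_xsrf") or req.headers.get("X-XSRFToken")
    if not cookie or not sent:
        return False
    # constant-time compare so token bytes do not leak via timing
    return hmac.compare_digest(cookie, sent)


def authorize_state_change(req: Request) -> bool:
    """Safe methods pass; unsafe ones need both the Referer and the token,
    so removing _xsrf from an add/delete user POST is now rejected."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True
    return referer_ok(req) and xsrf_ok(req)
```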