
Added CSRF protection to the togglz console #495

Merged
merged 1 commit into from Jan 12, 2021

Conversation

JoeBeeton
Contributor

Added CSRF protection to the togglz console via a CSRF token passed between the server and the client. This remediates the vulnerability CVE-2020-28191 by blocking CSRF attacks, as the attacker will not be able to guess the CSRF token value.

This has been implemented with either the session timeout of the application the togglz console is embedded in, or, if no user session is available, a default 10-minute timeout for the CSRF token.
This CSRF token does not interfere with either OWASP's CSRFGuard or Spring Security's CSRF protection if they are used within the application.

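As an added illustration of the synchronizer-token scheme the description outlines (this is not togglz's code; the session id, the `csrf_token` form field, the `handle_toggle` endpoint and the injectable clock are assumptions), the server issues an unguessable token per session, expires it with the session timeout or a 10-minute default, and rejects a state-changing POST that does not present the matching value:

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Fallback lifetime when the host application exposes no session timeout
DEFAULT_TOKEN_TTL_SECONDS = 10 * 60

REJECTED = "CSRF token missing, expired or invalid"


@dataclass
class CsrfToken:
    value: str
    expires_at: float


class CsrfTokenStore:
    """Server-side store of one CSRF token per session (synchronizer-token pattern).

    Hypothetical helper, not togglz's own API. The token lifetime follows the
    session timeout when the host application supplies one, otherwise it falls
    back to 10 minutes, mirroring the behaviour described in the PR text.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised deterministically
        self._tokens: dict[str, CsrfToken] = {}

    def issue(self, session_id: str, session_timeout_seconds: Optional[int] = None) -> str:
        ttl = session_timeout_seconds if session_timeout_seconds else DEFAULT_TOKEN_TTL_SECONDS
        # 256 bits from the OS CSPRNG: a cross-site attacker cannot guess this value
        value = secrets.token_urlsafe(32)
        self._tokens[session_id] = CsrfToken(value, self._clock() + ttl)
        return value

    def validate(self, session_id: str, presented: Optional[str]) -> bool:
        stored = self._tokens.get(session_id)
        if stored is None or presented is None:
            return False
        if self._clock() > stored.expires_at:
            self._tokens.pop(session_id, None)  # expired: the next page render must re-issue
            return False
        # Constant-time comparison on bytes so the token cannot be recovered via timing
        return hmac.compare_digest(stored.value.encode(), presented.encode())


def render_form(token: str, feature: str) -> str:
    """The token travels to the browser as a hidden field in the console's own form."""
    return (
        '<form method="post" action="/togglz/toggle">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        f'<input type="hidden" name="feature" value="{feature}">'
        "</form>"
    )


def handle_toggle(store: CsrfTokenStore, session_id: str, form: dict) -> tuple[int, str]:
    """Hypothetical state-changing endpoint: honoured only when the POSTed token
    matches the one issued to this session. The session cookie alone is not enough."""
    if not store.validate(session_id, form.get("csrf_token")):
        return 403, REJECTED
    return 200, f"toggled {form.get('feature')}"


class FakeClock:
    """Constructed clock so the example runs offline and expiry is reproducible."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> list[tuple[int, str]]:
    clock = FakeClock(1_000.0)
    store = CsrfTokenStore(clock)
    sid = "JSESSIONID-constructed"        # constructed session id
    token = store.issue(sid)              # no session timeout known -> 10-minute TTL
    form = {"feature": "NEW_CHECKOUT"}    # constructed request body
    results = []
    # 1. legitimate submission from the console page carries the hidden token
    results.append(handle_toggle(store, sid, {**form, "csrf_token": token}))
    # 2. forged cross-site POST: the browser attaches the cookie, but the attacker has no token
    results.append(handle_toggle(store, sid, form))
    # 3. guessed token of the right length still fails
    results.append(handle_toggle(store, sid, {**form, "csrf_token": "A" * len(token)}))
    # 4. the real token is refused once the default 10-minute window has passed
    clock.now += DEFAULT_TOKEN_TTL_SECONDS + 1
    results.append(handle_toggle(store, sid, {**form, "csrf_token": token}))
    return results
```

Because the token lives in a field name of its own and is checked only by this endpoint, it coexists with a filter-based protection such as CSRFGuard or Spring Security's, which inspect their own parameter or header; a forged request must satisfy every layer that is enabled.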
@bennetelli
Member

@JoeBeeton many thanks for your Pull Request. I still had it on my list to merge your commits, but I wanted to fix the bug in the togglz actuator endpoint and release it first.

@bennetelli bennetelli merged commit ed66e3f into togglz:master Jan 12, 2021
1 check passed
@JoeBeeton
Contributor Author

No problem. Let me know when you cut a new release containing the above fix and I'll make the CVEs public. Thank you very much for your help.

@bennetelli
Member

@JoeBeeton I already released it. It's part of togglz 2.9.4. You can make it public if you want.
Thank you very much for getting in contact with me, for all the mails and also for your implementation :-)
