archives/extend/2013-April/000110.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
 <HEAD>
   <TITLE> [99s-extend] Reading body_qs multiple times
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Reading%20body_qs%20multiple%20times&In-Reply-To=%3CCAJ0zLRPYmtXEMd6G78D5Dc9-ebrdRzxyWmVHnzGE%3DYrH%2BhA6fg%40mail.gmail.com%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <style type="text/css">
       pre {
           white-space: pre-wrap;       /* css-2.1, curent FF, Opera, Safari */
           }
   </style>
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="000109.html">
   <LINK REL="Next"  HREF="000111.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[99s-extend] Reading body_qs multiple times</H1>
    <B>rambocoder</B> 
    <A HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Reading%20body_qs%20multiple%20times&In-Reply-To=%3CCAJ0zLRPYmtXEMd6G78D5Dc9-ebrdRzxyWmVHnzGE%3DYrH%2BhA6fg%40mail.gmail.com%3E"
       TITLE="[99s-extend] Reading body_qs multiple times">erlang at rambocoder.com
       </A><BR>
    <I>Tue Apr 16 02:13:44 CEST 2013</I>
    <P><UL>
        <LI>Previous message: <A HREF="000109.html">[99s-extend] Reading body_qs multiple times
</A></li>
        <LI>Next message: <A HREF="000111.html">[99s-extend] Reading body_qs multiple times
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#110">[ date ]</a>
              <a href="thread.html#110">[ thread ]</a>
              <a href="subject.html#110">[ subject ]</a>
              <a href="author.html#110">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Loic,

After giving the CSRF middleware some thought and reading
<A HREF="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF">https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF</A>)_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL
I
came to conclusion that it is best to just not create the middleware and
instead deal with CSRF on as needed basis.

I know that node's Connect middleware
<A HREF="http://www.senchalabs.org/connect/csrf.html#defaultValue">http://www.senchalabs.org/connect/csrf.html#defaultValue</A> for example allows
for the csrf token to be passed as a query string parameter, however, the
OWASP article made me think that it is not the most secure approach.

For example, AngularJS <A HREF="http://docs.angularjs.org/api/ng.$http">http://docs.angularjs.org/api/ng.$http</A> has a section
on how their AJAX component behaves to do CSRF out of the box, and they are
talking about the server sending a cookie XSRF-TOKEN that is not HttpOnly.
That makes me realize that csrf is a process more than just slapping some
middleware into the pipeline.

Btw, I noticed that when the result of the middleware execute function is:
{error, StatusCode, Req}
if I set the reply on the request via cowboy_req:reply before returning the
{error.. , the status code of that reply will be used.

Such as:
{ok, Req3} = cowboy_req:reply(403, [], &quot;Invalid CSRF Token.&quot;, Req2),
{error, 500, Req3}; % 500 is ignored, 403 is returned

Is that by design?

Sincerely,

rambocoder


On Mon, Apr 15, 2013 at 4:47 PM, Lo&#239;c Hoguin &lt;<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>&gt; wrote:

&gt;<i> Why not just put the token in the URL instead? if it's CSRF then it's
</I>&gt;<i> probably used only once and only for POST and the like, so not cached or
</I>&gt;<i> anything.
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> On 04/15/2013 10:45 PM, rambocoder wrote:
</I>&gt;<i>
</I>&gt;&gt;<i> Hello group,
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> I am trying to put together a CSRF middleware
</I>&gt;&gt;<i> <A HREF="https://github.com/rambocoder/**stable/commit/**">https://github.com/rambocoder/**stable/commit/**</A>
</I>&gt;&gt;<i> b26980d292ac42aadfe9921a961436**e28cdbb693&lt;<A HREF="https://github.com/rambocoder/stable/commit/b26980d292ac42aadfe9921a961436e28cdbb693">https://github.com/rambocoder/stable/commit/b26980d292ac42aadfe9921a961436e28cdbb693</A>&gt;and
</I>&gt;&gt;<i> if the body of the request contains &quot;_csrf&quot; token, I check to make sure
</I>&gt;&gt;<i> it matches the csrf token in the session.
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> Currently I am doing it in middleware using cowboy_req:body_qs/1 however
</I>&gt;&gt;<i> when in the handler I need to read another body parameter, such as in
</I>&gt;&gt;<i> the rest_pastebin example:
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> {ok, BodyQs, Req3} = cowboy_req:body_qs(Req),
</I>&gt;&gt;<i> Paste = proplists:get_value(&lt;&lt;&quot;paste&quot;&gt;**&gt;, BodyQs),
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> cowboy_req:body_qs/1 returns [] due to the body of the request being
</I>&gt;&gt;<i> already read {body_state,done}
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> Is it pointless to have the type of CSRF middleware that I am writing
</I>&gt;&gt;<i> and just do the CSRF in the handler's callback, where I can deal with
</I>&gt;&gt;<i> all the body_qs at once?
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> Thank you,
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> rambocoder
</I>&gt;&gt;<i>
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> ______________________________**_________________
</I>&gt;&gt;<i> Extend mailing list
</I>&gt;&gt;<i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A>
</I>&gt;&gt;<i> <A HREF="http://lists.ninenines.eu:81/**listinfo/extend&lt;http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/**listinfo/extend&lt;http://lists.ninenines.eu:81/listinfo/extend</A>&gt;
</I>&gt;&gt;<i>
</I>&gt;&gt;<i>
</I>&gt;<i>
</I>&gt;<i> --
</I>&gt;<i> Lo&#271;c Hoguin
</I>&gt;<i> Erlang Cowboy
</I>&gt;<i> Nine Nines
</I>&gt;<i> <A HREF="http://ninenines.eu">http://ninenines.eu</A>
</I>&gt;<i>
</I>&gt;<i>
</I>-------------- next part --------------
An HTML attachment was scrubbed...
URL: &lt;<A HREF="http://lists.ninenines.eu/archives/extend/attachments/20130415/59aaeef2/attachment.html">http://lists.ninenines.eu/archives/extend/attachments/20130415/59aaeef2/attachment.html</A>&gt;
</PRE>

<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="000109.html">[99s-extend] Reading body_qs multiple times
</A></li>
	<LI>Next message: <A HREF="000111.html">[99s-extend] Reading body_qs multiple times
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#110">[ date ]</a>
              <a href="thread.html#110">[ thread ]</a>
              <a href="subject.html#110">[ subject ]</a>
              <a href="author.html#110">[ author ]</a>
         </LI>
       </UL>

<hr>
<a href="https://lists.ninenines.eu/listinfo/extend">More information about the Extend
mailing list</a><br>
</body></html>