inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Implement XSRF for the admin #2340

Open tlaurion opened 7 years ago

tlaurion commented 7 years ago

Would it be a good way? Catalyst::Controller::RequestToken

Also, the admin session is kept alive for a day? Why is the default so high?

jrouzierinverse commented 7 years ago

Had a discussion with @tlaurion about approaches.

We came up with the following approach.

For each request in a session a token is created. This token is added to a header and sent to the client. Also the token is added to the allowed tokens for this session.

Any destructive or resource-intensive action such as update, remove, and SQL searches will require a valid session token to be placed in a header.

Reads will not require a valid token to allow a user to refresh pages and have multiple pages open.

Any destructive action will accept any token created for a session.

Each destructive request would need to add the token header via JavaScript.

Things that can or should be explored

tlaurion commented 7 years ago

General recommendation: Developers are encouraged to make use of both the JavaScript DOM Manipulation and the JSP tag library strategies for a complete token injection strategy. The JavaScript DOM Manipulation strategy is ideal as it is automated and requires minimal effort on behalf of the developer. SRC: OWASP

On using Plack middleware to fix XSRF through the DOM Manipulation strategy in Perl under Catalyst: As far as fixing this goes, I was still looking for a solution to fix this in one place. The app is big enough on JS that I wasn't about to scour for every GET and fix this manually. It turns out that jQuery has a solution for this as well, courtesy of StackOverflow: SRC: blogs.perl.org