    CSRF?

    Can anyone point me to how CSRF attacks can be avoided with SmartGWT EE?

    SmartClient version: v9.0p_2013-07-11EVAL

    Thanks,
    Chris

    #2
    No different from any other system: define validators to constrain input and if HTML-special characters are allowed, enable escaping.



      #3
      Thanks for the response. I'm not sure I understand it though.

      AFAIK, thwarting CSRF attacks requires a unique, short-lived token. Basic example usually has an html form with a hidden field that has a secure-random-token created with the page. The server then will only accept the form submit if it includes the token. And it will only accept the token one time. It forces the client (or attacker) to know something that only happens at the time the page renders.

      Do you mean that all we need in SmartGWT is good data input validation? That protects XSS and helps with CSRF but doesn't solve the same problem as the token. Is there something included automatically in SmartGWT's IDA calls that acts like the (traditional) CSRF token?



        #4
        Sorry, read the acronym wrong. See the docs for RPCManager.actionURL, it mentions CSRF specifically, and it's trivial to deal with in SmartGWT.



          #5
          Maybe I'm looking at the wrong javadoc? I don't see CSRF or XSRF here:
          http://www.smartclient.com/smartgwt/javadoc/com/smartgwt/client/rpc/RPCManager.html

          I also see this thread:
          http://forums.smartclient.com/showthread.php?t=22484&highlight=xsrf
          But I don't have the re-login issue mentioned there.

          Here's what I think I need to do.
          1. Generate an anti-CSRF token when the page containing my SmartGWT app is loaded. (store on server and client)
          2. Set RPCManager.actionURL explicitly for each call, including the token.
          3. Verify the token on the server somehow. I guess in my subclass of IDACall.

          ... I'm not sure the word "trivial" is helping me here :) ... Do you mean the token is automatically checked and I don't have to manage it myself? Or just that it's easy to put in the call once you use RPCManager.setActionURL(...)?



            #6
            We're taking a look at how the XSRF discussion got misplaced in the docs, but your steps are correct except #2: all you need is the one call to setActionURL() at page load which adds the CSRF token, and every DataSource or RPCRequest headed to the SmartGWT server will be passing the token with no further effort on your part.

            So that part - the part involving SmartGWT - is trivial. You do of course still need to add CSRF token generation and checking.



              #7
              Thanks for the help! :)

              The RPCManager javadoc shows...
              request.setActionURL("/rpcHandler.jsp");

              Do we have to put the token in as a request param?...
              request.setActionURL("/MyIDACallServlet?token=abc123");

              Or can the token be included as a POST parameter?



                #8
                It needs to be a URL parameter since not all requests are POSTs.

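The full flow that #5, #6 and #8 describe, written out as an added example. This is not Isomorphic's code and not code from the thread; it assumes the SmartGWT server servlet is reached at /MyIDACallServlet (the path used in #7), that the token travels in a query parameter named csrfToken, that the host JSP that serves the app embeds the session's token as `<script>var csrf = { token: "<%= CsrfToken.forSession(session) %>" };</script>` before the GWT module loads, and that CsrfFilter is mapped in web.xml to the same path as the IDACall servlet. Token generation and checking are the parts #6 says you still have to write yourself; the client side is the single setActionURL() call.

```java
// File: CsrfToken.java  (server side, hypothetical helper; not an Isomorphic class)
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.http.HttpSession;

public final class CsrfToken {
    private static final String SESSION_ATTR = "csrfToken";   // assumed attribute name
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, creating a fresh 256-bit one on first use.
     *  The host JSP calls this while rendering the page that loads the SmartGWT app,
     *  so the same token is stored server-side and handed to the client (step 1 in #5). */
    public static synchronized String forSession(HttpSession session) {
        String token = (String) session.getAttribute(SESSION_ATTR);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            StringBuilder hex = new StringBuilder(64);   // hex is safe in a URL without encoding
            for (byte b : raw) hex.append(String.format("%02x", b));
            token = hex.toString();
            session.setAttribute(SESSION_ATTR, token);
        }
        return token;
    }

    /** Constant-time comparison of the presented token against the session's token. */
    public static boolean matches(HttpSession session, String presented) {
        if (session == null || presented == null) return false;
        String expected = (String) session.getAttribute(SESSION_ATTR);
        if (expected == null) return false;
        return MessageDigest.isEqual(expected.getBytes(), presented.getBytes());
    }
}

// File: CsrfFilter.java  (server side, step 3 in #5: verify the token on every call)
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public final class CsrfFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getParameter() reads the query string for both GETs and POSTs, which is why
        // #8 wants the token in the URL: RPCManager does not send every request as a POST.
        String presented = http.getParameter("csrfToken");
        // getSession(false): a request without an existing session cannot have a valid token.
        if (!CsrfToken.matches(http.getSession(false), presented)) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "missing or invalid CSRF token");
            return;
        }
        chain.doFilter(req, resp);
    }
}

// File: MyApp.java  (GWT client side, step 2 as corrected in #6: one call at page load)
import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.i18n.client.Dictionary;
import com.smartgwt.client.rpc.RPCManager;

public class MyApp implements EntryPoint {
    public void onModuleLoad() {
        // Read the token the host page embedded (assumed: var csrf = { token: "..." }).
        String token = Dictionary.getDictionary("csrf").get("token");
        // Every DataSource and RPCRequest sent to the SmartGWT server now carries the
        // token in its URL; no per-request setActionURL() is needed.
        RPCManager.setActionURL("/MyIDACallServlet?csrfToken=" + token);
    }
}
```

Two design notes. The token here is per session rather than single-use, which is what #6's "one call at page load" implies: a token that is consumed on first use would reject the second DataSource request of the page. And because #8 puts the token in the URL, it will show up in server access logs and can leak in Referer headers; rotating it per session and keeping the filter scoped to the IDACall servlet path limits what a leaked value is good for.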
