CSRF does not work in iframe.

CSRF does not work in iframe.

Bhuvan Gupta
Hello all,

I created an allMonit.html which has two iframes whose src attributes point at two different monit http interfaces running on two different systems.

allMonit.html structure:
    <iframe src="http://firstserver:2812"></iframe>
    <iframe src="http://secondserver:2812"></iframe>

Now when I open allMonit.html in Chrome, I see two monit interfaces. GREAT

Now if I try to, let's say, "start a service" on firstserver, I get "invalid CSRF".

Upon investigation I found that without the iframe the http request contains a cookie header like
Cookie: securitytoken=6265d84a17c2715c7252c84d88a479cf
whereas the http request from the iframe does not include a cookie header.

Upon further study, I found that since the monit http response does not contain the following header
Access-Control-Allow-Credentials: true
the browser will not transmit the cookie back to the server.

Now the question arises:

QUESTION: How to configure monit to add an additional http header?

Thanks
Bhuvan





--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general
Re: CSRF does not work in iframe.

Bhuvan Gupta
Any help will be nice

On Thu, Sep 7, 2017 at 12:37 PM, Bhuvan Gupta <[hidden email]> wrote:
Re: CSRF does not work in iframe.

martinp@tildeslash.com
Hello,

the Access-Control-Allow-Credentials is a dangerous header.

Monit uses a state-less double-submit-cookie pattern for CSRF defence: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie ... the action will work when the request's "securitytoken" cookie and "securitytoken" http parameter match - the value is not important; you can generate a new value for every request on the client side (the defence is based on the fact that the CSRF attacker can neither read nor set/modify the cookie value, so cannot set a matching http parameter value).

Best regards,
Martin


> On 14 Sep 2017, at 06:13, Bhuvan Gupta <[hidden email]> wrote:
>
> Any help will be nice
>
> On Thu, Sep 7, 2017 at 12:37 PM, Bhuvan Gupta <[hidden email]> wrote:


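The stateless double-submit check Martin describes, written out as an added example (this is illustrative code, not Monit's own implementation): the client mints a fresh random value and sends it both as the "securitytoken" cookie and as the "securitytoken" form parameter; the server accepts the action only when both are present and identical. The request-building helper and the sample requests are constructed for this example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Name Monit uses for both the cookie and the form parameter (from the thread).
TOKEN_NAME = "securitytoken"


def make_client_request(action):
    """Client side (hypothetical helper): mint a fresh random token and put the
    same value in the Cookie header and in the POST body.  Because the server
    keeps no state, any value works as long as both copies agree."""
    token = secrets.token_hex(16)
    headers = {"Cookie": "%s=%s" % (TOKEN_NAME, token)}
    body = "action=%s&%s=%s" % (action, TOKEN_NAME, token)
    return headers, body


def verify_double_submit(headers, body):
    """Server side: return True only if the token in the Cookie header and the
    token in the form body are both non-empty and identical.  A request that
    arrives without the cookie (the iframe case in the thread) or with a
    parameter the attacker guessed is rejected."""
    cookies = SimpleCookie()
    cookies.load(headers.get("Cookie", ""))
    params = parse_qs(body, keep_blank_values=True)
    cookie_token = cookies[TOKEN_NAME].value if TOKEN_NAME in cookies else None
    param_token = params.get(TOKEN_NAME, [None])[0]
    if not cookie_token or not param_token:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(cookie_token, param_token)
```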
Re: CSRF does not work in iframe.

Guillaume François
In reply to this post by Bhuvan Gupta
I don't think you can easily bypass the CSRF mechanism when using an iframe, as one of its goals is to avoid this kind of usage (not related to monit); you will need several hacks to allow it if you cannot disable it at the monit level.

Maybe documenting yourself about CSRF could help to find hacks.

On 14 Sep 2017 6:13 AM, "Bhuvan Gupta" <[hidden email]> wrote:
Any help will be nice

On Thu, Sep 7, 2017 at 12:37 PM, Bhuvan Gupta <[hidden email]> wrote:
Re: CSRF does not work in iframe.

Petra Humann-2
In reply to this post by Bhuvan Gupta

> On 07.09.2017 at 09:07, Bhuvan Gupta <[hidden email]> wrote:
>
> I created an allMonit.html which has two iframes whose src attributes point at two different monit http interfaces running on two different systems.

Use apache2 with a proxy:

ProxyPass        /firstserver/ http://firstserver:2812/
ProxyPassReverse /firstserver/ http://firstserver:2812/
<Location /firstserver/>
    Require ip ...
    AuthName "Monitor"
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile "..."
    Require valid-user
</Location>

The iframe contains the source of http[s]://monitoringserver/firstserver/.

Regards.
Petra Humann

