[vlc-devel] [PATCH 0/2] mitigate CSRF and DNS rebinding attacks on httpd server.
remi at remlab.net
Thu Feb 1 18:30:47 CET 2018
Le jeudi 1 février 2018, 11:16:06 EET Pierre Lamot a écrit :
> > First, enforce POST for all non-indempotent requests. Then, you can think
> > about "newer" attacks like CSRF.
> I agree, though enforcing POST requests is breaking the API. I think this
> should be done in the long run, but as we start breaking the API we should
> also add CSRF token and other things (TBD)
Enforcing POST is *fixing* the API. Using GET for nonidemportent requests is
not so much insecure as it is unsafe.
> > It is true that session tokens or cookies would break the API. But so
> > would
> > Origin and Referer header checks:
> > - A control app using hand-written code for HTTP will break.
> > - A control app using a non-web framework for HTTP will also break.
> Browsers provide Referer and/or Origin header in their requests (even GET).
> Control/Other app will unlikely provides theses header, my patch accept the
> requests when none of theses header are provided.
It is trivial for an attacker to prevent the Referer line from being informed,
given that the VLC HTTP interface always runs in non-secure mode: it just has
to supply the attacking page over a secure channel.
Your patch is vain since it relies on the user configuring the permitted
hostnames - which realistically will almost never happen. And it puts the
validation in the server code when it belongs in the UI backend.
More information about the vlc-devel