[vlc-devel] [PATCH 0/2] mitigate CSRF and DNS rebinding attacks on httpd server.
Rémi Denis-Courmont
remi at remlab.net
Wed Jan 31 19:16:01 CET 2018
On Wednesday, 31 January 2018 at 19:38:00 EET, Pierre Lamot wrote:
> This series aims to mitigate CSRF and DNS rebinding attacks against the http
> interface.
That is a very real problem, but nevertheless this seems to me like putting
the cart before the horse.
First, enforce POST for all non-idempotent requests. Then, you can think
about "newer" attacks like CSRF.
> CSRF is mitigated by checking Origin and Referer fields in the HTTP request.
> A proper implementation would also use a CSRF token mechanism, but this
> can't be added to the current implementation without breaking the API.
It is true that session tokens or cookies would break the API. But so would
Origin and Referer header checks:
- A control app using hand-written code for HTTP will break.
- A control app using a non-web framework for HTTP will also break.
The only changes that can be made without breaking the API for external apps
are the hypothetical enforced ones by the browser / the client side. But then
again, those might break web-based control apps.
In other words, either we leave those gaping security holes open, or we break
the API. (I probably do not need to mention that I am in favor of the latter.)
--
雷米‧德尼-库尔蒙
https://www.remlab.net/
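The request-policy layers argued over in this thread (a Host allowlist against DNS rebinding, POST-only state changes, and an Origin/Referer check whose treatment of header-less clients is exactly the API-compatibility trade-off above), as an added example that is not VLC code and not the patch series under discussion. The endpoint names, the allowlist and the constructed requests are assumptions made for illustration:

```python
"""Added example, not code from VLC or from the patch series under discussion.

Three request-policy layers for a hypothetical HTTP control interface
(endpoint names, host list and request shapes are assumptions):

  1. Host allowlist        - DNS rebinding: the hostile page was loaded from
                             attacker.example, whose name later resolves to
                             127.0.0.1, but the browser still sends
                             "Host: attacker.example".
  2. POST for mutations    - GET stays idempotent, so an <img src=...> on a
                             hostile page cannot change player state.
  3. Origin/Referer check  - a browser-sent Origin/Referer must name an
                             allowed host; a request carrying neither is
                             passed through as a non-browser client (lenient)
                             or rejected (strict), which is where hand-written
                             and non-web clients break.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive lookup (HTTP field names are case-insensitive)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


# Hypothetical state-changing endpoints; anything else is treated as read-only.
MUTATING_PATHS = {"/control/play", "/control/stop", "/control/enqueue"}

# Hypothetical allowlist: entries are host[:port] exactly as a browser sends
# them in Host and Origin, so a non-default port must be listed with it.
ALLOWED_HOSTS = ["localhost:8080", "127.0.0.1:8080"]


def _authority_of(url):
    """Return the lower-cased host[:port] of an absolute URL, or None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if not parts.scheme or not parts.netloc:
        return None  # relative URL, the literal "null" origin, or garbage
    return parts.netloc.lower()


def check_request(req, allowed_hosts=ALLOWED_HOSTS, strict=False):
    """Decide whether a request may proceed. Returns (allowed, reason)."""
    allowed = {h.lower() for h in allowed_hosts}

    # Layer 1: Host allowlist (DNS rebinding).
    host = req.header("Host")
    if host is None or host.lower() not in allowed:
        return False, "host not allowed"

    # Read-only endpoints need no CSRF defence: nothing changes server-side.
    if req.path not in MUTATING_PATHS:
        return True, "read-only request"

    # Layer 2: state changes only over POST.
    if req.method != "POST":
        return False, "mutating request must use POST"

    # Layer 3: Origin first, Referer as fallback. Browsers attach one of them
    # to cross-site POSTs; curl-style and hand-written clients send neither.
    source = req.header("Origin")
    if source is None:
        source = req.header("Referer")
    if source is None:
        if strict:
            return False, "no Origin or Referer (strict mode)"
        return True, "no Origin or Referer, treated as non-browser client"

    src = _authority_of(source)
    if src is None or src not in allowed:
        return False, "cross-site origin"
    return True, "same-site origin"


def demo():
    """Constructed requests for each scenario; returns name -> (allowed, reason)."""
    ok = {"Host": "localhost:8080"}
    cases = {  # name: (request, strict)
        # Page from attacker.example whose DNS now points at the victim's loopback.
        "dns_rebinding": (Request("POST", "/control/play",
                                  {"Host": "attacker.example",
                                   "Origin": "http://attacker.example"}), False),
        # <img src="http://localhost:8080/control/play"> on a hostile page.
        "img_tag_csrf": (Request("GET", "/control/play",
                                 {**ok, "Referer": "http://evil.example/"}), False),
        # Auto-submitted cross-site form.
        "form_csrf": (Request("POST", "/control/play",
                              {**ok, "Origin": "http://evil.example"}), False),
        # The interface's own web UI.
        "same_site_browser": (Request("POST", "/control/play",
                                      {**ok, "Origin": "http://localhost:8080"}), False),
        # Hand-written client: no Origin, no Referer.
        "hand_written_lenient": (Request("POST", "/control/play", dict(ok)), False),
        "hand_written_strict": (Request("POST", "/control/play", dict(ok)), True),
        # Read-only poll.
        "status_poll": (Request("GET", "/status", dict(ok)), True),
    }
    return {name: check_request(req, strict=strict)
            for name, (req, strict) in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

The `hand_written_lenient` and `hand_written_strict` rows are the crux of the argument: the same request from a client that sends no Origin or Referer is accepted in lenient mode (leaving the hole open for any attack that can suppress those headers) and rejected in strict mode (breaking every non-browser control app), which is the choice the reply says cannot be avoided without a token or cookie scheme.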