Comments (7)
Did this "logUnauthorized" ever get committed and released? Doesn't look like it: it's not in the docs, and I'm running Crumb 6.0.3 and get an error when I try including that option in the plugin registration.
It would be useful because I'm suddenly seeing crumb not working any more, possibly due to some issue with latest hapi version.
from crumb.
Some people argue that "Security through obscurity is not security". In the present case, it is obvious to an attacker that a csrf token has to be provided (crumb sets a cookie...) and as easy to detect that the cookie/header may be missing from the request. It would be also possible to determine that the request was rejected in an early stage of its processing by a statistical analysis of the response time...
Anyways, having a server-side log message that displays exactly why the csrf did not pass would be good enough imo (and could also facilitate the detection of attacks). If you choose to do this, make sure that you print a different message when the cookie is missing than when the one present does not match the token in the headers.
from crumb.
@matthieusieben this is a touchy issue for a security related module, as giving a detailed forbidden message essentially leaks data to potential attackers
that being said, I could investigate writing a server side log message to make debugging easier
from crumb.
Ok adding the server side logging right now with a 'logUnauthorized' option to trigger it. Also good point on this being handy for monitoring
from crumb.
@jonathansamines you'll find #112 and #113 which add the logUnauthorized capability in master for hapi 17, and I pushed a 6.x.x branch for those still on hapi 16.
from crumb.
Fixed by #112
from crumb.
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
from crumb.