Getting past anti-CSRF for a user login to a site when you know their username and password

That sounds a bit shady, bear with me. This is also not a Rails-specific issue, although both sites use Rails. (I apologise in advance for both of these things.)

Imagine two websites that use Ruby on Rails:

  • mysite.com, on which I am a developer and have full access in terms of changing the code etc., and on which I also have an administrator login, so I can manage user accounts.

  • theirsite.com, on which I have an administrator login but no dev access. I know the people who manage it, but for political reasons I would rather not ask them for favours. It is an option, however.

Using my administrator login on each site, I have created a user account for the same person. When they log in to mysite.com, I would like to provide a button that logs them directly in to theirsite.com. To facilitate this I have their username and password for theirsite.com stored in their user record in the mysite.com database. The button is the submit button of a form that duplicates the form on the theirsite.com login page, with hidden fields for the username and password.

A stumbling block is that theirsite.com handles CSRF with the authenticity_token parameter, which fails the check when the login is submitted from mysite.com.

My first attempt to get past this was, in the mysite.com controller that renders the form page, to scrape the login page on theirsite.com to get an authenticity token and then put it into my form. But that does not work.

If I load the login page on theirsite.com and the mysite.com page with the remote login button in two browser tabs and manually copy the authenticity_token from the theirsite.com form into the mysite.com form, then it works. This is because (I think) the authenticity_token is tied to my session via a cookie, and when I do all this in one browser the session is the same, but when I fetch the authenticity token from theirsite.com by scraping (using Nokogiri, though I could use curl instead) it is not the same session.

Question A) So I think I would also need to set a cookie so that the session matches between the browser and the Nokogiri request I make. But that may not be possible, and it is exactly what the anti-CSRF system was designed to defeat. Is that the case?

Question B) Suppose that, despite the politics, I need to ask the owner of theirsite.com to make a small change to allow me to log our users in to theirsite.com when we know their theirsite.com username and password. What would be the smallest, safest change I could ask them to make to allow this?

Feel free to say "Stop it, you evil black hat"; I think that is probably the right answer. The question is a bit dodgy.

+6
4 answers

A) No, it is not possible, because CSRF protection exists precisely to prevent actions like these. So, "Stop it, you evil black hat."

As in the question, I assume theirsite.com uses Rails (v3 or v4).

B) The smallest change you could ask for is a special action added for you, so that you can send the user's credentials from your back-end server and the user gets logged in on their side.

This action will work something like this:

You would have a special code that is sent along with the credentials, so that the request can be verified on their server. This code can either be a static predefined code, or be generated per minute/hour/day with the same algorithm on both sites.

The action you would ask them to add for you would look like this:

Rails v3 and v4:

This action should only accept POST.

```ruby
# I'm supposing 'protect_from_forgery' is already done in theirsite.com
class ApplicationController < ActionController::Base
  protect_from_forgery
end

# changes to be made are here as follows
class SomeController < ApplicationController
  # this turns off CSRF protection on specific actions
  skip_before_filter :verify_authenticity_token, only: [:login_outside]

  def login_outside
    # valid_special_code? is a hypothetical helper: check the special code here
    if valid_special_code?(params[:code])
      # Their login logic here
    else
      head :forbidden
    end
  end
end
```

See this link for more information on skipping CSRF protection in Rails:

Rails 4 RequestForgeryProtection

+3
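The time-based variant of the "special code" this answer describes, as an added example in plain Ruby (not code from the answer or from either site): mysite.com derives the code with an HMAC over the current time bucket and the username, and theirsite.com recomputes it in its login_outside action before running its own login logic. The shared secret, the 5-minute bucket size, the one-bucket drift allowance and the method names are all assumptions.

```ruby
require 'openssl'

# Assumptions, not from the answer: a secret shared out of band by both sites
# (keep it in config, never in the form) and a 5-minute bucket for the code.
SHARED_SECRET  = 'replace-with-SecureRandom.hex(32)-from-config'.freeze
WINDOW_SECONDS = 300

# Constant-time comparison, so a near-miss does not leak through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Code mysite.com puts in the hidden form field. Binding it to the username
# and the time bucket means it cannot be reused for another account or later.
def login_code(username, now: Time.now, secret: SHARED_SECRET, window: WINDOW_SECONDS)
  bucket = now.to_i / window
  OpenSSL::HMAC.hexdigest('SHA256', secret, "#{bucket}\n#{username}")
end

# Check theirsite.com runs in login_outside. Accepts the current bucket and
# `drift` previous ones, so a form posted just before a boundary still passes.
def valid_login_code?(code, username, now: Time.now, drift: 1,
                      secret: SHARED_SECRET, window: WINDOW_SECONDS)
  return false unless code.is_a?(String) && username.is_a?(String)
  (0..drift).any? do |back|
    expected = login_code(username, now: now - back * window,
                                    secret: secret, window: window)
    secure_compare(expected, code)
  end
end

if $PROGRAM_NAME == __FILE__
  code = login_code('alice')
  puts "same window, same user: #{valid_login_code?(code, 'alice')}"   # true
  puts "same window, other user: #{valid_login_code?(code, 'bob')}"    # false
end
```

In the controller from the answer, `valid_login_code?(params[:code], params[:username])` is what would sit behind the "check special code here" placeholder. A static predefined code is the same check with a fixed string, but it never expires: anyone who captures one request can log that user in indefinitely, whereas the HMAC code is only replayable within its bucket and only for that account. Either way the form still carries the user's theirsite.com password, so the action must be served over HTTPS only.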

It should not be too complicated.

You need to send an AJAX GET request to their login page, grab the authenticity token with JavaScript, and then send an AJAX POST to the actual login route, which creates a session with the correct credentials and authenticity_token.

One tricky part is figuring out their login route. Try /sessions/new, or maybe they have the URL in the form, so look at the HTML there. Good luck.

Another tricky part is knowing how the parameters are usually sent. Look at the HTML form. If all the input tags have user_ in front of their name, you will need to structure your parameters the same way, i.e. user_email, user_password.

You can definitely get the CSRF token and submit your own form (because the login page is accessible to everyone!). However, it will be hard to know the details of their routes. Guessing and checking the parameters is not that bad (again, /sessions/new is how I route my login; you should also try your own route to see if they have one).

If that doesn't work, try looking at their GitHub account! It is quite possible they did not pay the $7 a month and it is open to the public. You can easily see their routes and params that way.

Good luck

+2

It's impossible. Anti-CSRF works by sending the user a cookie and putting a token in a hidden field in the form; on form submission the token must match the cookie. Now, if you render the form on your side, you cannot set the cookie (since a cookie can only be set by its origin domain).

If you only need a few specific actions on their site, you could get away with browser automation (i.e. run a browser server-side, script the action and execute it).

As for B): "safest" and "smallest" are contradictory :) The smallest change would be to create a POST request handler on their side to which you send a username and password (this handler should work over HTTPS only) and which creates an auth cookie on their side.

As for the safest: the whole concept of storing encrypted (not hashed) passwords is dubious at best (would you like your site listed at http://plaintextoffenders.com/ ?). Also, if the user changes their password on their side, you are screwed. A safe solution would be to store only the 3rd-party user ID on your side, and send an asymmetrically encrypted user ID plus timestamp to their side (you would encrypt it with your private key). They would decrypt it (they would need your public key), check that the timestamp is not stale, and if it is not, create an auth cookie for that user ID. There are also protocols for this (e.g. SAML).

0
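The handoff this answer recommends in its last paragraph, as an added example in plain Ruby (not code from the answer or from either site): mysite.com keeps only the theirsite.com user ID, and "encrypting with your private key" is in practice a digital signature, so the example signs "user_id|timestamp|nonce" with RSA/SHA-256 and theirsite.com verifies it with the public key, rejects stale timestamps and refuses a token it has already accepted. Key generation at startup, the 60-second maximum age, the 30-second clock-skew allowance, the in-memory replay cache and all class and method names are assumptions.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

MAX_TOKEN_AGE = 60  # seconds a handoff token stays valid (assumption)
CLOCK_SKEW    = 30  # seconds of future-dated timestamp tolerated (assumption)

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
rescue ArgumentError
  nil
end

# mysite.com side: holds the private key and only ever sends the 3rd-party
# user ID, never the user's theirsite.com password.
class MysiteHandoff
  def initialize(private_key_pem)
    @key = OpenSSL::PKey::RSA.new(private_key_pem)
  end

  # Token = base64url(payload) "." base64url(RSA-SHA256 signature over payload).
  # The random nonce makes each token unique so theirsite.com can refuse replays.
  def token_for(their_user_id, now: Time.now)
    payload = "#{their_user_id}|#{now.to_i}|#{SecureRandom.hex(16)}"
    sig = @key.sign(OpenSSL::Digest.new('SHA256'), payload)
    "#{b64url_encode(payload)}.#{b64url_encode(sig)}"
  end
end

# theirsite.com side: holds only the public key. Returns the user ID to create
# the auth cookie for, or nil if the token must be rejected.
class TheirsiteHandoff
  def initialize(public_key_pem)
    @pub  = OpenSSL::PKey::RSA.new(public_key_pem)
    @seen = {} # nonce => expiry; a real deployment would use the DB or a cache
  end

  def user_id_from(token, now: Time.now, max_age: MAX_TOKEN_AGE)
    enc_payload, enc_sig = token.to_s.split('.', 2)
    payload = enc_payload && b64url_decode(enc_payload)
    sig     = enc_sig && b64url_decode(enc_sig)
    return nil if payload.nil? || sig.nil?

    # 1. Signature first: nothing in the payload is trusted until this passes.
    return nil unless signature_ok?(sig, payload)

    user_id, ts, nonce = payload.split('|', 3)
    return nil unless user_id && !user_id.empty? && ts.to_s.match?(/\A\d+\z/) && nonce

    # 2. Freshness: reject stale tokens and tokens dated too far in the future.
    age = now.to_i - ts.to_i
    return nil if age > max_age || age < -CLOCK_SKEW

    # 3. Replay: each nonce is accepted once within its validity window.
    prune_seen(now)
    return nil if @seen.key?(nonce)
    @seen[nonce] = ts.to_i + max_age + CLOCK_SKEW

    user_id
  end

  private

  def signature_ok?(sig, payload)
    @pub.verify(OpenSSL::Digest.new('SHA256'), sig, payload)
  rescue OpenSSL::PKey::PKeyError
    false
  end

  def prune_seen(now)
    @seen.delete_if { |_, expiry| expiry < now.to_i }
  end
end

if $PROGRAM_NAME == __FILE__
  key    = OpenSSL::PKey::RSA.generate(2048)
  mysite = MysiteHandoff.new(key.to_pem)
  theirs = TheirsiteHandoff.new(key.public_key.to_pem)
  tok = mysite.token_for('4242')
  puts "first use: #{theirs.user_id_from(tok).inspect}"  # "4242"
  puts "replay:    #{theirs.user_id_from(tok).inspect}"  # nil
end
```

The order of the three checks matters: the signature is verified before any field of the payload is parsed, so a forged timestamp or user ID never reaches the freshness or replay logic. The SAML and OpenID Connect protocols the answer alludes to package exactly these checks (signed assertion, validity window, assertion ID) with library support on both ends, which is preferable to hand-rolling them in production; the example exists to show what the three checks are.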

A) What you are trying to do is actually a form of CSRF attack.

The idea of a cross-site request forgery attack is that an attacker tricks the browser into performing an action on some site as the user who is using the site. The user is usually identified by a session identifier stored in a cookie, and cookies are sent automatically. This means that without protection, an attacker would be able to perform actions on the target site.

To prevent CSRF, a site typically includes an anti-CSRF token on its pages that is bound to the session and is sent with requests made from the legitimate site. This works because the token is unpredictable and the attacker cannot read its value from the legitimate site's pages.

I could point out different ways to bypass CSRF protection, but they all depend on an incorrect implementation of the anti-CSRF mechanism. If you succeed in doing this, you have found a security vulnerability on theirsite.com.

For more information about CSRF, see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) .

C) The smallest change theirsite.com could make is to disable the CSRF check on the login page.

CSRF protection depends on the unpredictability of requests, and for login pages the secret password itself protects against CSRF. Additional verification via the anti-CSRF token is not required.

0

Source: https://habr.com/ru/post/973152/
