App-HTTP_Proxy_IMP
view release on metacpan or search on metacpan
lib/App/HTTP_Proxy_IMP/IMP/CSRFprotect.pm view on Meta::CPAN
# PoC for CSRF protection
# see pod at the end for detailed description of the idea and references
use strict;
use warnings;
package App::HTTP_Proxy_IMP::IMP::CSRFprotect;
use base 'Net::IMP::HTTP::Request';
use fields (
'target', # target domain from request header
'origin', # domain from origin/referer request header
);
use Net::IMP qw(:DEFAULT :log);
use Net::IMP::Debug;
use Net::IMP::HTTP;
sub RTYPES { return (
IMP_REPLACE, # remove Cookie/Authorization header
IMP_LOG, # log if we removed something
IMP_DENY, # bad requests/responses
IMP_PASS,
)}
sub new_analyzer {
my ($class,%args) = @_;
my $self = $class->SUPER::new_analyzer(%args);
$self->run_callback(
# we will not modify response, but need to look at the response
# header to detect redirects. After the response header was seen
# this will be upgraded to IMP_PASS
[ IMP_PREPASS,1,IMP_MAXOFFSET]
);
return $self;
}
sub request_hdr {
my ($self,$hdr) = @_;
# modify if necessary, rest of request can be forwarded w/o inspection
my $len = length($hdr);
my @rv;
if ( defined( my $newhdr = _modify_rqhdr($self,$hdr))) {
push @rv, [ IMP_REPLACE,0,$len,$newhdr ];
}
$self->run_callback(@rv,[ IMP_PASS,0,IMP_MAXOFFSET ]);
}
sub response_hdr {
my ($self,$hdr) = @_;
# response header
_analyze_rphdr($self,$hdr);
$self->run_callback([ IMP_PASS,1,IMP_MAXOFFSET ]); # upgrade to IMP_PASS
}
{
# FIXME - should expire after a short time
# FIXME - for multi-process environments it needs to be shared
# between processes
# DELEGATION{FROM}{TO}: e.g. FROM delegated to TO by
# - having a POST request to TO with origin/referer FROM
# - having a redirect to TO in response from FROM
my %DELEGATION;
sub _delegate {
my ($origin,$target,$why) = @_;
if ( $DELEGATION{$origin}{$target} ) {
debug("refresh delegation $origin -> $target ($why)");
$DELEGATION{$origin}{$target} = 1;
} else {
debug("add delegation $origin -> $target ($why)");
$DELEGATION{$origin}{$target} = 1;
}
}
sub _delegation_exists {
my ($origin,$target) = @_;
return $DELEGATION{$origin}{$target};
}
lib/App/HTTP_Proxy_IMP/IMP/CSRFprotect.pm view on Meta::CPAN
# determine target
my (@target) = $hdr =~m{\A\w+[ \t]+http://$rx_host};
@target = _gethdr($hdr,'Host',$rx_host) if ! @target;
if ( ! @target or @target>1 ) {
$self->run_callback(
[ IMP_LOG,0,0,0,IMP_LOG_WARNING,
"cannot determine target from request\n".$hdr ],
[ IMP_DENY,0, "cannot determine target from request" ]
);
return;
}
# determine referer/origin domain
my @origin = _gethdr($hdr,'Origin',$rx_host_from_url);
@origin = _gethdr($hdr,'Referer',$rx_host_from_url) if ! @origin;
if ( @origin > 1 ) {
# invalid: conflicting origins
$self->run_callback(
[ IMP_LOG,0,0,0,IMP_LOG_WARNING,
"conflicting origins in request\n".$hdr ],
[ IMP_DENY,0, "conflicting origins in request" ]
);
return;
}
if ( ! @origin ) {
# we have no origin to check trust inside request
debug("no origin to check trust in request to @target");
} else {
# do nothing unless the request is cross-origin
$self->{origin} = $origin[0];
$self->{target} = $target[0];
return if $origin[0] eq $target[0];
# implicite trust when both have the same root-domain
my $origin = _rootdom($origin[0]);
my $target = _rootdom($target[0]);
if ( $origin eq $target ) {
debug("trusted request from $origin[0] to $target[0] (same root-dom)");
return
}
# check if this is a delegation (POST)
if ( $hdr =~m{\APOST } ) {
_delegate($origin,$target,'POST');
}
# consider the request trused if we got an earlier delegation from
# $target to $origin (e.g. in the other direction)
if ( _delegation_exists($target,$origin)) {
debug("trusted request from $origin to $target (earlier delegation)");
return
}
}
# remove cookies, because there is no cross-domain trust
# we should remove authorization header too, but then access to the
# protected site will probably not be available at all (see BUGS section)
my @del;
push @del,$1 while ( $hdr =~s{^(Cookie|Cookie2):[ \t]*(.*(?:\n[ \t].*)*)\n}{}im );
if (@del) {
$self->run_callback([
IMP_LOG,0,0,0,IMP_LOG_INFO,
"removed cross-origin session credentials (@del) for request @origin -> @target"
]);
# return changed header
return $hdr;
}
# nothing changed
return undef;
}
# find out if response header contains delegation through a redirect
sub _analyze_rphdr {
my ($self,$hdr) = @_;
# we are only interested in temporal redirects
$hdr =~m{\AHTTP/1\.[01] 30[237]} or return;
my @location = _gethdr($hdr,'Location',$rx_host_from_url)
or return; # no redirect
if ( @location > 1 ) {
# invalid: multiple conflicting redirects
$self->run_callback(
[ IMP_LOG,0,0,0,IMP_LOG_WARNING,
"conflicting redirects in response\n".$hdr ],
[ IMP_DENY,0, "conflicting redirects in response" ]
);
return;
}
my $location = $location[0];
my $target = $self->{target} or return;
return if $target eq $location; # no cross-domain
$target = _rootdom($target);
$location = _rootdom($location);
return if $target eq $location; # not considered cross-domain too
_delegate($target,$location,'redirect');
}
sub _gethdr {
my ($hdr,$key,$rx) = @_;
my @val;
for ( $hdr =~m{^\Q$key\E:[ \t]*(.*(?:\n[ \t].*)*)}mgi ) {
s{\r\n}{}g;
s{\s+$}{};
s{^\s+}{};
push @val, m{$rx};
}
my %v;
return grep { ! $v{$_}++ } @val;
}
BEGIN {
if ( eval { require WWW::CSP::PublicDNSSuffix } ) {
*_rootdom = sub {
my ($rest,$tld) = WWW::CSP::PublicDNSSuffix::public_suffix( shift );
return $rest =~m{([^.]+)$} ? "$1.$tld" : undef;
}
} elsif ( eval { require Mozilla::PublicSuffix }) {
*_rootdom = sub {
my $host = shift;
my $suffix = Mozilla::PublicSuffix::public_suffix($host);
return $host =~m{([^\.]+\.\Q$suffix)} ? $1:undef,
}
} elsif ( my $suffix = eval {
require Domain::PublicSuffix;
Domain::PublicSuffix->new
}) {
*_rootdom = sub { return $suffix->get_root_domain( shift ) }
} else {
die "need one of Domain::PublicSuffix, Mozilla::PublicSuffix or WWW::CSP::PublicDNSSuffix"
}
}
1;
__END__
=head1 NAME
App::HTTP_Proxy_IMP::IMP::CSRFprotect - IMP plugin against CSRF attacks
=head1 DESCRIPTION
This plugin attempts to block malicious cross-site requests (CSRF), by removing
session credentials (Cookie, Cookie2 and Authorization header) from the request,
if the origin of the request is not known or not trusted.
The origin is determined by checking the Origin or the Referer HTTP-header of
the request.
An origin O is considered trusted to issue a cross-site request to target T, if
=over 4
=item *
O is the same as T
=item *
O and T share the same root domain (which should not be a public suffix)
=item *
there was an earlier delegation from T to O
=back
Delegation from T to O means, that
=over 4
=item *
a POST request to target O with origin T
=item *
or a redirect to O within the HTTP response from T
=back
This module is based on ideas described 2011 in the paper
"Automatic and Precise Client-Side Protection against CSRF Attacks" from
Philippe De Ryck, Lieven Desmet, Wouter Joosen, and Frank Piessens.
=head1 BUGS
This module is a proof of concept.
Contrary to the initial goal, currently no Authorization HTTP header will be
removed. While for session authorization with cookies, there is a fallback page
on failed authorization, no such page exists for HTTP authorization.
Instead the HTTP server will issue again and again "407 authorization required"
because the request would still be Cross-Site or No-Site (e.g. no Origin/Referer
header) and thus CSRF protection would apply.
This would not only stop cross-site accesses to the protected site completly,
but also access from bookmarks et. al. (e.g. No-Site request).
Missing essential functionality is the expiring of information about previous
delegations after a short time, so that they need to be refreshed before the
next cross-site request is allowed.
=head1 AUTHOR
Steffen Ullrich <sullr@cpan.org>
( run in 2.044 seconds using v1.01-cache-2.11-cpan-39bf76dae61 )