Vulnerable to cross-site token replay attack #6

Open

danielchatfield opened this issue Oct 6, 2014 · 0 comments

Comments

@danielchatfield

I've detailed this quite a bit on the cs-raven-discuss mailing list (issue affected almost all client libraries).

If Alice visits eve.com and logs in with Raven, then she expects that Eve should not be able to reuse the Raven token to authenticate as Alice on another site (which is the entire point of including the URL in the signed token). Eve can simply spoof the Host header on servers that are not configured for virtual hosts (e.g. the CL site) and trick the target site into thinking it is eve.com (and thus accept the token).

The way that the Python library and my own WordPress plugin/PHP library are solving this (WordPress plugin not finished yet) is to require that the user either:

  • pass in some "trusted hosts" as a configuration value (attempts to Raven auth to URLs not on the trusted hosts will fail), or
  • set a flag to trust all hosts (with a clear warning that this should only be used on servers that have been correctly configured to reject all but the expected hosts, and that some servers will blindly parse other headers like X-Forwarded-Host, so you have to be extra extra sure you know what you are doing).
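The check described above, written out as an added example in Python (my own illustration, not the code of the Python library or of any Raven client mentioned here). The function names, the `trusted_hosts` and `trust_all_hosts` setting names, the `/login` path and the `site.example` host are assumptions; `eve.com` is the attacker-controlled site from the issue text. The point it shows is that comparing the token's URL against a URL rebuilt from the request's Host header is only meaningful once that host has been checked against an operator-supplied allowlist.

```python
"""Trusted-hosts check for a Raven-style signed token (added example, not the
library's own code).

The signed response carries the URL the client originally asked to be
authenticated for. A verifier that rebuilds the expected URL from the HTTP
Host header can be fooled on a server that answers for any host name, so the
host is checked against an explicit allowlist before the comparison is made.
"""
from urllib.parse import urlsplit


class UntrustedHostError(Exception):
    """Raised when the request's Host header is not in the trusted set."""


def canonical_host(host_header: str) -> str:
    """Normalise a Host header value for comparison (case, default ports)."""
    host = host_header.strip().lower()
    for port in (":80", ":443"):
        if host.endswith(port):
            host = host[: -len(port)]
    return host


def expected_url(host_header, path, trusted_hosts, trust_all_hosts=False, scheme="https"):
    """Return the URL that the token's url field must match.

    trusted_hosts is the operator-supplied allowlist (hypothetical setting name).
    trust_all_hosts skips the allowlist; it is only safe when the web server
    itself rejects unexpected Host values, as the issue text warns.
    """
    host = canonical_host(host_header)
    allowed = {canonical_host(h) for h in trusted_hosts}
    if not trust_all_hosts and host not in allowed:
        raise UntrustedHostError(f"Host header {host!r} is not a trusted host")
    return f"{scheme}://{host}{path}"


def url_matches(token_url, host_header, path, trusted_hosts, trust_all_hosts=False):
    """True only if the token was issued for this host and the host is trusted."""
    try:
        want = expected_url(host_header, path, trusted_hosts, trust_all_hosts)
    except UntrustedHostError:
        return False
    a, b = urlsplit(token_url), urlsplit(want)
    return (a.scheme, canonical_host(a.netloc), a.path) == (
        b.scheme, canonical_host(b.netloc), b.path)


if __name__ == "__main__":
    # Constructed scenario: a token issued for eve.com replayed at site.example
    # with a spoofed Host header. Rejected with an allowlist, accepted without.
    print(url_matches("https://eve.com/login", "eve.com", "/login", ["site.example"]))
    print(url_matches("https://eve.com/login", "eve.com", "/login", ["site.example"],
                      trust_all_hosts=True))
```

With `trusted_hosts` set, a replayed token for `eve.com` is refused even though the spoofed Host header makes the rebuilt URL match; with `trust_all_hosts=True` the same request passes, which is exactly why that flag is only safe behind a server that already refuses unknown hosts.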