How do I implement the CSRF security enhancement in my existing Grails project? I have read that I have to use a token in the form and modify the query string. I do not think it is the best solution because in my project there are a lot of submit forms and many controllers.
The fact is you are going to have to change the way you submit forms, add the token to each of the forms, and change your controllers to check the token. If you want CSRF protection you'll have to touch all of those places.
Fortunately Grails offers useToken and withForm to help take care of the implementation for you. You just have to put it in where you want it.
You can read more about this in the documentation.
I was told that there is no need to put the ValidateAntiForgery mechanism on our razor form because it's not behind authentication and is totally open to the public.
I thought I read somewhere that it should be used on all POSTs.
Which is correct?
There are a number of articles which can tell you when and where it is most appropriate to use the AntiForgeryToken. Here are a few:
http://www.devcurry.com/2013/01/what-is-antiforgerytoken-and-why-do-i.html
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
http://peterkellner.net/2014/05/19/asp-net-mvc-forms-need-include-html-antiforgerytoken-security/
The last one is explicit, the author recommends that you should use the feature for all forms. It will be generally beneficial to your entire website, provided that you care about the identity of your users.
If your users have no session, and there is nothing to be gained from hijacking their ASP.NET cookie, then the anti-forgery token is not particularly useful.
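Both the Grails useToken/withForm pair and ASP.NET MVC's AntiForgeryToken/ValidateAntiForgeryToken implement the same synchronizer-token pattern. The following is an added, framework-neutral illustration of that pattern (not code from Grails, ASP.NET MVC, or either answer); the in-memory session store, the `_csrf` field name and the one-time-use behaviour (which matches Grails withForm, while MVC's token is session-bound but not consumed) are assumptions of the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed in-memory session store: session id -> tokens issued to forms that
# have not been submitted yet. A real app keeps this in the server-side session.
SESSIONS: Dict[str, Set[str]] = {}

def new_session() -> str:
    """Start a session identified by a random opaque id (never a username)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = set()
    return sid

def issue_form_token(sid: str) -> str:
    """Rendering side (the useToken / Html.AntiForgeryToken step): mint a token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid].add(token)
    return token

def render_form(sid: str, action: str) -> str:
    """Embed the token as a hidden field; a cross-site form post cannot know it."""
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="_csrf" value="{issue_form_token(sid)}">'
            '</form>')

def validate_submission(sid: str, submitted: Optional[str]) -> bool:
    """Handling side (the withForm / [ValidateAntiForgeryToken] step).

    Accept only a token this session issued, compare in constant time, and
    consume it so a replayed or double-submitted request is rejected.
    """
    outstanding = SESSIONS.get(sid)
    if outstanding is None or not submitted:
        return False
    for token in outstanding:
        if hmac.compare_digest(token, submitted):
            outstanding.discard(token)
            return True
    return False

def handle_post(sid: str, form: Dict[str, str]) -> str:
    """Controller action: the withForm { ... }.invalidToken { ... } split."""
    if not validate_submission(sid, form.get("_csrf")):
        return "rejected: missing or stale form token"
    return "ok: processed"
```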
I am looking at the HDIV framework to implement it in my Grails application. It looks like the framework is more user-friendly for Struts/Java based applications. They do say it can be configured for other frameworks. This is exactly what it says:
It is possible to use HDIV in applications that don’t use Struts 1.x, Struts 2.x, Spring MVC or JSTL, but in this case it is necessary to modify the application (JSP pages).
I see that we need to modify the editable and non-editable data being sent to the server (one of the strategies is to cipher the hidden field and add a state parameter to link URLs).
And in the response we get back this data and use a validate() function to do integrity checks.
The sample grails-HDIV project on GitHub is really basic with no details.
Has anyone implemented it on Grails?
Thanks
Priyank
I've just written a plugin for this very thing. I'll see if my company will let me release it and if so I'll inform you.
I'm working with my team to create an enterprise level web application with Grails, but I don't see any "out of the box" solution to dealing with browser history when using Grails with AJAX. Can someone point me to some documentation so that I can nail this?
Thanks a ton.
Grails is predominantly a server-side framework. All it provides in terms of client-side functionality are some tags to make it easy to call the server via AJAX. I'm not aware of any functionality in the core framework to support using the back/forward buttons when AJAX calls are made.
You might find something in a plugin, but I doubt it. Your best bet is to look for this functionality in whichever JS library you're using (YUI, jQuery, Dojo, etc.).
Typically this is done by changing the location.hash property on the page. This corresponds to a string you can add after the current URL with a #. Adding or modifying this part of the URL will keep you on the same page, but add an additional history entry.
The jQuery BBQ plugin is a very useful framework to manage the hash. It contains a number of useful methods to manage the hash property as key/value pairs, the same way the regular URL query string works.
What are the security issues in ASP.NET MVC? And does MVC solve XSS and the others?
As jfar says: watch out for SQL injection. :-)
It helps by allowing you to use some specific pieces, but you still have to use them in appropriate places.
Use the new default <%: that HTML-encodes the output.
Use the anti-forgery request token.
Use any of the provided data access solutions. At the lowest possible level, use .Parameters to pass parameters.
Pay attention to every bit of guidance.
Don't dismiss published security advisories, such as the recent one affecting ASP.NET in general: is-asp-net-mvc-vulnerable-to-the-oracle-padding-attack.
You still have to understand & question the security aspects.
The same as any other website. Just like in any other language or framework, SQL injection and request forgery are only solved if you implement measures to prevent them. XSS is solved only if you don't need to accept HTML input and disable XSS validation.
Don't get soft thinking MS provided all the answers. It still takes a keen eye for flaws and a rigid application of counter measures to keep things secure.
As a relative newcomer to both web and MVC, I am looking for a good summary of security best practices that I should implement.
The site will be public facing with "moderately sensitive data" (meaning we can't get sued, but probably wouldn't make many friends if the data got out!) and will have the following security steps taken:
a: Forms/membership authentication and authorization
b: Parameterized queries to prevent SQL injection.
c: Automatic timeout with x min of inactivity
d: SSL for client to server encryption
What else do you recommend?
*Securing IIS and the network don't fall under my domain, so I'm more interested in the things I need to do to the software.
If you are using cookies to recognize users, be sure to use an arbitrary token (such as a GUID) to store on the client for identification. I've seen too many websites that store my email address or username in my cookie... I just have to change it to another!
Write your software so that it can run under medium trust.
If you are new to web development you should be aware of cross site scripting (XSS). You can use Http.Encode helper method to protect against this in ASP.NET MVC.
Make sure you prevent out-of-order requests. Ensure the client is authenticated before allowing them to see sensitive data, or in some cases, make sure the client has come through the correct channel before allowing a data manipulation. For example, only allow adding an item to your cart if the request came from the product details page. If you don't check, anyone can mess around with the action. The URL would be like http://server/cart/add/XYZ123 and anyone could just tweak the 'id' parameter.
Here's another biggie to watch out for: CSRF
http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
Take a look at this post by Phil Haack, one of the MS devs involved in the development.
Additionally, take a look at the Microsoft Anti-Cross Site Scripting Library to filter out all incoming parameters.
Maybe you should decide which methods can be invoked from outside and which cannot. For example, be careful about making a method that deletes tables, like http://yourhost.com/edit/deletealltable.
Make sure you design your classes and methods well. And give the [NonAction] attribute to public methods to prevent them from being invoked.
Make sure you display data (especially sensitive data) only as needed, with minimum fancy design, and use client script only as needed.
Remove any unused trash files like unused files in your solution folder.
Check and double check and validate any input control like a textbox. I can just put something in the textbox to hack your system.
If you use a mix of MVC and regular ASP.NET, please remove any dependency between them.
Be sure you cover the basics thoroughly, independently of ASP.NET. Make sure your DBMS has a separate user with the minimal required privileges (e.g., CRUD and executing sprocs from specified databases) set up to access the database from the web application. Parameterizing queries is an excellent idea, but ALWAYS SCRUB YOUR INPUT ANYWAY: it is not a complete defense against SQL injection.
Keep your design clean and easy to understand. Document whatever you do clearly, especially on the database side. It would be very bad if all your good work were destroyed by two programmers months or years later--one who didn't realize, say, that the database user for the web application (now accessing a database on a different server) shouldn't have root privileges, and another who added a control that didn't cleanse input properly. There's only so much that can be done about this sort of thing, but designing for the possibility that fools will be maintaining your code isn't so that coders will think you're sweet--it's so that fools won't put you out of business.
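The point that parameterization alone is not a complete defense is easiest to see where a placeholder cannot be used at all: identifiers such as an ORDER BY column. The following added example (not code from any of the answers above, and written in Python with sqlite3 rather than ASP.NET so it runs stand-alone) binds values through placeholders, allow-lists the sort column, and scrubs the product id from the cart URL mentioned earlier; the schema, sample rows and the assumed "three letters, three digits" id format are constructed for the demonstration.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample schema and rows for the demonstration (not from the question).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [("XYZ123", "Widget", 9.99), ("ABC001", "Gadget", 19.99)])
    return conn

# Input scrubbing: assumed id format for ids like XYZ123 (three letters, three digits).
PRODUCT_ID = re.compile(r"^[A-Z]{3}[0-9]{3}$")

def is_valid_product_id(raw: str) -> bool:
    return bool(PRODUCT_ID.match(raw))

# Identifiers cannot be bound as parameters, so the sort column must come from an allow-list.
ALLOWED_SORT = {"name", "price"}

def find_products(conn: sqlite3.Connection, name: str,
                  sort_by: str = "name") -> List[Tuple[str, str, float]]:
    """Values are bound with ? placeholders; the ORDER BY column is allow-listed."""
    if sort_by not in ALLOWED_SORT:
        raise ValueError("unsupported sort column: %r" % sort_by)
    sql = "SELECT id, name, price FROM products WHERE name = ? ORDER BY " + sort_by
    return conn.execute(sql, (name,)).fetchall()

def get_product(conn: sqlite3.Connection,
                product_id: str) -> Optional[Tuple[str, str, float]]:
    """Scrub first, then parameterize: both layers, as the answer advises."""
    if not is_valid_product_id(product_id):
        return None
    return conn.execute("SELECT id, name, price FROM products WHERE id = ?",
                        (product_id,)).fetchone()
```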