Issue A. CSRF Token Not Compared in Constant Time.
At 2014-05-05 13:05:36 Arturo Filastò wrote: Reported: 2014-04-10
Applies To: ooni-probe
Synopsis:
The CSRF token is not compared in constant time. It may be possible to extract CSRF tokens through a side channel attack to make cross-domain requests.
Impact:
An attacker, for example a malicious web page that the user visits, may be able to perform Cross-Site Request Forgery attacks after learning the CSRF token. These attacks could result in changes to ooni-probe's configuration, or could result in tests running without the user's consent.
Preconditions:
The attacker must be able to make requests from the user's browser to the ooni-probe server and time the response.
Feasibility:
The number of requests the attacker has to measure depends on the specific implementation of Python's != operator, which we did not investigate.
Verification:
This issue was verified by inspecting the source code. We did not create a proof-of-concept exploit for this issue.
Technical Details:
The following code is used to check the CSRF token. It can be found in ooni-probe/ooni/api/spec.py.
import functools
# 'web' is the web-framework module imported at the top of spec.py

def check_xsrf(method):
    @functools.wraps(method)
    def wrapper(self, *args, **kw):
        xsrf_header = self.request.headers.get("X-XSRF-TOKEN")
        # '!=' stops at the first differing byte: the timing side channel
        if self.xsrf_token != xsrf_header:
            raise web.HTTPError(403, "Invalid XSRF token.")
        return method(self, *args, **kw)
    return wrapper
The != operator compares strings byte by byte (or word by word), and stops on the first difference. This small timing difference is usually enough to extract the string being compared against by making repeated requests. It is sometimes possible to do this timing measurement cross-domain.
Mitigation:
Current ooni-probe users can mitigate this issue by turning off or disabling the web administration pages.
This issue was automatically migrated from github issue https://github.com/TheTorProject/ooni-probe/issues/317
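A hardened form of the decorator quoted in the issue, as an added example that is not ooni-probe's code: it replaces the != comparison with hmac.compare_digest, whose running time depends on the length of the inputs rather than on the position of the first differing byte, and rejects a missing header before comparing. The HTTPError class, FakeHandler and the token value are constructed stand-ins so the block runs without a web framework installed.

```python
import functools
import hmac
from types import SimpleNamespace

class HTTPError(Exception):
    """Stand-in for the framework's HTTPError (constructed for this example)."""
    def __init__(self, status_code, log_message=""):
        super().__init__(log_message)
        self.status_code = status_code

def tokens_match(expected, supplied):
    """Constant-time token comparison: hmac.compare_digest's running time
    depends on input length, not on where the first differing byte is."""
    if expected is None or supplied is None:  # missing header: reject up front
        return False
    if isinstance(expected, str):
        expected = expected.encode("utf-8")
    if isinstance(supplied, str):
        supplied = supplied.encode("utf-8")
    return hmac.compare_digest(expected, supplied)

def check_xsrf(method):
    """Same shape as the original decorator, minus the '!=' on the token."""
    @functools.wraps(method)
    def wrapper(self, *args, **kw):
        xsrf_header = self.request.headers.get("X-XSRF-TOKEN")
        if not tokens_match(self.xsrf_token, xsrf_header):
            raise HTTPError(403, "Invalid XSRF token.")
        return method(self, *args, **kw)
    return wrapper

class FakeHandler:
    """Minimal handler stand-in (constructed) with a fixed session token."""
    xsrf_token = "f3a9c2d1e8b74650"  # constructed value, not a real token

    def __init__(self, headers):
        self.request = SimpleNamespace(headers=headers)

    @check_xsrf
    def post(self):
        return "ok"

def attempt(headers):
    """Run constructed headers through the check; return the HTTP status."""
    try:
        FakeHandler(headers).post()
        return 200
    except HTTPError as exc:
        return exc.status_code
```

The user-side mitigation in the issue (disabling the web administration pages) still applies until a fix of this shape is deployed; the length of the token is the only thing compare_digest can still reveal, and that is already public.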