CSP - users should not be able to preset the nonce value

UI Components for JSF
Post Reply
jsoft
Posts: 15
Joined: 03 May 2019, 12:29

08 Nov 2022, 17:30

Hi,
one of our applications was reviewed by a security advisor.
According to them, the possibility of changing the nonce value by modifying a request param (primefaces.nonce) is considered a security flaw.
I understand that this behavior is necessary because the partial ajax responses need to have the same nonce as the original pages
but
is there some better place to keep this value, one which cannot be touched by the user?
For example, right now I'm testing a modified CspState that stores and reads the nonce from the ViewMap. So far it seems it's working, but it needs more tests. I can provide the code or submit a PR if anyone wants to check.

Any opinion/idea?

Melloware
Posts: 3476
Joined: 22 Apr 2013, 15:48

12 Nov 2022, 14:39

I don't think so on the browser we really have two choices

1) the way we are doing it in the variable
2) in browser SessionStorage or LocalStorage but I believe both of those are editable to someone as ewll as someone having access to your browser console to change the PrimeFaces.CSP.Nonce value. So

Is your security advisors concern that someone could exploit something by having physical access to your browser and changing this value?
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 12.0.0 / PF Extensions 12.0.3
PrimeReact 8.7.3

jsoft
Posts: 15
Joined: 03 May 2019, 12:29

12 Nov 2022, 19:23

I don't have access to the full PTVA report, but basically they told us:
  • nonce should be randomically generated -> OK
  • every response should have a differente nonce -> not possible because of partial responses
  • users should not be able to preset the nonce
It's considered a low level issue, but anyway I think it's resolvable, there are two possible solutions IMHO:
  • store and the read the nonce from the server, remove (or ignore) the request param
  • encrypt the nonce before sending to the client (like mojarra and myfaces do with viewstate), so we can safely read it from the request, checking the encryption
WDYT?

meanwhile, I think I have a small mitigation ready, I'll submit a PR soon

Melloware
Posts: 3476
Joined: 22 Apr 2013, 15:48

12 Nov 2022, 23:55

PR would be great so we can see what toyu have.
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 12.0.0 / PF Extensions 12.0.3
PrimeReact 8.7.3


Melloware
Posts: 3476
Joined: 22 Apr 2013, 15:48

02 Dec 2022, 18:45

Thank you for the PR!
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 12.0.0 / PF Extensions 12.0.3
PrimeReact 8.7.3

Post Reply

Return to “PrimeFaces”

  • Information
  • Who is online

    Users browsing this forum: No registered users and 11 guests