CSP - users should not be able to preset the nonce value

jsoft
Posts: 15
Joined: 03 May 2019, 12:29

08 Nov 2022, 17:30

Hi,
one of our applications was reviewed by a security advisor.
According to them, the possibility of changing the nonce value by modifying a request param (primefaces.nonce) is considered a security flaw.
I understand that this behavior is necessary because the partial ajax responses need to have the same nonce as the original pages
but
is there some better place to keep this value, one which cannot be touched by the user?
For example, right now I'm testing a modified CspState that stores and reads the nonce from the ViewMap. So far it seems it's working, but it needs more tests. I can provide the code or submit a PR if anyone wants to check.

Any opinion/idea?

Melloware
Posts: 3717
Joined: 22 Apr 2013, 15:48

12 Nov 2022, 14:39

I don't think so; on the browser we really have two choices:

1) the way we are doing it, in the variable
2) in browser SessionStorage or LocalStorage, but I believe both of those are editable by someone as well, as is the PrimeFaces.CSP.Nonce value for anyone who has access to your browser console to change it. So

Is your security advisors concern that someone could exploit something by having physical access to your browser and changing this value?
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1

jsoft
Posts: 15
Joined: 03 May 2019, 12:29

12 Nov 2022, 19:23

I don't have access to the full PTVA report, but basically they told us:
  • the nonce should be randomly generated -> OK
  • every response should have a different nonce -> not possible because of partial responses
  • users should not be able to preset the nonce
It's considered a low-level issue, but anyway I think it's resolvable; there are two possible solutions IMHO:
  • store and read the nonce on the server, and remove (or ignore) the request param
  • encrypt the nonce before sending it to the client (like Mojarra and MyFaces do with the ViewState), so we can safely read it from the request, checking the encryption
WDYT?

meanwhile, I think I have a small mitigation ready, I'll submit a PR soon
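
The second option above (make the client-echoed value tamper-evident), as an added stand-alone example that is not PrimeFaces code and does not use its CspState or ViewMap API: the server issues a random nonce plus an HMAC-SHA256 tag over it, and on the way back only accepts a `primefaces.nonce`-style parameter whose tag verifies under a key the client never sees. The class name, the `issue`/`verify` methods and the startup-generated key are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (hypothetical, not PrimeFaces code): a CSP nonce the client
 * may echo back in a request parameter but cannot preset, because the server
 * only accepts values that carry a valid HMAC tag.
 */
public final class SignedCspNonce {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // Per-application secret; assumed to be generated once at startup and kept server-side.
    private final byte[] key;

    public SignedCspNonce(byte[] key) { this.key = key.clone(); }

    /** Fresh 128-bit random nonce, the value that goes into the CSP header and nonce attributes. */
    public String newNonce() {
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        return ENC.encodeToString(raw);
    }

    /** Value handed to the client: nonce + "." + HMAC-SHA256(key, nonce). The nonce is URL-safe Base64, so it never contains '.'. */
    public String issue(String nonce) {
        return nonce + "." + ENC.encodeToString(hmac(nonce));
    }

    /**
     * Reads the echoed value back. Returns the bare nonce only when the tag verifies;
     * a missing, malformed, forged or modified value is rejected and the caller
     * should fall back to a fresh nonce instead of trusting the request.
     */
    public Optional<String> verify(String param) {
        if (param == null) return Optional.empty();
        int dot = param.indexOf('.');
        if (dot <= 0 || dot == param.length() - 1) return Optional.empty();
        String nonce = param.substring(0, dot);
        byte[] tag;
        try {
            tag = DEC.decode(param.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // Constant-time comparison so timing does not leak how many tag bytes matched.
        return MessageDigest.isEqual(tag, hmac(nonce)) ? Optional.of(nonce) : Optional.empty();
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        RANDOM.nextBytes(key);
        SignedCspNonce state = new SignedCspNonce(key);

        String nonce = state.newNonce();
        String token = state.issue(nonce); // what would travel in the request parameter
        System.out.println("echoed token:          " + state.verify(token).orElse("<rejected>"));

        // Attacker presets a nonce of their choosing: rejected (no valid tag).
        System.out.println("preset plain nonce:    " + state.verify("attacker-chosen").orElse("<rejected>"));
        // Attacker keeps a valid tag but swaps the nonce in front of it: rejected.
        String tag = token.substring(token.indexOf('.') + 1);
        System.out.println("tag on another nonce:  " + state.verify("attacker-chosen." + tag).orElse("<rejected>"));
    }
}
```

Only the bare nonce goes into `Content-Security-Policy: script-src 'nonce-...'` and the `nonce` attributes; the signed token is what the partial-response round trip carries. This addresses only the "users should not be able to preset the nonce" finding: it does not give every response a different nonce, and the first option in the post (keep the nonce in server-side view state and ignore the parameter entirely) avoids trusting any client-supplied value at all.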

Melloware
Posts: 3717
Joined: 22 Apr 2013, 15:48

12 Nov 2022, 23:55

A PR would be great so we can see what you have.


Melloware
Posts: 3717
Joined: 22 Apr 2013, 15:48

02 Dec 2022, 18:45

Thank you for the PR!
