[99s-extend] Reading body_qs multiple times

rambocoder erlang at rambocoder.com
Tue Apr 16 02:13:44 CEST 2013


Loic,

After giving the CSRF middleware some thought and reading
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL
I came to the conclusion that it is best to just not create the middleware and
instead deal with CSRF on an as-needed basis.

I know that node's Connect middleware
http://www.senchalabs.org/connect/csrf.html#defaultValue for example allows
for the csrf token to be passed as a query string parameter, however, the
OWASP article made me think that it is not the most secure approach.

For example, AngularJS http://docs.angularjs.org/api/ng.$http has a section
on how their AJAX component behaves to do CSRF out of the box, and they are
talking about the server sending a cookie XSRF-TOKEN that is not HttpOnly.
That makes me realize that csrf is a process more than just slapping some
middleware into the pipeline.

Btw, I noticed that when the result of the middleware execute function is
{error, StatusCode, Req}, if I set the reply on the request via cowboy_req:reply
before returning the {error, ...} tuple, the status code of that reply will be used.

Such as:
{ok, Req3} = cowboy_req:reply(403, [], "Invalid CSRF Token.", Req2),
{error, 500, Req3}; % 500 is ignored, 403 is returned

Is that by design?

Sincerely,

rambocoder



On Mon, Apr 15, 2013 at 4:47 PM, Loïc Hoguin <essen at ninenines.eu> wrote:

> Why not just put the token in the URL instead? if it's CSRF then it's
> probably used only once and only for POST and the like, so not cached or
> anything.
>
>
> On 04/15/2013 10:45 PM, rambocoder wrote:
>
>> Hello group,
>>
>> I am trying to put together a CSRF middleware
>> https://github.com/rambocoder/stable/commit/b26980d292ac42aadfe9921a961436e28cdbb693 and
>> if the body of the request contains "_csrf" token, I check to make sure
>> it matches the csrf token in the session.
>>
>> Currently I am doing it in middleware using cowboy_req:body_qs/1 however
>> when in the handler I need to read another body parameter, such as in
>> the rest_pastebin example:
>>
>> {ok, BodyQs, Req3} = cowboy_req:body_qs(Req),
>> Paste = proplists:get_value(<<"paste">>, BodyQs),
>>
>> cowboy_req:body_qs/1 returns [] due to the body of the request being
>> already read {body_state,done}
>>
>> Is it pointless to have the type of CSRF middleware that I am writing
>> and just do the CSRF in the handler's callback, where I can deal with
>> all the body_qs at once?
>>
>> Thank you,
>>
>> rambocoder
>>
>>
>> _______________________________________________
>> Extend mailing list
>> Extend at lists.ninenines.eu
>> http://lists.ninenines.eu:81/listinfo/extend
>>
>>
>
> --
> Loïc Hoguin
> Erlang Cowboy
> Nine Nines
> http://ninenines.eu
>
>
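To tie together the two points raised in this thread (the body can only be read once, so a middleware that calls body_qs/1 starves the handler; and a reply sent before returning {error, Code, Req} wins over Code), here is an added example. It is not code from the thread or from the rambocoder/stable repository; it assumes the Cowboy 0.8-era cowboy_req API (body_qs/1, set_meta/3, meta/3, header/2, cookie/2) and the {halt, Req} middleware return, and session_token/1 is a hypothetical placeholder shown as a double-submit cookie read.

```erlang
%% csrf_middleware.erl: added example, not from the thread or rambocoder/stable.
%% Assumes the Cowboy 0.8-era cowboy_req API and cowboy_middleware contract.
-module(csrf_middleware).
-behaviour(cowboy_middleware).
-export([execute/2, body_qs/1, secure_equal/2]).

-define(BODY_KEY, csrf_body_qs).

%% Middleware entry point: state-changing methods must carry a token matching
%% the one bound to the session; safe methods pass through untouched.
execute(Req, Env) ->
    {Method, Req2} = cowboy_req:method(Req),
    case lists:member(Method, [<<"POST">>, <<"PUT">>, <<"PATCH">>, <<"DELETE">>]) of
        false -> {ok, Req2, Env};
        true  -> check(Req2, Env)
    end.

check(Req, Env) ->
    %% Read the body exactly once and keep the parsed proplist on the request,
    %% so handlers call csrf_middleware:body_qs/1 instead of cowboy_req:body_qs/1.
    {ok, BodyQs, Req2} = cowboy_req:body_qs(Req),
    Req3 = cowboy_req:set_meta(?BODY_KEY, BodyQs, Req2),
    %% Token from the "_csrf" form field, or from the header AngularJS clients send.
    {HeaderTok, Req4} = cowboy_req:header(<<"x-xsrf-token">>, Req3),
    Sent = proplists:get_value(<<"_csrf">>, BodyQs, HeaderTok),
    {Expected, Req5} = session_token(Req4),
    case is_binary(Sent) andalso is_binary(Expected) andalso secure_equal(Sent, Expected) of
        true ->
            {ok, Req5, Env};
        false ->
            %% Reply ourselves and halt; returning {error, Code, Req} after a
            %% reply would ignore Code, as observed in the thread.
            {ok, Req6} = cowboy_req:reply(403, [], <<"Invalid CSRF Token.">>, Req5),
            {halt, Req6}
    end.

%% Handlers call this to get the already-read body; [] if the middleware did not run.
body_qs(Req) ->
    cowboy_req:meta(?BODY_KEY, Req, []).

%% Hypothetical session lookup. Shown here as the non-HttpOnly double-submit
%% cookie; a server-side session store lookup is the stronger choice.
session_token(Req) ->
    cowboy_req:cookie(<<"XSRF-TOKEN">>, Req).

%% Constant-time comparison so token mismatches do not leak via timing.
secure_equal(A, B) when byte_size(A) =/= byte_size(B) -> false;
secure_equal(A, B) ->
    lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0,
                lists:zip(binary_to_list(A), binary_to_list(B))) =:= 0.
```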