[Pkg-erlang-devel] Bug#570013: Bug#570013: RESTful interface for browser Javascript is insecure

Sam Bisbee sbisbee at computervip.com
Fri Feb 19 19:36:34 UTC 2010


On Fri, Feb 19, 2010 at 08:23:01PM +0100, Florian Weimer wrote:
> * Sam Bisbee:
> 
> >> You cannot use a RESTful interface from a browser because it is open
> >> to CSRF attacks.  Using an HttpOnly cookie is not sufficient because
> >> some of our browsers do not support HttpOnly.
> >
> > I'm not sure I understand what you're referring to here. It seems
> > like you're worried that Futon will send some sort of malicious
> > attack to a Futon user.
> 
> The technical term here is "Cross-Site Request Forgery" (CSRF).

So, having done some more digging on CSRF (I knew it by a different name) I
don't see a viable solution. The most popularly touted solution is to use
tokens (randomly generated or otherwise) to "make sure that the request is
coming from a valid form".

This is flawed because it's still _very_ possible to get that token in
malicious code: just request the page, pull out the token, and send the
request. All of this is easily done in less time than it would take the user to
realistically fill out the form, thereby defeating timeouts.

Let me know if you have thought of any other solutions.

> >> Furthermore, couchdb serves back Javascript contained in database
> >> attachment back to the browser for execution, offering yet another
> >> attack vector which also affects browsers with HttpOnly support.
> >
> > What Javascript are you referring to?
> 
> The Javascript which was uploaded to the database, either through the
> CSRF bug above, or some other interface.  CouchDB should make it more
> difficult to bring that to execution in a browser (especially those
> using the Futon front end).

I'm not interested in "more difficult" unless it means "impossible". Put
another way, I'm not interested in security through obscurity because it simply
doesn't work.

> >> But lenny is exposed in a rather different way; it does not seem to
> >> offer any authentication at all.
> >
> > Authentication has been in development for couchdb for quite some
> > time, being applied in different stages over the releases.
> 
> It's still a bit gross to release an authentication-less database with
> lenny. 8-/

I have to disagree here as there are many use cases for couchdb and any other
database that don't require authentication, especially when couchdb is so good
at switching between online and offline. 

One of the things that I love about couchdb is that it's built to be modular,
including the authentication. That means that I can use it or not, and easily
plug in different protocols. Put another way, there's nothing stopping people
from plugging authentication into couchdb or proxying through a web server
that provides authentication.

That being said, there is a lot more support for authentication in the later
versions of couchdb and I'm trying to get them into stable.

Thanks again for raising your concerns,

-- 
Sam Bisbee