So, you wanna crypto (in AEM)
Damien Antipa (@visiongeist) Antonio Sanso (@asanso)
Adobe Research Switzerland
Who are these guys BTW Antonio Sanso
Software Engineer Adobe Research Switzerland
Committer and PMC Member for Apache Sling
VP (Chair) for Apache Oltu (OAuth Protocol Implementation in Java)
Internet Bug Bounty, Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll
What is Cryptography?
DISCLAIMER – I am not a cryptographer
Cryptography is the art of protecting information
JSON Web Token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhZW0iLCJzdWIiOiJhc2Fuc28iLCJleHAiOjE0MzUwNjg3MTEsImlhdCI6MTQzNTA2NTExMX0.MaGUiPg07ezuP9yAOaVLETQH6HMOpfoGwg_c0-PDw
{"alg":"HS256","typ":"JWT"} Header
Claims {"iss":"aem","sub":"asanso","exp":1435068711,"iat":1435065111}
Signature HMAC
★
CSRF – How does the attack work?
POST http://bank.com/transfer.do HTTP/1.1acct=BOB&amount=100
The Attack (Mallory Page)<form action="http://bank.com/transfer.do" method="POST">
<input type="hidden" name="acct" value=”ANTONIO"/><input type="hidden" name=amount" value="100000"/><input type="submit" value=”Show pictures"/>
</form>
Browsers make requests (with cookies) to any other origin
CSRF – AEM <= 6.0 ProtectionApache Sling Referrer Filter
White list of allowed referrerfor
POST/PUT/DELETE operations
Q. IS IT SAFE ? A. YES
CSRF – AEM <= 6.0 Protection
HTTP HTTPReferer
HTTPS HTTPSReferer
HTTP HTTPSReferer
HTTPS HTTP
<html><script>function load() { var postdata = '<form id=dynForm method=POST action=\'http://bank.com/transfer.do\'>' + '<input type=hidden name=acct value=ANTONIO />' + '<input type=hidden name=amount value=100000 />' + '</form>'; top.frames[0].document.body.innerHTML=postdata; top.frames[0].document.getElementById('dynForm').submit();}</script><body onload="load()">
<iframe src="about:blank" id="noreferer"></iframe></body></html>
CSRF – Token (Classic solution)
- Include a hidden form field <form action="http://bank.com/transfer.do" method="POST"> ... <input type="hidden" name="csrfToken" value=“ewqakjdsa”/> </form>
- Store the token server side in a database
- Check if the token match
- Not cachable !
- Not scalable !
Goals of the CSRF implementation★
- Easy to use- Transparent to application code- No dependencies- Auto refresh
- Available on author and publish- No leakage to other domain
- Browser support- IE8+
- Scalable and Cacheable- No sticky sessions- No HTTP Sessions
How to use it in a project
If you are building an admin UI based on Granite, you need to do:
NOTHING - we include it for you
If you are building an independent or public facing login, you to:
you need to add granite.csrf.standalone client library
In both scenarios your Javascript code does NOT need to do anything or be aware of the CSRF token.
Ensure Integrity and Caching
- Use JSON Web Token
- Sign using system HMAC key
- Validate the token using standard JWT validation
- Short expiration time
- Asynchronous update http://localhost:4502/libs/granite/csrf/token.json
Covered Communication
- HTML forms. Make sure the synchronous POST includes the TOKEN
- Make sure all non-GET AJAX calls include the token
- “Asynchronous” file upload for legacy IE.
Make sure that form submissions to dynamically created
iFrames include the TOKEN.
XMLHttpRequest.prototype.send = function(method) {
this.setRequestHeader('CSRF-Token', globalToken); send.apply(this, arguments);
};
function handleForm(ev) { var form = ev.target; if (form.nodeName.toLowerCase() === 'form') {
input = document.createElement('input'); input.setAttribute('type', 'hidden'); input.setAttribute('name', 'CSRF-Token'); input.setAttribute('value', globalToken); form.appendChild(input); }}
document.addEventListener( 'submit', handleForm, true /* capture phase */);
https://docs.adobe.com/docs/en/aem/6-0/develop/ref/javadoc/com/adobe/granite/crypto/CryptoSupport.html
https://docs.adobe.com/docs/en/aem/6-0/develop/ref/javadoc/com/adobe/granite/oauth/jwt/package-summary.html
Documentation
Questions?
Damien Antipa, Senior UX EngineerTwitter: @visiongeist
Antonio Sanso, Software EngineerTwitter: @asanso