Apache Tapestry - CSRF Protection - First Prototype

To get in touch with tapestry internals I implemented a first draft of a CSRF protection mechanism based on a mixin and an annotation named Protected.

The mixin adds a hidden formtoken input field into a Form component - currently in a really ugly way. Additionally the formtoken is also stored in the session at the server side.

Protected - Mixin

package org.apache.tapestry5.csrfprotection.victimapp.mixins;

import java.util.List;
import java.util.UUID;

import org.apache.tapestry5.MarkupWriter;
import org.apache.tapestry5.dom.Element;
import org.apache.tapestry5.dom.Node;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.apache.tapestry5.services.Request;

public class Protected {
 @Inject
 private Request request;

 void afterRender(MarkupWriter writer) {
  List<Node> nodes = writer.getElement().getChildren();
  for(Node node:nodes){   
   if(node instanceof Element && ((Element)node).getName().equals("form")){
    Element form = (Element) node;
    String token = UUID.randomUUID().toString();
    form.element("input", "type","hidden","name","formtoken","value",token);
    request.getSession(true).setAttribute("formtoken", token);
   }
  }
 } 
}

The value of the formtoken stored in the session is compared against the HTTP request parameter, if the event handler is annotated with the Protected annotation.

Protected - Annotation

package org.apache.tapestry5.csrfprotection.victimapp.annotations;

import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

import java.lang.annotation.Documented;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;

@Target(METHOD)
@Retention(RUNTIME)
@Documented
public @interface Protected {

}

The magic happens in the ProtectedWorker class, where the class transformation is done with the help of Plastic. The methods that have the @Protected annotation are enhanced with the comparison of the session parameter and the request parameter. In the case of an CSRF attack an exception is thrown.

ProtectedWorker

package org.apache.tapestry5.csrfprotection.victimapp.protection;

import org.apache.tapestry5.csrfprotection.victimapp.annotations.Protected;
import org.apache.tapestry5.model.MutableComponentModel;
import org.apache.tapestry5.plastic.MethodAdvice;
import org.apache.tapestry5.plastic.PlasticClass;
import org.apache.tapestry5.plastic.PlasticMethod;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Session;
import org.apache.tapestry5.services.transform.ComponentClassTransformWorker2;
import org.apache.tapestry5.services.transform.TransformationSupport;
import org.apache.tapestry5.plastic.MethodInvocation;

public class ProtectedWorker implements ComponentClassTransformWorker2 {
 private Request request;
 
 public ProtectedWorker(Request request){
  this.request = request;
 }
 public void transform(PlasticClass plasticClass,
   TransformationSupport support, MutableComponentModel model) {

  final MethodAdvice myLoggingAdvice = new MethodAdvice() {
   public void advise(MethodInvocation invocation) {
    
    String requestParam = request.getParameter("formtoken");
    String sessionParam = ""; // avoid null pointer exceptions
    Session session = request.getSession(false);
    if(session != null){
     sessionParam = session.getAttribute("formtoken").toString();
    }
    
    if(sessionParam.equals(requestParam)){
     invocation.proceed();
    }
    else{
     invocation.setCheckedException(new ProtectionException("CSRF Attack detected."));
     invocation.rethrow();
    }
   }
  };
  for (final PlasticMethod method : plasticClass
    .getMethodsWithAnnotation(Protected.class)) {
   method.addAdvice(myLoggingAdvice);
  }
 }
}

The exception class is currently trivial.

ProtectedException

package org.apache.tapestry5.csrfprotection.victimapp.protection;

public class ProtectedException extends Exception {
 public ProtectedException(String msg){
  super(msg);
 }

}

To make it run, the class transform configuratoin in the AppModule is required.

AppModule - Fragment

@Contribute(ComponentClassTransformWorker2.class)
    public static void provideTransformWorkers(
            OrderedConfiguration configuration,

            MetaWorker metaWorker,

            ComponentClassResolver resolver)
    {
     configuration.addInstance("Protected",ProtectedWorker.class);
    }

I just added the mixin in the html template of my sample applications and protected the onSuccess event handler.

Usage

<form t:type="form" t:id="statusForm" t:mixins="Protected">

@Protected
 private Object onSuccess(){
  history.getHistory().add(statusMessage);
  return this;
 }

CSRF - Attack

The sample attack that targets the form submit fails now with an exception:

m2eclipse import does not recognize Java projects

m2eclipse seem not to work so nice as thought after the first usage. Some projects are not recognized as Java projects.

Tapestry tests hanging with Firefox4

The automated selinum tests that are part of the test goal of Tapestry5 hang if Firefox 4 is used. By switching back to Firefox 3 the build completes.

m2eclipse

As suggested by Thiago H. de Paula Figueiredo I used the m2eclipse plugin which integrates maven multi module  projects better in Eclipse.

One problem still remain - the source directory setting of the plastic module/project.

It points to the root directory of the module.

With these settings it works.

The error seems to come from the pom.xml setting for sourceDirectory of the plastic module. 

Using Eclipse to compile Apache Tapestry source

Today I faced some problems when I created eclipse project files for Tapestry. There are several modules that result in separate Eclipse project files. Since there is a Maven pom.xml for the whole Tapestry project and for each project I used

mvn eclipse:eclipse -DdownloadSource=true

to generate initial project files. I used a separate workspace where I imported all projects of Tapestry. At first Eclipse was not able to compile them.

I identified two problems:

1. ArtefactID of tapestry-annotations is tapestry5-annotations. This resulted in an invalid classpath project reference to tapestry-5annotations. After manually modifying the build path settings for the tapestry-ioc and the tapestry-component-report projects that error was resolved. Seems that the pom.xml needs to be fixed to solve that problem, but this would probably cause many side effects.
   
   
2. The source directory configuration in the plastic project pom.xml just points to the project folder. This results in an invalid project configuration in Eclipse. By manually changing the project layout to use the src/test/java, src/main/java and src/external/java and target/maven-shared-archive-resources and removing the project root folder fixed the problem and the projects compile in Eclipse without any problem.

To demonstrate the CSRF vulnerability I have created a simple app called LittleChirp that allows to post a small status message for a logged in user.

The tapestry app behind is simple:

The Index.java and Index.tml files contain the Java class and the page template for the home page. 

public class Index 

{

@SessionState

@Property

private AuthenticationState auth;

@Property

private String username = "TestUser";




@Property

private String password = "Secret";

@InjectPage

private Status status;

@Log

private Object onSuccess(){

auth.setLoggedIn(true);

return status;

}

}




The status page puts the posted statusMessage into a History objects that acts as a wrapper for the status history and is stored in the session.


public class Status{

@Property
private String statusMessage;

@SessionState(create=true)
@Property
private History history;

@Log
private Object onSuccess(){
history.getHistory().add(statusMessage);
return this;
}

@SessionState
private AuthenticationState auth;

@InjectPage
private Index home;

@Log
private Object onActivate(){
if(!auth.isLoggedIn()){
return home;
}
return null;
}
}

If the user is not logged in a redirect to the home page is done. The Layout component contains the functionality to logout a user, which is included at each page that uses the layout.


 @InjectPage
private Index home;
 
    @Inject
    private Request request;
 
    @Log
public Object onActionFromLogout(){
auth.setLoggedIn(false);
request.getSession(false).invalidate();
return home;
}
}

The attack site, which demonstrates the CSRF vulnerability contains two attacks. 

Post request:

<form action="http://localhost:8080/victimapp/status.statusform" method="post">
<input type="hidden" name="statusMessage" value="My evil message, that maybe contains also some bad javascript code."/>
<input type="hidden" name="t:formdata" value="H4sIAAAAAAAAAFvzloG1XIxBJLgksaS02KoYTOWmFhcnpqcWFzGY5hel6yUWJCZnpOqVJBakFpcUVZrqJecXpeZkJuklJRan6jkmAQUTk0vcMlNzUlSCU0tKC1RDD3M/FD3+h4mB0YeBOzk/r6QoP8cvMTe1hEHIJyuxLFE/JzEvXT+4pCgzL926oqCEgRdisS/EYjwOciTVQQFF+clA3cGlSbmZxcWZ+XmH16WYpH2bd46JgaGiAAAF4Kgw/wAAAA==">
<input type="submit" value="Go"/>
</form>

If the "Go" button is pressed a status message update is sent to LittleChirp. This works if the user is currently logged in in the same browser. The t:formdata paramater is a token that is the same for all users and session and will only change if the component structure of the page is changed, it is no protection against CSRF.

GET request:
<a href="http://localhost:8080/victimapp/index.layout.logout"><img src="res/money.jpg" style="width:200px"/></a>

If the user can be tricked to click on the second image, the logout action of LittleChirp is executed. In this case it is not a big problem but on other sites some bigger functionality can behind such action links.

Google Summer of Code 2011!

I start this blog to document my progress for my Google Summer of Code 2011 project Cross-site request forgery protection for Apache Tapestry.

http://www.google-melange.com/gsoc/project/google/gsoc2011/mjung85/8001