Tuesday, October 31, 2017

Re: RequestBuilder, safely send data to server

HI Thomas, are the GWT methods XsrfProtectedService on client side and XsrfProtectedServiceServlet on server side still experimental? The GWT documentation has described csrf protection in detail using them... Can I follow that?

On Thursday, 2 March 2017 17:19:11 UTC+2, Thomas Broyer wrote:

On Thursday, March 2, 2017 at 8:01:18 AM UTC+1, gitzzz wrote:
Hi! I use RequestBuilder for client-server communication. And I have some questions:

For example we make http request to ".../get.php"(function(), select some data from DB and send it back).  Response is an array[1,2,3,4,5]

On client side onTheButtonClick we can change the data, the new_array[1,3,6,8,9], and now we need to send this changes to DB. And onSaveButtonClick() we make http post request to ".../set.php" with parameters = new_array

The question is: does it safe? Is it possible that anybody authed user can make this call by creating JS script with http post request and send his own(fake) data?(e.g. fake_array[10,20,30,23,12]) without clicking a button. How can I send change data from client side to a server safely?

What you're describing is a Cross-Site Request Forgery (CSRF) attack and is absolutely possible.
Your server code needs to check the origin of the request to prevent them (if there's an Origin header, use it, otherwise use the Referer header; check that the scheme, hostname and port match the current request –or any origin you decide to trust for issuing such requests–; and if there's neither you should refuse the POST request, but you should know that some corporate proxies remove Referer headers, so without HTTPS to prevent this man-in-the-middle situation you're going to need CSRF "tokens" and this is a bit painful to manage correctly).
See https://www.w3.org/TR/cors/ for the gory details.

You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.

No comments:

Post a Comment