SHIM Security Improvements
Aug 14, 2018
“I made some security improvements in SHIM.”
#shim #floss #security
The other day I noticed that SHIM was vulnerable to CSRF attacks, so I decided to fix that. To do this I used nosurf. It ended up being pretty simple: just plug in nosurf as middleware for your requests, and then plug the token value into a hidden <input> element somewhere inside your <form>.
While implementing this, I also saw that SHIM’s Delete Post page had a security vulnerability: it didn’t follow the HTTP specification. How? SHIM was using a GET request to delete a page, which violates GET’s idempotent properties. But wait, how is a semantic bug a security vulnerability? How did this happen?
Why are such little things important? Do you really need to worry about the minute technical details of the HTTP protocol when building a web application? Yes. Yes you do.
It matters because these little things can have security implications that you may not have foreseen. Like opening your garage door:
You know how HTTP GET requests are meant to be idempotent? Well, do I have the story for you ... a while back I added WiFi control to our garage doors with little Wemos D1s.
— William (@rombulow) April 29, 2018
The Wemos expose a simple web page with a link that says "Toggle". The endpoint for the link activates a relay, which is hooked up to the push-button on the garage door, which makes the door raise/lower/halt.
— William (@rombulow) April 29, 2018
(This /toggle endpoint responds to GET requests. I threw the code together in minutes and was too lazy to spend another couple minutes figuring out POST. #regret)
— William (@rombulow) April 29, 2018
Safari eventually figured out I used this /toggle page regularly, so it added it to my favourites. Which are iCloud-synced between all my devices.
— William (@rombulow) April 29, 2018
So every time I opened a new tab on my laptop, desktop, iPhone or iPad the garage door opened or closed. Late at night, early in the morning, or randomly throughout the day...
— William (@rombulow) April 29, 2018
This, kids, is why GET requests should be idempotent.
— William (@rombulow) April 29, 2018
While this security flaw probably didn’t affect anyone, it possibly could have.
For example, a simple request to https://www.camconn[.]cc/secret/path/to/shim/delete/<post base64>?confirm=yes could have given an attacker the ability to delete arbitrary pages on my website. That isn’t totally pwning me, but that is still pretty bad.
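To make both fixes concrete, here is an added example that is neither SHIM's code nor nosurf itself: a small Go program, standard library only, with a double-submit-cookie CSRF middleware in the style nosurf uses and a delete handler that renders the confirmation form (token in a hidden <input>) on GET and only deletes on POST. The HTTP property at stake is that GET is a safe method (no server-side side effects), which is exactly what bookmark previews, prefetchers and the garage-door story above rely on. The cookie/field name csrf_token, the post id aGVsbG8 and the in-memory posts map are constructed for this example; Exercise replays the old-style GET with ?confirm=yes, a forged POST that carries the cookie but not the token, and the legitimate POST.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// csrfName is a hypothetical name for the token cookie and the hidden field;
// posts is a constructed stand-in for the site, keyed by SHIM's base64 post id.
const csrfName = "csrf_token"
var posts = map[string]bool{"aGVsbG8": true}

// csrfProtect is a double-submit-cookie middleware in the spirit of nosurf: the
// response sets a token cookie, and every non-safe request must echo that token
// in the form field. A cross-site <form> or <img> cannot read the cookie.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(csrfName)
		if err != nil || c.Value == "" {
			b := make([]byte, 32)
			if _, err := rand.Read(b); err != nil {
				panic(err) // a failing CSPRNG is not something to limp past
			}
			c = &http.Cookie{Name: csrfName, Value: base64.RawURLEncoding.EncodeToString(b),
				Path: "/", HttpOnly: true, SameSite: http.SameSiteStrictMode}
			http.SetCookie(w, c)
			r.AddCookie(c) // let the handler below read the fresh token
		}
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			// safe methods must not change state, so no token is required
		default:
			got, want := []byte(r.FormValue(csrfName)), []byte(c.Value)
			if subtle.ConstantTimeCompare(got, want) != 1 {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// deleteHandler: GET only renders the confirmation form, whatever the query
// string says; the deletion itself happens on POST, behind the token check.
func deleteHandler(w http.ResponseWriter, r *http.Request) {
	post := strings.TrimPrefix(r.URL.Path, "/delete/")
	switch r.Method {
	case http.MethodGet:
		c, _ := r.Cookie(csrfName) // always present: csrfProtect set it
		fmt.Fprintf(w, `<form method="POST"><input type="hidden" name="%s" value="%s"><button>Delete</button></form>`, csrfName, c.Value)
	case http.MethodPost:
		if !posts[post] {
			http.NotFound(w, r)
			return
		}
		delete(posts, post)
		fmt.Fprintf(w, "deleted %s\n", post)
	}
}

// Outcome records the status code and the fate of the post for each replay.
type Outcome struct {
	GetStatus, ForgedStatus, ValidStatus  int
	SurvivedGet, SurvivedForgery, Deleted bool
}

func send(h http.Handler, method, target string, form url.Values, cookies []*http.Cookie) *httptest.ResponseRecorder {
	req := httptest.NewRequest(method, target, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	for _, c := range cookies {
		req.AddCookie(c)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec
}

// Exercise replays the old GET, a forged POST (cookie, no token), and a valid POST.
func Exercise() Outcome {
	posts = map[string]bool{"aGVsbG8": true}
	mux := http.NewServeMux()
	mux.HandleFunc("/delete/", deleteHandler)
	h := csrfProtect(mux)
	var o Outcome
	rec := send(h, http.MethodGet, "/delete/aGVsbG8?confirm=yes", nil, nil)
	o.GetStatus, o.SurvivedGet = rec.Code, posts["aGVsbG8"]
	cookies := rec.Result().Cookies()
	rec = send(h, http.MethodPost, "/delete/aGVsbG8", nil, cookies)
	o.ForgedStatus, o.SurvivedForgery = rec.Code, posts["aGVsbG8"]
	rec = send(h, http.MethodPost, "/delete/aGVsbG8", url.Values{csrfName: {cookies[0].Value}}, cookies)
	o.ValidStatus, o.Deleted = rec.Code, !posts["aGVsbG8"]
	return o
}

func main() { fmt.Printf("%+v\n", Exercise()) }
```

Running it prints one Outcome: the GET returns 200 and leaves the post in place even with ?confirm=yes, the forged POST is refused with 403, and only the POST carrying the token deletes the post. SameSite=Strict on the cookie is a second layer for modern browsers; the token comparison is what actually closes the hole, and it is done in constant time so the check leaks nothing about the token.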
Anywho, SHIM has been updated. Patch your installations.