White

Reputation: 134

Django CSRF token failure risk

On our production server, periodically we suffer from many CSRF token failures. The site does work fine for the rest, and I am aware CSRF failures may be user-side errors. However, for example this morning we received a flood of new failures, so we want to exclude any other possibilities.

An example failure mail today:

{
   "GET": {},
   "COOKIES": {},
   "ERROR": "Referer checking failed - no Referer.",
   "USER": "AnonymousUser",
   "META": {
       "REMOTE_ADDR": "127.0.0.1",
       "mod_wsgi.version": "(4, 5, 20)",
       "DOCUMENT_ROOT": "/usr/local/apache2/htdocs",
       "SERVER_ADDR": "127.0.0.1",
       "HTTP_ACCEPT_ENCODING": "gzip, deflate, br",
       "wsgi.multithread": "True",
       "HTTP_FORWARDED_REQUEST_URI": "/",
       "CONTEXT_DOCUMENT_ROOT": "/usr/local/apache2/htdocs",
       "wsgi.file_wrapper": "<class 'mod_wsgi.FileWrapper'>",
       "mod_wsgi.path_info": "/",
       "HTTP_ORIGIN": "chrome-extension://aegnopegbbhjeeiganiajffnalhlkkjb",
       (...)
   },
   "POST": {}
}

Especially the HTTP_ORIGIN looks "interesting": why is this Chrome extension scraping/bullying us?

So essentially: Do we need to be worried about this?

Thanks!

Upvotes: 1

Views: 329
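A way to answer "do we need to be worried?" for a whole batch of these mails, added here as an example and not part of the question: parse each failure report, and separate probes that involved no session at all (no cookies, AnonymousUser, empty POST, an Origin that is not an http/https page) from failures where a logged-in user with a live session cookie failed the check, which is the only case a CSRF failure actually protects against. The three reports are constructed for the example (the first mirrors the one quoted above), the `sessionid` cookie name is Django's default, and the verdict thresholds are assumptions, not anything the question states.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed failure reports in the shape of Django's CSRF failure mail.
# The first mirrors the question's report; the other two are made up for contrast.
SAMPLE_REPORTS = [
    json.dumps({
        "GET": {}, "COOKIES": {},
        "ERROR": "Referer checking failed - no Referer.",
        "USER": "AnonymousUser",
        "META": {"REMOTE_ADDR": "127.0.0.1",
                 "HTTP_ORIGIN": "chrome-extension://aegnopegbbhjeeiganiajffnalhlkkjb"},
        "POST": {},
    }),
    json.dumps({
        "GET": {},
        "COOKIES": {"sessionid": "<session-id-placeholder>", "csrftoken": "<token-placeholder>"},
        "ERROR": "CSRF token missing or incorrect.",
        "USER": "alice",
        "META": {"REMOTE_ADDR": "203.0.113.7", "HTTP_ORIGIN": "https://www.example.com"},
        "POST": {"csrfmiddlewaretoken": "<stale-token-placeholder>"},
    }),
    json.dumps({
        "GET": {}, "COOKIES": {},
        "ERROR": "Referer checking failed - no Referer.",
        "USER": "AnonymousUser",
        "META": {"REMOTE_ADDR": "198.51.100.9"},
        "POST": {},
    }),
]


def load_reports(raw_reports):
    """Parse the JSON bodies of failure mails into dicts."""
    return [json.loads(raw) for raw in raw_reports]


def origin_kind(origin):
    """'absent', 'web' (an http/https page) or 'non-web' (extension, null, file, ...)."""
    if not origin:
        return "absent"
    scheme = urlsplit(origin).scheme.lower()
    return "web" if scheme in ("http", "https") else "non-web"


def triage(report):
    """Return (verdict, reasons) for one parsed failure report.

    'investigate': a logged-in user with a session cookie failed the check,
                   which is the situation the CSRF check exists to protect.
    'noise'      : no session was involved, so there was nothing to forge against.
    'review'     : anything in between.
    """
    cookies = report.get("COOKIES", {})
    user = report.get("USER")
    origin = report.get("META", {}).get("HTTP_ORIGIN")
    reasons = []
    if user != "AnonymousUser" and "sessionid" in cookies:  # Django's default cookie name
        return "investigate", ["%s failed CSRF with a live session cookie" % user]
    if origin_kind(origin) == "non-web":
        reasons.append("Origin %s is not a web page" % origin)
    if not cookies:
        reasons.append("no cookies, so no session to forge against")
    if user == "AnonymousUser":
        reasons.append("anonymous user")
    if not report.get("POST"):
        reasons.append("empty POST body")
    verdict = "noise" if (not cookies and user == "AnonymousUser") else "review"
    return verdict, reasons


def summarize(raw_reports):
    """Aggregate a batch of raw reports into counts a responder can read at a glance."""
    verdicts, errors, origins = Counter(), Counter(), Counter()
    for rep in load_reports(raw_reports):
        verdicts[triage(rep)[0]] += 1
        errors[rep.get("ERROR", "?")] += 1
        origins[origin_kind(rep.get("META", {}).get("HTTP_ORIGIN"))] += 1
    return {"verdicts": dict(verdicts), "errors": dict(errors), "origins": dict(origins)}


if __name__ == "__main__":
    for rep in load_reports(SAMPLE_REPORTS):
        print(triage(rep))
    print(summarize(SAMPLE_REPORTS))
```

A flood made up entirely of "noise" verdicts is a monitoring problem rather than an attack; a single "investigate" verdict in the same batch is the one worth reading in full.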

Answers (1)

user195311

Reputation: 58

This looks like an oddly coded "feature" in the "Browser Safety" Chrome extension. It tries to check if a URL is valid by sending an empty POST request to it (why?!).

// Quoted from the extension; blacklists, domainFromUrl and onErrorReceived are
// defined elsewhere in its code and are not shown here.
var checkUrlState = function (url) {
    var urlState = null;
    if (blacklists.indexOf(domainFromUrl((url).toString())) < 0) {
        var xhr = new XMLHttpRequest();
        try {
            xhr.open("POST", url, true); // asynchronous POST
            xhr.timeout = 5000; // time in milliseconds
            xhr.onreadystatechange = function() {
                if (xhr.readyState == 4) {
                    urlState = xhr.status; // only set once the response has arrived
                } else {
                    urlState = null;
                }
            }
            xhr.ontimeout = function () {
                // timeouts are silently ignored
            }
            xhr.send(); // no body: this is the empty POST the server sees
        } catch (e) {

            onErrorReceived.call(xhr);
        }
    }
    return urlState; // returns before the async callback runs, so this is null in practice
}

I'm also seeing this on my sites. I would recommend filtering it on the frontend based on the Origin header.

Upvotes: 3
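One way to do the filtering the answer recommends, added here as an example (it is not code from the answer, the extension, or Django): a small WSGI wrapper placed in front of the Django application that answers 403 to unsafe-method requests whose `Origin` has a scheme other than `http` or `https`. A normal browser page can only send an http/https Origin (or none), so a `chrome-extension://` Origin can never be a legitimate same-site form post; Django would reject it anyway, the wrapper just stops it from becoming a failure mail. Requests with no Origin are passed through untouched so Django's own CSRF check still decides. The `echo_app`, the `run` helper and the two environ dicts are constructed for the example; the environ keys mirror the META block quoted in the question.

```python
from urllib.parse import urlsplit

# Methods Django's CsrfViewMiddleware actually checks; safe methods never fail CSRF.
UNSAFE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})


def origin_kind(origin):
    """Classify an Origin header value: 'absent', 'web' (http/https) or 'non-web'.

    Values such as 'chrome-extension://...' or 'moz-extension://...' come from
    extension background scripts, never from a page that could carry a same-site
    form submission. 'null' and anything without a scheme land in 'non-web' too;
    none of those would pass Django's origin check, so nothing legitimate is lost.
    """
    if origin is None:
        return "absent"
    scheme = urlsplit(origin).scheme.lower()
    return "web" if scheme in ("http", "https") else "non-web"


class NonWebOriginFilter:
    """WSGI wrapper that answers 403 to unsafe requests from a non-web Origin.

    Everything else, including requests with no Origin at all, is passed through
    unchanged so Django's CSRF middleware still makes the real decision. This only
    removes the failure mails such probes generate; it is not a CSRF defence.
    """

    def __init__(self, app, log=print):
        self.app = app
        self.log = log
        self.rejected = 0  # simple counter you can expose to monitoring

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        origin = environ.get("HTTP_ORIGIN")
        if method in UNSAFE_METHODS and origin_kind(origin) == "non-web":
            self.rejected += 1
            self.log("rejected %s %s from non-web origin %r"
                     % (method, environ.get("PATH_INFO", "/"), origin))
            body = b"Forbidden: requests from this origin are not accepted\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Stand-in for the real Django application (constructed for this example)."""
    body = b"reached the application\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run(app, environ):
    """Drive a WSGI app once and return (status, body) so results can be checked."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


# Constructed environ dicts; the first mirrors the META block of the failure mail.
EXTENSION_PROBE = {
    "REQUEST_METHOD": "POST",
    "PATH_INFO": "/",
    "HTTP_ORIGIN": "chrome-extension://aegnopegbbhjeeiganiajffnalhlkkjb",
}
BROWSER_FORM_POST = {
    "REQUEST_METHOD": "POST",
    "PATH_INFO": "/login/",
    "HTTP_ORIGIN": "https://www.example.com",
}

if __name__ == "__main__":
    app = NonWebOriginFilter(echo_app)
    print(run(app, EXTENSION_PROBE))    # ('403 Forbidden', b'Forbidden: ...')
    print(run(app, BROWSER_FORM_POST))  # ('200 OK', b'reached the application\n')
```

Under mod_wsgi this goes in `wsgi.py` as `application = NonWebOriginFilter(get_wsgi_application())`, using Django's real `django.core.wsgi.get_wsgi_application`. The same test can be done one layer further out in Apache with a `RewriteCond %{HTTP:Origin}` rule on the scheme, which keeps the probes off the Python workers entirely. Either way, the Origin header is client-controlled, so this is noise reduction in front of Django's CSRF check, never a replacement for it.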
