
CSRF breaks when changing the host:port #581

Open
fortbridge opened this issue Feb 3, 2025 · 7 comments
@fortbridge

Describe the bug
When exposing ports like 8080/4443 on the host, the CSRF mitigations break everything.

To Reproduce
Steps to reproduce the behavior:

1. In production.yaml, change the exposed ports on the host to 8080/4443.
2. Follow the instructions here: https://www.ghostwriter.wiki/getting-started/quickstart to set allowhost, trustorigin, and NGINX_HOST to "ghostwriter", for example.

Expected Behavior
I'd expect to still be able to use the app.

Screenshots
Every time I do a POST, I get CSRF errors.


@fortbridge fortbridge added the bug Something isn't working label Feb 3, 2025
@chrismaddalena chrismaddalena removed the bug Something isn't working label Feb 3, 2025
@chrismaddalena
Collaborator

Hey @fortbridge, what exactly did you do to change the ports? The CSRF is all part of Django, and Django/CSRF doesn't look at the port used for the server. What matters is the CSRF token + related traffic makes it to the server.

Also, what are the errors you see? What do the Django and nginx logs show after you make a request?

 ./ghostwriter-cli logs nginx
 ./ghostwriter-cli logs django

If you want to change the ports used for nginx, you must also update the nginx.conf. By default, nginx listens on 80 and 443, so production.yml exposes those ports.

@adrian-rt

adrian-rt commented Feb 4, 2025

@chrismaddalena
These are the logs from the container; it fails the referrer check:

INFO:     172.20.0.6:44854 - "GET /accounts/login/?next=/reporting/reports/findings/update/21 HTTP/1.0" 200 OK
WARNING 2025-02-04 15:42:24,314 log 16 128121137470264 Forbidden (Referer checking failed - https://ghostwriter:4443/accounts/login/?next=/reporting/reports/findings/update/21 does not match any trusted origins.): /accounts/login/
INFO:     172.20.0.6:44858 - "POST /accounts/login/ HTTP/1.0" 403 Forbidden
INFO:     172.20.0.6:44866 - "GET /favicon.ico HTTP/1.0" 404 Not Found

These are the changes to production.yml:

adrian@adrian-Precision-7750:~/Downloads/tools/Ghostwriter$ cat production.yml | grep -i -C 3 4443
      name: ghostwriter_nginx
    ports:
      - "0.0.0.0:8090:80"
      - "0.0.0.0:4443:443"
    environment:
      - NO_PROXY=django,graphql_engine
    healthcheck:

And in the browser after login I get this:


Forbidden (403)
CSRF verification failed. Request aborted.

More information is available with DEBUG=True.

@chrismaddalena
Collaborator

The nginx logs show the origin is untrusted. You changed the hostname to ghostwriter so make sure you've also added ghostwriter as a trusted host, as outlined here:

https://www.ghostwriter.wiki/getting-started/quickstart#customizing-the-domain-name-or-ip-address

Also, if you're connecting via a web proxy, add your proxy as a trusted origin. That's covered in the section just below that one. Then, restart the containers with:

$ ./ghostwriter-cli containers down && ./ghostwriter-cli containers up

@adrian-rt

@chrismaddalena thanks, but I tried that as well, as mentioned in the first post and it didn't work.

I've tried with both 'ghostwriter' and '*' and none of these worked.

@chrismaddalena
Collaborator

Let's revert your changes and try without changing the hostname. Are you able to connect?

Usually, you only want to change the NGINX_HOST if you're trying to use custom DNS and have generated certificates for the new name. Are you trying to do something locally to map ghostwriter to a hostname or IP address on your network?

@adrian-rt

I set all the configs to localhost, but I'm still getting CSRF errors:

[screenshot attached in the original issue; not reproduced here]

Correct, I'm trying to map ghostwriter to my local IP so I can access it as https://ghostwriter:4443/. I really need to have this running on non-standard ports.

@adrian-rt

adrian-rt commented Feb 7, 2025

I fetched the latest version and redid the test.

Simply changing the ports in production.yml causes the following error:

INFO:     connection open
WARNING 2025-02-07 13:22:28,531 log 17 129198444276536 Forbidden (Referer checking failed - https://localhost:4443/shepherd/servers/create/ does not match any trusted origins.): /shepherd/servers/create/
INFO:     172.20.0.6:50284 - "POST /shepherd/servers/create/ HTTP/1.0" 403 Forbidden

This was the change:

      name: ghostwriter_nginx
    ports:
      - "0.0.0.0:8090:80"
      - "0.0.0.0:4443:443"
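Editor's note on the two "Referer checking failed" warnings quoted above. That exact message comes from Django's CsrfViewMiddleware, which, for a POST over HTTPS, compares the Referer's netloc (host plus port, if any) against the netloc of each entry in CSRF_TRUSTED_ORIGINS and, failing that, against the request's own host as Django sees it behind the proxy. The comparison is on `host:port`, so a referer of `https://ghostwriter:4443/...` does not match a trusted origin of `https://ghostwriter`, and a bare `*` has no scheme and no netloc at all (Django 4.0+ requires a scheme on every entry). The model below is an added, simplified re-implementation of that decision written for this thread; it is not Ghostwriter's code or Django's module, it omits the CSRF_COOKIE_DOMAIN branch, and the trusted-origin lists and Host header values it feeds in are constructed. The two referers are copied from the logs in this thread. Whether the Host header that reaches Django carries the port depends on the reverse-proxy configuration, which this thread does not show.

```python
"""Simplified model of Django's CsrfViewMiddleware Referer check (added example)."""
from urllib.parse import urlparse

# Referers copied from the two "Referer checking failed" warnings in the thread.
REFERER_GHOSTWRITER = (
    "https://ghostwriter:4443/accounts/login/?next=/reporting/reports/findings/update/21"
)
REFERER_LOCALHOST = "https://localhost:4443/shepherd/servers/create/"


def is_same_domain(host, pattern):
    """Same rule as django.utils.http.is_same_domain: an exact match, or a
    pattern beginning with '.' that matches the domain and its subdomains.
    'host' is a netloc, so 'ghostwriter:4443' is not equal to 'ghostwriter'."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
        or pattern == host
    )


def trusted_hosts(trusted_origins):
    """Each CSRF_TRUSTED_ORIGINS entry is reduced to its netloc (host[:port]);
    a leading '*' wildcard becomes a leading-dot subdomain pattern.
    An entry without a scheme (e.g. '*') has an empty netloc and never matches."""
    return [urlparse(origin).netloc.lstrip("*") for origin in trusted_origins]


def check_referer(referer, trusted_origins, request_host):
    """Return (accepted, reason) for a POST over HTTPS.

    request_host stands in for request.get_host(): the Host header as the
    Django process sees it behind the proxy, port included only if the
    proxy forwarded it. The CSRF_COOKIE_DOMAIN branch of the real check is
    omitted here for brevity.
    """
    ref = urlparse(referer)
    if "" in (ref.scheme, ref.netloc):
        return False, "Referer checking failed - Referer is malformed."
    if ref.scheme != "https":
        return False, "Referer checking failed - Referer is insecure while host is secure."
    # 1. Any configured trusted origin, compared host:port against host:port.
    if any(is_same_domain(ref.netloc, h) for h in trusted_hosts(trusted_origins)):
        return True, "matched CSRF_TRUSTED_ORIGINS"
    # 2. Otherwise the Referer must equal the request's own host:port exactly.
    if is_same_domain(ref.netloc, request_host):
        return True, "matched request host"
    return False, (
        "Referer checking failed - %s does not match any trusted origins." % referer
    )


if __name__ == "__main__":
    # Constructed scenarios: (CSRF_TRUSTED_ORIGINS, Host seen by Django, Referer)
    cases = [
        (["https://ghostwriter"], "ghostwriter", REFERER_GHOSTWRITER),       # 403: port missing
        (["https://ghostwriter:4443"], "ghostwriter", REFERER_GHOSTWRITER),  # OK via trusted origin
        (["https://ghostwriter"], "ghostwriter:4443", REFERER_GHOSTWRITER),  # OK via forwarded Host
        (["*"], "ghostwriter", REFERER_GHOSTWRITER),                         # 403: no scheme, empty netloc
        (["https://localhost:4443"], "localhost", REFERER_LOCALHOST),        # OK via trusted origin
    ]
    for origins, host, referer in cases:
        ok, reason = check_referer(referer, origins, host)
        print(f"{origins!s:30} Host={host:17} -> {'OK ' if ok else '403'} {reason}")
```

The model makes the defender's check explicit: either the trusted origin carries the non-standard port (`https://ghostwriter:4443`), or the proxy must pass the original `Host` header including the port through to Django so the fallback exact-match branch can succeed. Confirming which of the two applies to a given deployment means reading the proxy's `proxy_set_header Host` line and the Django settings together, not either alone.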
