
Injectors trigger the CSRF protection by sending cookies with requests #209

@antoinemzs

Description

OpenAEV has a CSRF protection mechanism that is enabled whenever the incoming request includes any cookie.

Some injectors use requests.Session as an HTTP client for communicating with the OpenAEV server. Responses to such requests may carry a Set-Cookie: "JSESSIONID=xxxx" header, which requests.Session then stores in memory and sends with every subsequent request.

The injector design does not expect injector processes to complete a CSRF challenge; they should always authenticate requests explicitly via Authorization: Bearer ... using the configured OPENAEV_TOKEN setting.
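An added example, not code from the OpenAEV repository or from the injector in this report: a `http.cookiejar` policy that refuses every cookie, so a `requests.Session` keeps authenticating only with the bearer header it is configured with. The URL, the cookie value and the `make_injector_session` helper are constructed for illustration.

```python
# Added example (not OpenAEV code): a cookie policy that blocks storing and
# sending cookies, so a long-lived HTTP session never picks up JSESSIONID
# and never triggers the cookie-based CSRF check; auth stays on the header.
from http.cookiejar import CookieJar, CookiePolicy, DefaultCookiePolicy
from email.message import Message
import urllib.request


class BlockAllCookies(CookiePolicy):
    """Reject every cookie a server tries to set and never send any."""
    netscape = True          # attributes CookieJar consults on a policy
    rfc2965 = False
    hide_cookie2 = False

    def set_ok(self, cookie, request):
        return False

    def return_ok(self, cookie, request):
        return False

    def domain_return_ok(self, domain, request):
        return False

    def path_return_ok(self, path, request):
        return False


class _FakeResponse:
    """Constructed stand-in for an HTTP response; CookieJar only needs .info()."""
    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def cookie_header_after_roundtrip(policy, url, set_cookie_header):
    """Store one constructed Set-Cookie under `policy`, then report how many
    cookies the jar kept and what it would attach to the next request."""
    jar = CookieJar(policy)
    jar.extract_cookies(_FakeResponse(set_cookie_header), urllib.request.Request(url))
    follow_up = urllib.request.Request(url)
    jar.add_cookie_header(follow_up)          # adds "Cookie" only if policy allows
    return len(jar), follow_up.get_header("Cookie")


def make_injector_session(token):
    """requests.Session (assumed installed, imported lazily) that carries the
    bearer token on every call but can never accumulate server cookies."""
    import requests
    session = requests.Session()
    session.cookies.set_policy(BlockAllCookies())
    session.headers["Authorization"] = f"Bearer {token}"
    return session
```

With the default policy the constructed session cookie is stored and echoed back, which is exactly the behaviour that trips the CSRF check; with the blocking policy nothing is stored or sent.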

Environment

  1. OS (where OpenAEV server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }
  2. OpenAEV version: { e.g. OpenAEV 1.0.2 }
  3. OpenAEV client: { e.g. frontend or python }
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Use CSRF-protection enabled branch instance
  2. Use the http-query injector (discovered impacted injector)

Expected Output

Injectors work while CSRF protection is active on OpenAEV

Actual Output

401/403 responses due to a failed CSRF challenge on injectors that mistakenly send cookies with their requests.

Additional information

Screenshots (optional)

Labels

bug (use for describing something not working as expected), critical (use to identify critical bug to fix ASAP)
