Problems with CSRF protection in Jenkins 2.85

Problems with CSRF protection in Jenkins 2.85

Jost, Martin (NSN - DE/Ulm)
Hello,

after the update to Jenkins 2.85, CI now "complains":
"You have not configured the CSRF issuer. This could be a security issue. For more information, please refer to this page.
You can change the current configuration using the Security section CSRF Protection."

So I tried to enable the CSRF protection. But now I fail to get my 'wget'-calls to the API to work with it.

How do I need to hand the crumb (in what format) to a wget call to e.g. upload a job file to my CI?

Here is what I tried:
# get the crumb
> wget http://ullteb105.emea.nsn-net.net:9999/crumbIssuer/api/xml -o out --output-document ooooo --user="random" --password="foobar"
> less ooooo
<defaultCrumbIssuer _class='hudson.security.csrf.DefaultCrumbIssuer'><crumb>1dd7db5ac04440f3c6f2e0b007d9afdb</crumb><crumbRequestField>Jenkins-Crumb</crumbRequestField></defaultCrumbIssuer>

# user/password + crumb as "Jenkins-Crumb" -> No valid crumb
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 14:59:55--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 14:59:55 ERROR 403: No valid crumb was included in the request.

# No password; just the crumb -> forbidden (ok, obvious)
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:18:54--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-10-30 15:18:54 ERROR 403: Forbidden.

# No user/password; just the crumb -> forbidden (ok, obvious)
> /usr/bin/wget --auth-no-challenge --no-proxy http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:19:06--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-10-30 15:19:06 ERROR 403: Forbidden.

# user/password + crumb as "Crumb" -> No valid crumb
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:19:19--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 15:19:19 ERROR 403: No valid crumb was included in the request.

# same, but 'crumb'
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:19:24--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 15:19:24 ERROR 403: No valid crumb was included in the request.

# same, but '.crumb'
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header=".crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:19:30--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 15:19:30 ERROR 403: No valid crumb was included in the request.

> wget --output-document ooooo --user="random" --password="foobar"  'http://ullteb105.emea.nsn-net.net:9999/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'
--2017-10-30 15:28:52--  http://ullteb105.emea.nsn-net.net:9999/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)
Resolving ullteb105.emea.nsn-net.net... 10.159.34.240
Connecting to ullteb105.emea.nsn-net.net|10.159.34.240|:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46 [text/plain]
Saving to: ooooo
100%[==========================================================================================================================================>] 46          --.-K/s   in 0s
2017-10-30 15:28:52 (8.47 MB/s) - ooooo saved [46/46]

> less ooooo
Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb

# ok, so it is Jenkins-Crumb?
# And the crumb itself stayed the same, so it is no timing issue (so far)
# I think I understood the crumb is an MD5 over user + password + some salt

# ok, then "Jenkins-Crumb" - no luck either
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:29:37--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 15:29:37 ERROR 403: No valid crumb was included in the request.

Regards

Martin

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/051b10e4-22e3-4e7d-b584-bcd753ff4a16%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: Problems with CSRF protection in Jenkins 2.85

Jost, Martin (NSN - DE/Ulm)
Hello,

ok, answer to my own mail...

The rules seem to be:

  1. Use
    curl -s 'http://<user>:<PWD>@<machine>:<port>/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' && echo
    to get the Crumb
  2. The Crumb gets returned, ready to use:
    "Jenkins-Crumb:30….b"
    Exactly this needs to be handed in.
  3. "curl -u '<user>:<PWD>' …" doesn't work, while "curl -s 'http://<user>:<PWD>@....'" does
  4. The hostname gets hashed into the Crumb returned (so the Crumb changes between aliases for the same machine (physical/logical/forward from standby master))
    So it is important to use the same machine name (physical/logical/forward from standby master) on all calls
  5. According to this finding and the documentation, the crumb is constructed from:
    (So this means it shouldn't change over time (modulo Jenkins updates?))
    1. Hostname
    2. Username
    3. Password (it seems API token and password are somehow mapped?)
    4. A salt
  6. Both the API token and the password can be used (same syntax, just use PWD or token)
    Both lead to the same Crumb returned
    Then what is this token about?
  7. The wget call can use
    wget … --user=jm0 --password=<PWD> … --header='Jenkins-Crumb:30430………………71b'
    or
    wget http://jm0:PW@... --header='Jenkins-Crumb:30430………………71b'
    both work with the crumb
Hope this might help others....

Martin

Now I just would need to know what the error messages in the log mean when I switch CSRF on....

On Monday, November 6, 2017 at 5:40:35 PM UTC+1, [hidden email] wrote:

Re: Problems with CSRF protection in Jenkins 2.85

Daniel Beck

> On 22. Nov 2017, at 16:48, [hidden email] wrote:
>
> • Both the API-token, as well as the password can be used (same syntax, just use PWD or token)
> Both lead to the same Crumb returned
> Then what is this token about ?

Depending on the environment, putting passwords into scripts might not be a reasonable solution to scripting Jenkins via its remote ("REST") API.

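Putting Martin's rules and Daniel's point together, here is an added example script (not code from the thread): it fetches the crumb from the same base URL it later POSTs to, hands back exactly the `Jenkins-Crumb:<value>` line the issuer returned, and authenticates with an API token via `curl -u` instead of embedding a password in the URL. JENKINS_URL, JENKINS_USER and JENKINS_TOKEN, the job name and the config file are assumed inputs; the XML parsing is exercised on a constructed reply shaped like the one in the first post.

```shell
#!/bin/sh
# Added example (not code from the thread): obtain a Jenkins crumb and use it
# to POST a job's config.xml, following the rules worked out in the thread.
# Assumed (hypothetical) configuration: JENKINS_URL, JENKINS_USER, JENKINS_TOKEN.
# The same base URL serves the crumb request and the POST, because a crumb is
# only valid for the instance (and client identity) that issued it, and an
# API token replaces the account password in the script.

# Turn the crumbIssuer XML reply into the exact header line Jenkins expects,
# e.g. "Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb". Returns 1 when the
# body is not a crumb document (typically an HTML login or error page).
crumb_header_from_xml() {
  body=$(printf '%s' "$1" | tr -d '\n\r')
  field=$(printf '%s' "$body" | sed -n 's/.*<crumbRequestField>\([^<]*\)<\/crumbRequestField>.*/\1/p')
  crumb=$(printf '%s' "$body" | sed -n 's/.*<crumb>\([^<]*\)<\/crumb>.*/\1/p')
  [ -n "$field" ] && [ -n "$crumb" ] || return 1
  printf '%s:%s' "$field" "$crumb"
}

# Fetch the crumb from the host the later request goes to, keeping the
# session cookie in a jar so the crumb stays tied to the session that got it.
fetch_crumb_header() {
  jar="$1"
  body=$(curl -sf -c "$jar" -b "$jar" -u "$JENKINS_USER:$JENKINS_TOKEN" \
         "$JENKINS_URL/crumbIssuer/api/xml") || return 1
  crumb_header_from_xml "$body"
}

# Upload $2 as the config.xml of job $1. Credentials go via -u, not into the
# URL, so the token does not end up in shell history or proxy logs.
jenkins_post_config() {
  job="$1"; file="$2"
  jar=$(mktemp) || return 1
  crumb_header=$(fetch_crumb_header "$jar") || { rm -f "$jar"; echo "no crumb obtained" >&2; return 1; }
  curl -sf -c "$jar" -b "$jar" -u "$JENKINS_USER:$JENKINS_TOKEN" \
       -H "$crumb_header" -H 'Content-Type: application/xml' \
       --data-binary "@$file" "$JENKINS_URL/job/$job/config.xml"
  status=$?
  rm -f "$jar"
  return $status
}

# Stand-alone use:
#   JENKINS_URL=http://ci.example:9999 JENKINS_USER=jm0 JENKINS_TOKEN=... ./post_config.sh JOB config.xml
if [ -n "${JENKINS_URL:-}" ] && [ $# -eq 2 ]; then
  jenkins_post_config "$1" "$2"
fi
```

The DefaultCrumbIssuer of that Jenkins generation also mixes the client IP it sees into the crumb unless "Enable proxy compatibility" is ticked, so a crumb fetched through a different route (proxy, alias, standby forward) than the POST is rejected with "No valid crumb".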