Discussion:
Cross-site request forgery issues
Chris
2024-10-20 17:35:20 UTC
For various reasons I'll need to be using a mobile broadband hub for a
while - currently on a Smarty SIM. It's usually fine, but over the last few
days I'm getting XSRF errors on a couple of work-related websites. One
explicitly states an XSRF error and the other errors with a comment
regarding IP "switching".

I suspect the 4G network and/or router is at fault, although I can't really
point to direct evidence. Is this a known issue with mobile connections and
is there a fix?
Graham J
2024-10-20 17:53:39 UTC
Post by Chris
For various reasons I'll need to be using a mobile broadband hub for a
while - currently on a Smarty SIM. It's usually fine, but over the last few
days I'm getting XSRF errors on a couple of work-related websites. One
explicitly states an XSRF error and the other errors with a comment
regarding IP "switching".
I suspect the 4G network and/or router is at fault, although I can't really
point to direct evidence. Is this a known issue with mobile connections and
is there a fix?
A little Googling found this:

<https://confluence.atlassian.com/jirakb/xsrf-security-token-missing-or-session-expiring-in-jira-1032258314.html>

Load balancing is one problem they mention: this is where your traffic
passes through two separate routes (typically 2 different ISPs for a
landline-based internet connection). When I used load balancing several
banking sites would fail randomly and my solution was to restrict bank
traffic to just one connection.

I doubt that your problem is with your router.

It's more likely that your mobile traffic is going via two different
base-stations so is identified as coming from two different IP addresses.

What with many mobile services using CGNAT which results in a single
public IP address being shared between many (hundreds, thousands even,
of) users and that address getting blacklisted because just one user has
sent spam through it, mobile internet services are losing their usefulness.

I can't think of a good solution.

Why is it you are having to resort to a mobile connection?
--
Graham J
Chris
2024-10-21 06:15:50 UTC
Post by Graham J
Post by Chris
For various reasons I'll need to be using a mobile broadband hub for a
while - currently on a Smarty SIM. It's usually fine, but over the last few
days I'm getting XSRF errors on a couple of work-related websites. One
explicitly states an XSRF error and the other errors with a comment
regarding IP "switching".
I suspect the 4G network and/or router is at fault, although I can't really
point to direct evidence. Is this a known issue with mobile connections and
is there a fix?
<https://confluence.atlassian.com/jirakb/xsrf-security-token-missing-or-session-expiring-in-jira-1032258314.html>
Load balancing is one problem they mention: this is where your traffic
passes through two separate routes (typically 2 different ISPs for a
landline-based internet connection). When I used load balancing several
banking sites would fail randomly and my solution was to restrict bank
traffic to just one connection.
I doubt that your problem is with your router.
It's more likely that your mobile traffic is going via two different
base-stations so is identified as coming from two different IP addresses.
What with many mobile services using CGNAT which results in a single
public IP address being shared between many (hundreds, thousands even,
of) users and that address getting blacklisted because just one user has
sent spam through it, mobile internet services are losing their usefulness.
How come it only affects two sites consistently?

Should have added, it also happens when connected to a VPN. Wouldn't that
mask any upstream IP issues?
Post by Graham J
I can't think of a good solution.
Any bad ones? ;)
Post by Graham J
Why is it you are having to resort to a mobile connection?
Graham J
2024-10-21 07:06:15 UTC
Chris wrote:

[snip]
Post by Chris
How come it only affects two sites consistently?
Possibly these are the only two sites that you regularly use that
implement the XSRF checking.
Post by Chris
Should have added, it also happens when connected to a VPN. Wouldn't that
mask any upstream IP issues?
This may depend on how your VPN is set up. Can you try a different VPN
service?

Or it suggests that my speculation as to the cause is incorrect.

If you move to a different geographic location (so not using the same 4G
cell) do you still see the problem?

If you use a different router do you still see the problem?

If you use a different internet connection (e.g. from a friend's house,
and not 4G) do you still see the problem?

Can your ISP give an explanation? I accept that finding anybody there
who understands the issue may be difficult.
--
Graham J
Theo
2024-10-21 15:01:07 UTC
Post by Graham J
[snip]
Post by Chris
How come it only affects two sites consistently?
Possibly these are the only two sites that you regularly use that
implement the XSRF checking.
Post by Chris
Should have added, it also happens when connected to a VPN. Wouldn't that
mask any upstream IP issues?
This may depend on how your VPN is set up. Can you try a different VPN
service?
The VPN could be set to only route private traffic. ie if you're accessing
intranet.company.com it'll go through the VPN, but if you're accessing
some-saas-provider.com or randomserver.aws.amazon.com then it'll go via your
public IP.

Have you tried a different browser, in case it's related to that?

Also, it could be something to do with IPv6: privacy extensions change your
IPv6 address regularly to avoid tracking. Maybe it's showing up as XSRF at
the destination website? Perhaps your original ISP doesn't support IPv6 but
your mobile provider does? You could try turning off IPv6 privacy
extensions to see if it makes a difference.

Theo
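The two theories above (Graham J's: the mobile traffic appears from two different public addresses via load balancing or different base stations; Theo's: IPv6 privacy extensions rotating the source address) share one mechanism, so here is a single added example, not code from the thread or from any of the sites mentioned. It contrasts a hypothetical XSRF check that binds the token to the client's source IP (the pattern that turns an address change into an "XSRF error") with the standard synchronizer token, which never looks at the address. The IP-bound scheme, the function names and the scenario addresses (documentation ranges) are all assumptions made for illustration.

```python
"""Added example (not code from the thread): an XSRF check bound to the
client's source IP fails when that IP changes between loading the login
form and submitting it (CGNAT / a different base station, a load balancer
without session affinity, an IPv6 temporary address rotating); the classic
synchronizer token does not. The IP-bound scheme is hypothetical, used only
to show the failure mode, not any named product's implementation."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-process secret; assumes a single server


def ip_bound_token(session_id: str, client_ip: str) -> str:
    """Scheme A (hypothetical): token = HMAC(key, session_id || client_ip).
    Binding the token to the source address looks like extra hardening, but
    it makes any change of source address indistinguishable from a forgery."""
    return hmac.new(SERVER_KEY, f"{session_id}|{client_ip}".encode(),
                    hashlib.sha256).hexdigest()


def verify_ip_bound(token: str, session_id: str, client_ip: str) -> bool:
    return hmac.compare_digest(token, ip_bound_token(session_id, client_ip))


class SynchronizerSession:
    """Scheme B: the classic synchronizer token. A random token lives in the
    server-side session, is echoed into the form, and is compared on submit.
    The source IP plays no part: the defence rests on the browser's
    same-origin policy keeping the token unreadable to an attacking site."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_urlsafe(32)

    def verify(self, submitted: str) -> bool:
        return hmac.compare_digest(submitted, self.csrf_token)


def login_succeeds(scheme: str, ip_at_form_load: str, ip_at_submit: str) -> bool:
    """Simulate one login: the form is served while the client appears as
    ip_at_form_load; the POST arrives from ip_at_submit. Returns whether the
    XSRF check passes (the credentials themselves are out of scope)."""
    session_id = secrets.token_hex(16)
    if scheme == "ip_bound":
        token = ip_bound_token(session_id, ip_at_form_load)
        return verify_ip_bound(token, session_id, ip_at_submit)
    if scheme == "synchronizer":
        sess = SynchronizerSession()
        token = sess.csrf_token       # embedded in the served form
        return sess.verify(token)     # ip_at_submit is never consulted
    raise ValueError(f"unknown scheme {scheme!r}")


# Constructed scenarios; addresses are from the documentation ranges
# (RFC 5737 / RFC 3849), not real hosts.
SCENARIOS = {
    "stable address": ("203.0.113.10", "203.0.113.10"),
    "CGNAT / second base station": ("203.0.113.10", "203.0.113.11"),
    "IPv6 temporary address rotated": ("2001:db8::1a2b", "2001:db8::9f3e"),
}


def run_scenarios() -> dict:
    """Map each scenario to (ip_bound_passes, synchronizer_passes)."""
    return {name: (login_succeeds("ip_bound", a, b),
                   login_succeeds("synchronizer", a, b))
            for name, (a, b) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (a, b) in run_scenarios().items():
        print(f"{name:32s} ip-bound={'ok' if a else 'XSRF error'}  "
              f"synchronizer={'ok' if b else 'XSRF error'}")
```

The point for a practitioner: a site that reports an XSRF error purely because the source address moved is checking something (the address) that CSRF protection does not need, and the check will keep firing behind CGNAT or with IPv6 temporary addresses no matter what the client does. Scheme B still rejects an attacker's guessed token; it just does not care where the legitimate request came from.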
Chris
2024-10-21 17:23:05 UTC
Post by Theo
Post by Graham J
[snip]
Post by Chris
How come it only affects two sites consistently?
Possibly these are the only two sites that you regularly use that
implement the XSRF checking.
Post by Chris
Should have added, it also happens when connected to a VPN. Wouldn't that
mask any upstream IP issues?
This may depend on how your VPN is set up. Can you try a different VPN
service?
The VPN could be set to only route private traffic. ie if you're accessing
intranet.company.com it'll go through the VPN, but if you're accessing
some-saas-provider.com or randomserver.aws.amazon.com then it'll go via your
public IP.
All traffic goes through the VPN.
Post by Theo
Have you tried a different browser, in case it's related to that?
Yes Firefox and Safari.
Post by Theo
Also, it could be something to do with IPv6: privacy extensions change your
IPv6 address regularly to avoid tracking. Maybe it's showing up as XSRF at
the destination website? Perhaps your original ISP doesn't support IPv6 but
your mobile provider does? You could try turning off IPv6 privacy
extensions to see if it makes a difference.
Is that even a thing on mobile networks?
Post by Theo
Theo
William Stickers
2024-10-21 14:51:30 UTC
[...]
Post by Chris
Post by Graham J
I can't think of a good solution.
Any bad ones? ;)
Some VPNs offer static IPs.
TBH I dunno if that would work.
David Woolley
2024-10-21 16:11:26 UTC
Post by Chris
Should have added, it also happens when connected to a VPN.
By VPN do you mean a virtual private network, or do you mean a public
anonymising service that makes use of technologies originally developed
for use on virtual private networks. The latter almost certainly uses
extremely heavy CGNAT - that's the main way they obscure the origin of
the traffic.
Chris
2024-10-21 17:23:06 UTC
Post by David Woolley
Post by Chris
Should have added, it also happens when connected to a VPN.
By VPN do you mean a virtual private network, or do you mean a public
anonymising service that makes use of technologies originally developed
for use on virtual private networks. The latter almost certainly uses
extremely heavy CGNAT - that's the main way they obscure the origin of
the traffic.
I mean a work VPN.
Graham J
2024-10-21 17:45:44 UTC
Post by Chris
Post by David Woolley
Post by Chris
Should have added, it also happens when connected to a VPN.
By VPN do you mean a virtual private network, or do you mean a public
anonymising service that makes use of technologies originally developed
for use on virtual private networks. The latter almost certainly uses
extremely heavy CGNAT - that's the main way they obscure the origin of
the traffic.
I mean a work VPN.
So almost certainly only carries traffic for your work network. Any
traffic for other addresses will still be seen to come from whatever
public address you have.
--
Graham J
Chris
2024-10-22 06:03:50 UTC
Post by Graham J
Post by Chris
Post by David Woolley
Post by Chris
Should have added, it also happens when connected to a VPN.
By VPN do you mean a virtual private network, or do you mean a public
anonymising service that makes use of technologies originally developed
for use on virtual private networks. The latter almost certainly uses
extremely heavy CGNAT - that's the main way they obscure the origin of
the traffic.
I mean a work VPN.
So almost certainly only carries traffic for your work network. Any
traffic for other addresses will still be seen to come from whatever
public address you have.
Our IT is not that sophisticated. The dozens of services are many, third
party and convoluted so a straightforward tunnel is far simpler.
Graham J
2024-10-22 08:12:58 UTC
Chris wrote:

[snip]
Post by Chris
Post by Graham J
Post by Chris
I mean a work VPN.
So almost certainly only carries traffic for your work network. Any
traffic for other addresses will still be seen to come from whatever
public address you have.
Our IT is not that sophisticated. The dozens of services are many, third
party and convoluted so a straightforward tunnel is far simpler.
Without clear confirmation from your work IT people I would rather doubt
that.

Ordinarily a VPN to your employer is set up so that traffic for any IP
address on your employer's LAN is routed through the VPN, but all other
traffic goes directly to your ISP.

It is possible to (mis)configure your VPN client so that ALL your
traffic goes via the VPN to your employer's LAN. Thus traffic not
destined for that LAN will be redirected by your employer's VPN endpoint
via the employer's router to the employer's ISP. Your employer would
not normally want that (it means they are having to pay for the
bandwidth that you are using) but potentially it allows them to monitor
all your traffic to see what websites you look at. If they have load
balancing across two or more internet connections (a good idea to
support a larger business and provide resilience) you will see the
problem you describe.

But if you use a commercial VPN service (one that you explicitly pay
for, such as NordVPN, or the one that comes with the antivirus product
that you pay for) the purpose of that is to hide your IP address which
means that all your traffic goes through the VPN. The public IP address
at their end of the VPN could be in another country (which is one reason
why you might use their service) and it is probably shared between many
users of that VPN service so could well get compromised.

We need much more technical detail to speculate further.
--
Graham J
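Graham J's post above (and Theo's earlier remark about a VPN that only routes private traffic) turns on one question: does the default route go via the VPN, or only the employer's prefixes? Here is an added example, not code from the thread, that answers it from a Linux `ip -4 route` listing by doing the same longest-prefix lookup the kernel does. The two route listings, the interface names (tun0, wlan0) and the probe addresses (documentation ranges) are constructed for illustration.

```python
"""Added example (not code from the thread): decide from a Linux `ip -4 route`
listing whether a VPN client is full-tunnel (all traffic leaves via the VPN,
so websites see the employer's public address) or split-tunnel (only the
employer's prefixes go via the VPN; everything else leaves via the mobile hub
and shows the carrier's CGNAT address). IPv4 only; interface names and both
listings are constructed, addresses use RFC 5737 documentation ranges."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, Optional[str], int]  # (prefix, dev, metric)

# Typical OpenVPN "redirect-gateway def1": two /1 routes override the default
# route without replacing it, plus a host route that keeps the VPN server
# itself reachable over the physical link.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""

# Split tunnel: only the employer's RFC 1918 prefixes are pushed via tun0.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
172.16.0.0/12 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""


def parse_routes(text: str) -> List[Route]:
    """Parse the subset of `ip -4 route` output needed here: destination,
    outgoing device and metric (absent metric counts as 0)."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)   # host routes become /32
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric))
    return routes


def egress_interface(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, lowest metric on ties: the kernel's rule for a
    plain lookup (policy routing, VRFs and multiple tables are out of scope)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def classify_tunnel(text: str, vpn_dev: str,
                    probes=("198.51.100.7", "203.0.113.200")) -> str:
    """'full' if every public probe address leaves via vpn_dev, 'split' if
    none does, 'partial' otherwise. The probes stand in for the public SaaS
    sites discussed in the thread."""
    routes = parse_routes(text)
    via_vpn = [egress_interface(routes, p) == vpn_dev for p in probes]
    if all(via_vpn):
        return "full"
    if not any(via_vpn):
        return "split"
    return "partial"


if __name__ == "__main__":
    for label, listing in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(f"{label} listing classified as: {classify_tunnel(listing, 'tun0')}")
        print("  home LAN printer 192.168.1.20 leaves via",
              egress_interface(parse_routes(listing), "192.168.1.20"))
```

Note what the full-tunnel listing still shows: the home LAN prefix and the VPN server's host route stay on wlan0, so "all traffic goes through the VPN" and "I can still reach my router" are not contradictory. On a real machine, feed the function the output of `ip -4 route` (macOS and Windows print their tables differently and would need their own parser; the lookup rule is the same).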
Chris
2024-10-22 09:20:17 UTC
Post by Graham J
[snip]
Post by Chris
Post by Graham J
Post by Chris
I mean a work VPN.
So almost certainly only carries traffic for your work network. Any
traffic for other addresses will still be seen to come from whatever
public address you have.
Our IT is not that sophisticated. The dozens of services are many, third
party and convoluted so a straightforward tunnel is far simpler.
Without clear confirmation from your work IT people I would rather doubt
that.
I know it for a fact. People have asked for split tunnelling for, for
example, being able to print to their home LAN printer, but it hasn't been
enabled.

Also any speed test site shows that the "ISP" is my work.
Post by Graham J
Ordinarily a VPN to your employer is set up so that traffic for any IP
address on your employer's LAN is routed through the VPN, but all other
traffic goes directly to your ISP.
Not in my experience.
Graham J
2024-10-22 09:59:18 UTC
Chris wrote:

[snip]
Post by Chris
Post by Graham J
Without clear confirmation from your work IT people I would rather doubt
that.
I know it for a fact. People have asked for split tunnelling for, for
example, being able to print to their home LAN printer, but it hasn't been
enabled.
A VPN client in your router would avoid this - but may mean you have to
change your router.
Post by Chris
Also any speed test site shows that the "ISP" is my work.
So ask your work IT people to help resolve the problem. Particularly if
the sites giving the problem are sites you need for work. In fact, your
work IT people should be able to replicate the issue on their computers.

Also worth trying a different VPN (not the one provided by your
employer) - perhaps a free trial?
--
Graham J
grinch
2024-10-25 09:12:33 UTC
Post by Chris
Post by Graham J
[snip]
Post by Chris
Post by Graham J
Post by Chris
I mean a work VPN.
So almost certainly only carries traffic for your work network. Any
traffic for other addresses will still be seen to come from whatever
public address you have.
Our IT is not that sophisticated. The dozens of services are many, third
party and convoluted so a straightforward tunnel is far simpler.
Without clear confirmation from your work IT people I would rather doubt
that.
I know it for a fact. People have asked for split tunnelling for, for
example, being able to print to their home LAN printer, but it hasn't been
enabled.
As that is a major security risk I'm not surprised, particularly for
Windows users.


If your IT department has done its job properly you should not be able
to see your home LAN at all while you are connected to the office LAN.

Where I worked any attempt to subvert the above was seen as gross
misconduct and would lead to a dismissal.

If you can't get to work-related websites that is your IT department's
issue to resolve.
Theo
2024-10-25 11:46:55 UTC
Post by grinch
As that is a major security risk I'm not surprised, particularly for
Windows users.
If your IT department has done its job properly you should not be able
to see your home LAN at all while you are connected to the office LAN.
You *have* to be able to see your home LAN, as that's how your packets get
out. Or, at the very least, your LAN router.

Also, if you want (are allowed) to print locally you need to be able to see
your local network printer.

Preventing mixing of web requests from one origin to another (eg a public
web page including an image from a local server) is browser security 101,
and is a major browser vulnerability if that's allowed.
Post by grinch
If you can't get to work-related websites that is your IT department's
issue to resolve.
Indeed, although if they are public websites (eg SaaS sites like MS
Office, Google Docs, Github, Salesforce, etc) then they may not have any
insight or control into how their networking works.

Theo
Chris
2024-10-25 18:05:42 UTC
Post by Theo
Post by grinch
As that is a major security risk I'm not surprised, particularly for
Windows users.
If your IT department has done its job properly you should not be able
to see your home LAN at all while you are connected to the office LAN.
You *have* to be able to see your home LAN, as that's how your packets get
out. Or, at the very least, your LAN router.
Also, if you want (are allowed) to print locally you need to be able to see
your local network printer.
Preventing mixing of web requests from one origin to another (eg a public
web page including an image from a local server) is browser security 101,
and is a major browser vulnerability if that's allowed.
Post by grinch
If you can't get to work-related websites that is your IT department's
issue to resolve.
Indeed, although if they are public websites (eg SaaS sites like MS
Office, Google Docs, Github, Salesforce, etc) then they may not have any
insight or control into how their networking works.
Thanks for all the help to all. It has been raised with IT, but I wondered
if the wisdom here knew of issues regarding XSRF and mobile networks.

The two sites affected most recently were both public: one based in
Germany, and not operated by my work, and the other a SaaS (worktribe).

Both times it happened during login which made me suspect there's session
token shenanigans with the authentication server. I'm probably a bit beyond
my ken in this stuff, however.
Theo
2024-10-25 20:31:29 UTC
Post by Chris
The two sites affected most recently were both public: one based in
Germany, and not operated by my work, and the other a SaaS (worktribe).
Both times it happened during login which made me suspect there's session
token shenanigans with the authentication server. I'm probably a bit beyond
my ken in this stuff, however.
It could be something related to 'login with MS/Google/FB/whatever' if your
work uses those to authenticate at random sites. IT might have some visibility
there.

Theo
Chris
2024-10-27 08:00:12 UTC
Post by Theo
Post by Chris
The two sites affected most recently were both public: one based in
Germany, and not operated by my work, and the other a SaaS (worktribe).
Both times it happened during login which made me suspect there's session
token shenanigans with the authentication server. I'm probably a bit beyond
my ken in this stuff, however.
It could be something related to 'login with MS/Google/FB/whatever' if your
work uses those to authenticate at random sites. IT might have some visibility
there.
That's what I thought too, but only one site uses work's AD auth. The other
didn't.

That's why I considered it a mobile internet issue, as the remaining common
factor.

grinch
2024-10-26 10:13:29 UTC
Post by Theo
Post by grinch
As that is a major security risk I'm not surprised, particularly for
Windows users.
If your IT department has done its job properly you should not be able
to see your home LAN at all while you are connected to the office LAN.
You *have* to be able to see your home LAN, as that's how your packets get
out. Or, at the very least, your LAN router.
Thanks for stating the blindingly obvious, I presumed anybody who has
enough knowledge to use the Usenet could have worked that out for
themselves.
Post by Theo
Also, if you want (are allowed) to print locally you need to be able to see
your local network printer.
Interesting. Everywhere I worked from 2000 until I retired in 2019,
printing anything was frowned on and banned at home for security
reasons. As was any connection to home devices for the same reason.