A bizarre “403 Forbidden” bug-hunting adventure

A bizarre “403 Forbidden” bug-hunting adventure(blog.hellocode.co)

137 points by joshsharp 8 years ago | 42 comments

"NSURLSession oh so helpfully auto-fucking-matically decided I would probably—no, definitely—want to send those cookies in every single request my app did after that. Forever and always."

I imagine it honors the "expires" property of cookies, it just probably wasn't set. Also there's an "ephemeralSessionConfiguration" you can use if you don't want to store the cookies. I enjoyed the article, up until the author blamed the framework for their own ignorance.

joshsharp 8 years ago | |

Sure, the cookies expire (in two weeks I think, in this case) but that doesn't invalidate the issue that the wkwebview silently shares cookies with nsurlsession, nor does it negate the confusing journey of tracking down the bug. Sheesh.

spullara 8 years ago | | |

This is exactly what users want and you are basically breaking it by not honoring the cookies.

mattacular 8 years ago | |

Something like that should at least be documented behavior of the framework. General purpose frameworks are not absolved of all guilt ipso facto... it is up to the developers who create them to provide a reasonable experience for the developers who use them as both tend to need one another.

gumby 8 years ago | | |

Because they think that once they’ve logged on they are logged in and become annoyed if they hVe to do it again

js2 8 years ago |

Oh hey, I know this. From a commit message earlier this year for an SDK I own:

SDKSender: switch to ephemeral NSURLSession and disable cookie storage

Switch to a private (ephemeral) session independent of the app and disables cookies. The SDK otherwise shares the cookie storage with the app, which is not desired. This was causing the SDK to send the $dayjob tracking cookie (and others) to $dayjob API endpoint.

udioron 8 years ago |

Another fix is to disable CSRF checks for all API calls which should not be served by a browser (assuming they use a different auth mechanism which does not involve cookies!). This makes sense since CSRF is a layer that relates to attacks involving browsers/cookie authentication.

yeukhon 8 years ago | |

I always believe /login served by a browser and /login for api should never be the same, to echo your statement they require different handler. It should be two completely different view; but those views call the same login function internally. Perhaps /login is a bad example, but use that in views where authentication and authorization are needed.

captn3m0 8 years ago | |

This is the right solution. CSRF checks make no sense for an API that is accessed by a non-browser clients.

Grollicus 8 years ago |

Despite using Functions he doesn't really understand and yada yada i think this is a good reason to have a dedicated api endpoint and not mix it with domains where the normal web access happens.

exikyut 8 years ago |

This is both awesome and depressing.

But it gave me a really interesting idea: a service/network/community/forum/etc for people to gather and discuss Really Confusing Bugs™ that they're trying to figure out. Not necessarily (?) for contemporary end users (maybe highly technical end users).

This could actually be a really cool concept. Somewhere squarely between HackerOne and StackOverflow - not for exploits, and not for simple(r) stuff, but specifically for complicated and confusing bugs you've been staring at for days/weeks and nothing's making any sense.

I can see a subscription model working for this, even - subscriptions would work both to allow people to provide extended assistance, and also because a contract makes NDAs easier.

Hmm. Thinking about how the subscription model would work... you sign up, configure billing, that then allows you to request extended assistance.

- One way that could work is that people offer you help in return for thanks, which would work like a configurable upvote; higher quality answers attract more rewards. Maybe anyone can reward answers (via the credit in their account) after the fact?

- Another way would be setting a minimum or exact reward amount up front to attract more help.

Regardless of how it worked, the site would have all discussion be public and open by default; you'd have to check a box to make the discussion private, and even after that you'd have the ability to go through and selectively un-redact parts of the conversations so everyone could be helped.

And anyone could sign up and offer answers instantly, and the rewards credited to their account could be cashed out at any time. That would attract new users.

I realize I've just described a weird kind of paid StackOverflow. I am very curious why SE hasn't pursued such an idea. As in, I am 1000% confident they've had this conversation at least once, and I'd really love to hear what the opinions were.

catshirt 8 years ago |

when you have a bizarre request issue... find a working request, find the failing request, compare the headers... problem solved.

taormina 8 years ago | |

That was literally the first thing the author did.

catshirt 8 years ago | | |

is that how you interpreted it? it's not until paragraph 13 (!) where author states:

"Josh realised my app might be somehow getting cookies from visiting our site inside this web view, and then sharing those cookies with AFNetworking's underlying NSURLSession, which is handling my requests."

which would have been clear if they'd checked the cookies of the NSURLSession request.

then, in paragraph 17, the author starts concluding:

> "And so the the CSRF check was failing every time, because I wasn't sending a Referer header, or any other related CSRF bits."

which would have been clear if they tried comparing a working request to a failing request.

and finally,

> "And of course, I didn't even know about these cookies, so I wasn't deleting them on log out"

which leads me believe the author never checked the request at all, let alone before anything else.

i'm ignoring the fact the bug sat for months, and took a second person to fix, and got a write up on the blog... so i'm going to have to assume my advice has an audience (like anyone who would classify this bug as "bizarre").

(not trying to pass judgement on the author here at all... we have all been there :))

stanleydrew 8 years ago |

Not sure about the "fix", since now users can't persist a logged in browser session?

If you aren't using cookies for API auth, is there not some way to configure your server framework to just ignore them if received?

joshsharp 8 years ago | |

They shouldn't be logging in via the webview within the app anyway, so that's moot.

We are using cookies, as the post says, as a fallback authentication so devs can browse the API from a browser if they're logged in to the site.

eridius 8 years ago | | |

Why are devs using a browser to hit API endpoints? There are much better tools. My preferred one is called Paw (https://paw.cloud) but there are others.

CodeWriter23 8 years ago |

Just popped in to say Wireshark would have made short work of this bug.

foota 8 years ago |

Are they using a header or s.t. for their authorization in app, then?

joshsharp 8 years ago | |

Using the Authorization header.

foota 8 years ago | | |

Thanks for following up! Glad y'all found the bug :)

oretoz 8 years ago |