Merge pull request #48 from freelawproject/headers

feat(headers): Add security headers
freelawproject · Aug 3, 2021 · cd33651 · cd33651
2 parents 64c6444 + 1a5b371
commit cd33651
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 16 deletions.
diff --git a/netlify.toml b/netlify.toml
@@ -0,0 +1,13 @@
+[[headers]]
+    for = "/*"
+    [headers.values]
+        Strict-Transport-Security = 'max-age=63072000; includeSubdomains; preload'
+
+        X-Frame-Options = "DENY"
+        X-Content-Type-Options = "nosniff"
+        Referrer-Policy = 'same-origin'
+
+        # This one only applies to older browsers, and getting good information about what it does it hard.
+        # It is superceded by CSP headers, but still useful in old browsers.
+        X-XSS-Protection = "1; mode=block"
+
diff --git a/posts/pacer-vulnerability-poc.mdx b/posts/pacer-vulnerability-poc.mdx
@@ -9,7 +9,7 @@ type: page
 This page is an explanation and proof of concept (POC) of a [cross-site request forgery vulnerability][csrf] (CSRF) identified by Free Law Project while gathering data from the PACER websites.
 
 
-### What this Vulnerability Allows
+## What this Vulnerability Allows
 
 This vulnerability allows any website to use a visitor's PACER account (their cookie) to download content from PACER including docket reports and PDFs. We also believe it allows a malicious website to upload documents to the ECF website, though this is harder to demonstrate without a testing account. 
 
@@ -26,7 +26,7 @@ For the Administrative Office of the courts, this vulnerability could create cha
 [debt]: https://www.pacer.gov/psc/faq.html#HC_GP23
 
 
-### Is this Vulnerability Already Being Exploited?
+## Is this Vulnerability Already Being Exploited?
 
 It's quite possible this vulnerability is being exploited in the wild.
 
@@ -37,14 +37,14 @@ It's quite possible this vulnerability is being exploited in the wild.
 **Update for technical error:** When exploited, CSRF vulnerabilities can be identified by using the `Referer` headers of the traffic coming in. However if the AO is not monitoring that traffic — which is common — the only time they would know whether this vulnerability was being exploited would be on the billing side when users complained about unauthorized account usage. At that stage, they might connect the dots and review the `Referer` logs, but it's not an obvious jump unless a flood of complaints were coming in.
 
 
-### How this Vulnerability Works
+## How this Vulnerability Works
 
 This vulnerability uses JavaScript that was copy/pasted from PACER. On PACER, this code is run whenever somebody clicks the "View Document" button. In normal usage, the code simply makes an invisible HTML form in the user's browser then submits it. When a PACER server receives this submission, a document is purchased and the user downloads the PDF. We believe (but have been unable to prove so far) that similar code could be written to file documents in ECF. 
 
 CSRF vulnerabilities work because one website can make requests to another website. By default, such requests are made using the cookies for the second website. In practice, these requests must be blocked or explicitly authorized or else CSRF vulnerabilities like this one will occur. 
 
 
-### How to Fix this Vulnerability
+## How to Fix this Vulnerability
 
 CSRF vulnerabilities are typically solved by including a unique token in every `POST` request that is made to a server. Then, when the server receives the token, it can verify whether the request was legitimate. 
 
@@ -56,14 +56,13 @@ Much more detail on the solutions to CSRF issues [can be found at this link][csr
 [csrf]: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
 
 
-### Proof of Concept (POC)
+## Proof of Concept (POC)
 
 <p className="bg-danger alert">
     <strong>Update</strong>: This POC no longer works due to the vulnerability being resolved. Prior to the resolution, this POC would have downloaded a PDF to your computer using your account on PACER and javascript hosted on this website.
 </p>
 
 
-
 For this POC to work, you must be logged into the PACER Training website. This way, no financial transaction occurs during the POC. The login page for the training site is here (note the user/pass are printed on that page):
 
 <p><a href="https://dcecf.psc.uscourts.gov/cgi-bin/login.pl" target="_blank">https://dcecf.psc.uscourts.gov/cgi-bin/login.pl</a></p>
@@ -76,19 +75,11 @@ Once you are logged in to the training site, clicking the button below will down
 
 Click this button to exploit the CSRF vulnerability:
 
-<form className="form-inline" id="exploit-form">
-  <div className="form-group">
-    <label className="sr-only" for="password">Password</label>
-    <input type="password" className="form-control" id="password" placeholder="Password"/>
-  </div>
-  <PurpleButton>Exploit My PACER Cookie</PurpleButton>
-  <span id="helpBlock" className="help-block">The password is in the information you received about this exploit.</span>
-</form>
+<PurpleButton href="#">Exploit My PACER Cookie (This POC disabled)</PurpleButton>
 
-<script type="text/javascript" src="/js/pacer-exploit.js"></script>
 
 
-### Timeline
+## Timeline
 
 `2017-02-17` Notification by Free Law Project with 90 day deadline for fix.  
 `2017-02-22` Acknowledgement by AO staff.