Skip to content

fix(csrf): Fix SCRF vulnerability in OTA examples and libraries #11530

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Jul 2, 2025
Merged

fix(csrf): Fix SCRF vulnerability in OTA examples and libraries #11530

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
450c640
fix(csrf): Fix SCRF vulnerability in WebUpdate.ino
me-no-dev Jun 30, 2025
a87ee5f
fix(csrf): Prevent CSRF on other OTA examples
me-no-dev Jun 30, 2025
5f74e65
Merge branch 'master' into bugfix/csrf
me-no-dev Jun 30, 2025
b29b5e8
fix(csrf): Require auth user and pass to be changed
me-no-dev Jul 2, 2025
c94ffcf
ci(pre-commit): Apply automatic fixes
pre-commit-ci-lite[bot] Jul 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions libraries/HTTPUpdateServer/src/HTTPUpdateServer.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ static const char serverIndex[] PROGMEM =
</body>
</html>)";
static const char successResponse[] PROGMEM = "<META http-equiv=\"refresh\" content=\"15;URL=/\">Update Success! Rebooting...";
static const char * csrfHeaders[2] = {"Origin", "Host"};

class HTTPUpdateServer {
public:
Expand Down Expand Up @@ -56,6 +57,9 @@ class HTTPUpdateServer {
_username = username;
_password = password;

// collect headers for CSRF verification
_server->collectHeaders(csrfHeaders, 2);

// handler for the /update form page
_server->on(path.c_str(), HTTP_GET, [&]() {
if (_username != emptyString && _password != emptyString && !_server->authenticate(_username.c_str(), _password.c_str())) {
Expand All @@ -69,6 +73,10 @@ class HTTPUpdateServer {
path.c_str(), HTTP_POST,
[&]() {
if (!_authenticated) {
if (_username == emptyString || _password == emptyString) {
_server->send(200, F("text/html"), String(F("Update error: Wrong origin received!")));
return;
}
return _server->requestAuthentication();
}
if (Update.hasError()) {
Expand Down Expand Up @@ -100,6 +108,17 @@ class HTTPUpdateServer {
return;
}

String origin = _server->header(String(csrfHeaders[0]));
String host = _server->header(String(csrfHeaders[1]));
String expectedOrigin = String("http://") + host;
if (origin != expectedOrigin) {
if (_serial_output) {
Serial.printf("Wrong origin received! Expected: %s, Received: %s\n", expectedOrigin.c_str(), origin.c_str());
}
_authenticated = false;
return;
}

if (_serial_output) {
Serial.printf("Update: %s\n", upload.filename.c_str());
}
Expand Down
33 changes: 31 additions & 2 deletions libraries/Update/examples/OTAWebUpdater/OTAWebUpdater.ino
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,16 @@

#define SSID_FORMAT "ESP32-%06lX" // 12 chars total
//#define PASSWORD "test123456" // generate if remarked
const char * authUser = "admin";
const char * authPass = "admin";
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest generating a random password that you print to the console to let the user know what it is over using a hard-coded password.


WebServer server(80);
Ticker tkSecond;
uint8_t otaDone = 0;

const char * csrfHeaders[2] = {"Origin", "Host"};
static bool authenticated = false;

const char *alphanum = "0123456789!@#$%^&*abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
String generatePass(uint8_t str_len) {
String buff;
Expand All @@ -38,13 +43,17 @@ void apMode() {
}

void handleUpdateEnd() {
if (!authenticated) {
return server.requestAuthentication();
}
server.sendHeader("Connection", "close");
if (Update.hasError()) {
server.send(502, "text/plain", Update.errorString());
} else {
server.sendHeader("Refresh", "10");
server.sendHeader("Location", "/");
server.send(307);
delay(500);
ESP.restart();
}
}
Expand All @@ -56,18 +65,34 @@ void handleUpdate() {
}
HTTPUpload &upload = server.upload();
if (upload.status == UPLOAD_FILE_START) {
authenticated = server.authenticate(authUser, authPass);
if (!authenticated) {
Serial.println("Authentication fail!");
otaDone = 0;
return;
}
String origin = server.header(String(csrfHeaders[0]));
String host = server.header(String(csrfHeaders[1]));
String expectedOrigin = String("http://") + host;
if (origin != expectedOrigin) {
Serial.printf("Wrong origin received! Expected: %s, Received: %s\n", expectedOrigin.c_str(), origin.c_str());
authenticated = false;
otaDone = 0;
return;
}

Serial.printf("Receiving Update: %s, Size: %d\n", upload.filename.c_str(), fsize);
if (!Update.begin(fsize)) {
otaDone = 0;
Update.printError(Serial);
}
} else if (upload.status == UPLOAD_FILE_WRITE) {
} else if (authenticated && upload.status == UPLOAD_FILE_WRITE) {
if (Update.write(upload.buf, upload.currentSize) != upload.currentSize) {
Update.printError(Serial);
} else {
otaDone = 100 * Update.progress() / Update.size();
}
} else if (upload.status == UPLOAD_FILE_END) {
} else if (authenticated && upload.status == UPLOAD_FILE_END) {
if (Update.end(true)) {
Serial.printf("Update Success: %u bytes\nRebooting...\n", upload.totalSize);
} else {
Expand All @@ -78,6 +103,7 @@ void handleUpdate() {
}

void webServerInit() {
server.collectHeaders(csrfHeaders, 2);
server.on(
"/update", HTTP_POST,
[]() {
Expand All @@ -92,6 +118,9 @@ void webServerInit() {
server.send_P(200, "image/x-icon", favicon_ico_gz, favicon_ico_gz_len);
});
server.onNotFound([]() {
if (!server.authenticate(authUser, authPass)) {
return server.requestAuthentication();
}
server.send(200, "text/html", indexHtml);
});
server.begin();
Expand Down
41 changes: 36 additions & 5 deletions libraries/WebServer/examples/WebUpdate/WebUpdate.ino
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,16 @@
const char *host = "esp32-webupdate";
const char *ssid = "........";
const char *password = "........";
const char * authUser = "admin";
const char * authPass = "admin";
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same feedback here. Generate a random password, and serial print it. I would suggest avoiding having this hard-coded in this example

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you are missing the point that this is an Arduino basic example, whose purpose is not to secure every possible scenario, but instead to showcase a particular use (the Updater class). No sane person will use admin:admin to secure anything. I can put comment to change the default values or define the user/pass as dots (like the SSID and Pass for WiFi), but anything beyond that is over-complication of otherwise basic example that needs to be readable and easy to understand by novice users. Same goes for uses behind proxies, sessions, etc things that are beyond the scope of the examples and whose implementation is not straight-forward on memory constrained devices. Surely feel free to to propose changes in form of Pull Request that will satisfy your requirements :)

Using Host and Origin was stated to be enough of a protection by the links in your initial report. Session tokens are not an option in our case at all.


WebServer server(80);
const char *serverIndex =
"<form method='POST' action='/update' enctype='multipart/form-data'><input type='file' name='update'><input type='submit' value='Update'></form>";

const char * csrfHeaders[2] = {"Origin", "Host"};
static bool authenticated = false;

void setup(void) {
Serial.begin(115200);
Serial.println();
Expand All @@ -24,37 +29,63 @@ void setup(void) {
WiFi.begin(ssid, password);
if (WiFi.waitForConnectResult() == WL_CONNECTED) {
MDNS.begin(host);
server.collectHeaders(csrfHeaders, 2);
server.on("/", HTTP_GET, []() {
if (!server.authenticate(authUser, authPass)) {
return server.requestAuthentication();
}
server.sendHeader("Connection", "close");
server.send(200, "text/html", serverIndex);
});
server.on(
"/update", HTTP_POST,
[]() {
if (!authenticated) {
return server.requestAuthentication();
}
server.sendHeader("Connection", "close");
server.send(200, "text/plain", (Update.hasError()) ? "FAIL" : "OK");
ESP.restart();
if (Update.hasError()) {
server.send(200, "text/plain", "FAIL");
} else {
server.send(200, "text/plain", "Success! Rebooting...");
delay(500);
ESP.restart();
}
},
[]() {
HTTPUpload &upload = server.upload();
if (upload.status == UPLOAD_FILE_START) {
Serial.setDebugOutput(true);
authenticated = server.authenticate(authUser, authPass);
if (!authenticated) {
Serial.println("Authentication fail!");
return;
}
String origin = server.header(String(csrfHeaders[0]));
String host = server.header(String(csrfHeaders[1]));
String expectedOrigin = String("http://") + host;
if (origin != expectedOrigin) {
Serial.printf("Wrong origin received! Expected: %s, Received: %s\n", expectedOrigin.c_str(), origin.c_str());
authenticated = false;
return;
}

Serial.printf("Update: %s\n", upload.filename.c_str());
if (!Update.begin()) { //start with max available size
Update.printError(Serial);
}
} else if (upload.status == UPLOAD_FILE_WRITE) {
} else if (authenticated && upload.status == UPLOAD_FILE_WRITE) {
if (Update.write(upload.buf, upload.currentSize) != upload.currentSize) {
Update.printError(Serial);
}
} else if (upload.status == UPLOAD_FILE_END) {
} else if (authenticated && upload.status == UPLOAD_FILE_END) {
if (Update.end(true)) { //true to set the size to the current progress
Serial.printf("Update Success: %u\nRebooting...\n", upload.totalSize);
} else {
Update.printError(Serial);
}
Serial.setDebugOutput(false);
} else {
} else if(authenticated) {
Serial.printf("Update Failed Unexpectedly (likely broken connection): status=%d\n", upload.status);
}
}
Expand Down
Loading