CSRF protections

Do you have CSRF attack protection?

If someone uses such an attack on a website to point to 192.168.8.1, does this mean that this router can be hacked? Is there any way to protect from it?

Do you have HTTPS hijack attack protection? I mean, do you provide totally different HTTPS certs for each router (for the admin panel) or are they all the same on all routers? If the same, what stops an attacker from just extracting the cert from your firmware and doing a MITM attack on a known GL router? Can you consider generating a new certificate on first boot (or after a firmware reset)?

@moderators

Yep, they are generated on first start as far as I checked it. But since they are all self-signed … it’s not really security (speaking of trust). If you don’t import it into your trust store you will not know if it changed.

Hmm, what do you mean with router being hacked?

Do you mean a local attack? Not directly, but if the attacker succeeds he can decrypt the HTTPS traffic, though like @admon said you can store it in your trusted certs; it will then immediately stop the connection.

Such an attack is highly unlikely, and probably often happens in an upstream scenario, but because of the firewalling behaviour a router is supposed to have, it will not work.

If you want to replace the self-signed cert by a real one, you can try: [Script] Let's encrypt for GL.iNet router HTTPs access

Then you might access your router through your DDNS address (which works even inside your network)

Good point!

To import I need to export it first. How to export?

For home - you are right (probably).
But for public connections or shared WiFi (for example if you are sharing WiFi with neighbours) it can happen.

It will decrease security as it will open the router to the public network. This can cause brute force and you can NOT prevent this as the attacker will have unlimited time.

Also, if a modem is used (cellular network to WiFi), DDNS won’t work (as in my case).

Moreover, you can maliciously point DDNS to any IP (even a phishing one (for example a phishing proxy)) because you only need to know the SN and device ID to make this attack.

And no, HTTPS will NOT prevent this attack. Because the attacker does something like this:
Your router → real HTTPS → attacker server → attacker HTTPS or HTTP → you

I do NOT recommend using DDNS at all. If you need such a feature - consider GoodCloud or something like a reverse VPN (cloudflared). But both methods will decrease your security more or less.

It does not. Enabling DDNS will not make your router available to the internet.

That’s not how these attacks work.

Can you explain, please? I think we have a misunderstanding.

DDNS will map a DNS entry (from the GL.iNet DDNS service) to your public IP. While running my script, it will indeed open a port (TCP/80) but only for ~10 seconds.
The reason why I said it’s an option: by getting a cert from Let’s Encrypt, it’s trusted by your browser automatically, so you would see if someone tries to hijack the connection.

Yes. This is a misunderstanding :stuck_out_tongue_closed_eyes:

I meant permanently use DDNS :sweat_smile:

This is fair. But importing the self-signed one should be enough, shouldn’t it?

Because a real cert must be updated after some period of time, while a self-signed one can be granted for 10000 days (as an example).

It depends on how well you understand the process of cert creation / cert validation.

I would simply go with my script (because that is why I created it) - it will update the cert automatically and the cert is trusted by your browsers automatically (so no import on different devices, which is e.g. really painful on iOS).

To truly get security + trust you need to create your own CA and create a self-signed cert from this CA.

Or you can just go with the currently installed one and… I guess… no one would try to hack your home router.

I believe in that case you should also be fine, at least by how it is defined.

Let’s say you are at a public WiFi and you set your router up as a repeater; then the repeater works as WAN, meaning the web interface is not accessible and any other direct inbound traffic gets blocked by the firewall. However, there might be tools to even MITM connections, but not on the local segment, so the router web is considered safe, but the external web is not; in that case you might want to use a VPN.

It’s all about getting the certificate before it hits the router; that is why it is more likely to happen upstream, but upstream does not know about your local network.

However, if you really want an open WiFi network then I suggest using WiFi isolation and maybe adding LAN isolation as well so the LAN is on a different network; then they can abuse ARP to become a router but nothing will respond, so it will fail :+1:.

Did you mean this:

#!/bin/bash
# Create a private CA and use it to sign a certificate for the router admin panel.
# Import ca.crt into the trust store of every device that should trust the router.
set -e

CERT_VALIDITY=3650
ROUTER_IP=192.168.8.1

# 1. CA private key and self-signed CA certificate
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days "$CERT_VALIDITY" \
  -subj "/CN=Home Router CA" -out ca.crt

# 2. Server key and certificate signing request for the router
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=$ROUTER_IP" -out server.csr

# 3. Sign the request with the CA. Browsers require the address in
#    subjectAltName; a bare CN is no longer accepted.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days "$CERT_VALIDITY" -sha256 \
  -extfile <(printf 'subjectAltName=IP:%s\n' "$ROUTER_IP") -out server.crt

# Show the resulting certificate
openssl x509 -in server.crt -text -noout

echo "Self-signed certificate created successfully!"

@xize11 I mean this:

Copy/paste description from AI

“A CSRF attack on a router admin panel is a type of web application vulnerability where an attacker can trick a legitimate user into performing unintended actions on the router’s administration interface. This could include changing the router’s settings, such as the Wi-Fi password, enabling remote access, or even completely taking over the router.

The attack works by exploiting the fact that the router’s admin panel trusts any requests coming from a user who is already authenticated and logged in. The attacker crafts a malicious request, often hidden in an image or a link, and tricks the victim into inadvertently sending that request to the router while they are already logged in. This allows the attacker to perform actions on the router as if they were the legitimate user.

The risk with this type of attack is that it can give an attacker full control over the router and the network it manages, potentially allowing them to intercept traffic, monitor user activity, or even use the router as a launching point for further attacks on connected devices. Proper security measures, such as implementing CSRF tokens and other anti-CSRF protections, are important to mitigate this type of vulnerability.”
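The anti-CSRF protection the quoted text mentions, written out as an added example (not code from this thread or from the GL.iNet firmware): a state-changing request to the admin panel is accepted only if its Origin matches the router and it carries the per-session token that a cross-site page cannot read. The origin, session and request dictionaries are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Admin-panel origin from the thread (constructed for this example).
ROUTER_ORIGIN = "https://192.168.8.1"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer-token pattern: a random per-session secret that the admin
    UI embeds in every state-changing form. A page on another origin cannot
    read it because of the same-origin policy, so it cannot forge the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_state_change_allowed(session: dict, headers: dict, form: dict) -> bool:
    """Return True only if the request came from the admin UI itself.
    A forged request rides on the victim's cookie, so an authenticated
    session alone proves nothing; two independent checks are applied."""
    # 1. Origin (or Referer as fallback) must be the router's own origin.
    #    Browsers set Origin on cross-site POSTs and pages cannot override it.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != ROUTER_ORIGIN:
        return False
    # 2. The token in the form must match the session token, compared in
    #    constant time so timing does not leak how many bytes matched.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, supplied)


def demo() -> tuple:
    """Legitimate submission versus a forged cross-site submission."""
    session = {"user": "admin"}  # constructed logged-in session
    token = issue_csrf_token(session)
    legit = is_state_change_allowed(
        session, {"Origin": ROUTER_ORIGIN, "Cookie": "sid=abc"},
        {"wifi_password": "newpass", "csrf_token": token})
    # Victim's browser posts from an attacker page: the cookie is attached
    # automatically, but Origin differs and the token is absent.
    forged = is_state_change_allowed(
        session, {"Origin": "https://evil.example", "Cookie": "sid=abc"},
        {"wifi_password": "pwned"})
    return legit, forged
```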

It does not make sense to use a CA just because you want to use a CA.
Without a deep understanding of what you do there and why … it’s just a waste of time.

I don’t understand what you are trying to achieve at all.

I want to access my router via HTTPS (as I regularly access the admin panel) and not have possible issues with certificate forging by bad actors :stuck_out_tongue_closed_eyes:

In that case, your way is the correct one, even if it does not make sense to create a CA just for one device. You need to keep the CA cert safe. And you need to import it on all devices.

Why do you suspect that someone will try to do a MITM attack within your local LAN? :gl_emoji_confused:

Local LAN? To access the local LAN you need to be connected to my network. If I used HTTP, wouldn’t it make MITM possible for bad actors without accessing the LAN directly (aka sniffing maybe?). Or have I gone the wrong way?

For MITM on the LAN you need to access the LAN.

I mean, can a bad actor see all traffic on the LAN without connecting to my network if it is not HTTPS?

Like “monitoring mode” on an Alpha adapter?

See this or this or this

What.

No one can read your traffic on the LAN without connecting to your LAN. No matter if you use HTTPS, HTTP or any other protocol.

But it is unencrypted, isn’t it? Or do I just have to set up a password (not only a “MAC allow list”)?

Now I don’t understand it at all. You confused me :sweat_smile: