JENKINS-40380

AJAX callbacks generate 403s for expired sessions which can trigger an IPS


Details

    Description

      Hi,

      I kept getting locked out of company systems and we eventually tracked it down to our intrusion protection system, OSSEC, blocking me due to these calls on a Jenkins server:

      "POST /ajaxExecutors HTTP/1.1" 403

      Turns out if you leave a Jenkins tab open in a browser and the session times out, Jenkins goes right on polling for build information with AJAX (I've tagged core and the Dashboard View Plugin, because this happens on dashboard pages I think, but I'm not 100% on that). The consequence of this is a continuous string of 403 response codes which, after a little while, will trigger any IPS worth its salt to block the IP address - which is exactly what happens to me.

      Why Jenkins bug? Because most applications I've come across handle this by redirecting folk to the login page if they get a 403 from an AJAX call, not keeping on hammering on those 403s. If Jenkins did that, there'd be one 403, a redirect to login and there the browser tab would sit, showing a login screen. And an IPS would not be triggered.

      Edit: removed the dashboard tag, realised it's definitely the Build Executor div causing this. Also, it's been noted to me this is a regression as the Build Executor box didn't use to do this. Perhaps the response code has changed or the way Jenkins handles session timeouts?

      Hope that makes sense!

      Thanks,

      Greg
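The report describes a client-side behaviour (the executor widget keeps polling after the session has expired) and a proposed fix (stop on the first 403 and send the tab to the login page). Below is an added example of that fix in JavaScript; it is not Jenkins or Dashboard View Plugin code. The endpoint `/ajaxExecutors` is taken from the report; the login URL, poll interval, error limit, container id and the scripted response sequences are assumptions constructed for illustration. It treats 401 like 403, and it also backs off and eventually gives up on server or network errors so that a down server is not hammered either.

```javascript
// Added example, not Jenkins or Dashboard View Plugin code: a browser-side
// poller that treats the first 401/403 from an AJAX call as "session expired",
// stops polling and sends the tab to the login page. Path, interval, login URL
// and container id below are assumptions for illustration.

const POLL_INTERVAL_MS = 5000;        // assumed refresh interval
const MAX_CONSECUTIVE_ERRORS = 5;     // give up after this many 5xx / network failures
const LOGIN_URL = '/login';           // assumed login page

// Pure decision step: given one response status and the number of consecutive
// failures so far, decide what the poller does next.
function nextAction(status, consecutiveErrors) {
  // 401/403: the session is gone. One request, one error line in the log, then stop.
  if (status === 401 || status === 403) {
    return { action: 'stop', reason: 'unauthenticated' };
  }
  // 5xx or network failure (status 0): exponential backoff, then give up.
  if (status === 0 || status >= 500) {
    const errors = consecutiveErrors + 1;
    if (errors >= MAX_CONSECUTIVE_ERRORS) {
      return { action: 'stop', reason: 'too-many-errors' };
    }
    return { action: 'backoff', delayMs: POLL_INTERVAL_MS * 2 ** errors };
  }
  return { action: 'continue', delayMs: POLL_INTERVAL_MS };
}

// Drives the decision step over a scripted sequence of response statuses
// (constructed input standing in for the real server) and reports how many
// requests were sent and how many 403s the server would have logged.
function simulate(statuses) {
  let requests = 0, forbidden = 0, consecutiveErrors = 0, redirected = false;
  for (const status of statuses) {
    requests += 1;
    if (status === 403) forbidden += 1;
    const next = nextAction(status, consecutiveErrors);
    if (next.action === 'stop') {
      redirected = next.reason === 'unauthenticated';
      break;
    }
    consecutiveErrors = next.action === 'backoff' ? consecutiveErrors + 1 : 0;
  }
  return { requests, forbidden, redirected };
}

// The behaviour the report describes: keep polling no matter what comes back.
function simulateNaive(statuses) {
  const forbidden = statuses.filter((s) => s === 403).length;
  return { requests: statuses.length, forbidden, redirected: false };
}

// Browser wiring: same decision step, real timers, a real redirect.
function startPolling(url, fetchImpl = globalThis.fetch) {
  let consecutiveErrors = 0;
  async function tick() {
    let status = 0;
    try {
      const res = await fetchImpl(url, { method: 'POST', credentials: 'same-origin' });
      status = res.status;
      if (res.ok) renderExecutors(await res.text());
    } catch (_) { /* network error: status stays 0 */ }
    const next = nextAction(status, consecutiveErrors);
    if (next.action === 'stop') {
      if (next.reason === 'unauthenticated') window.location.assign(LOGIN_URL);
      return;                         // no further requests from this tab
    }
    consecutiveErrors = next.action === 'backoff' ? consecutiveErrors + 1 : 0;
    setTimeout(tick, next.delayMs);
  }
  tick();
}

// Replaces the widget with the server-rendered fragment (assumed container id).
function renderExecutors(html) {
  const box = document.getElementById('executors');
  if (box) box.innerHTML = html;
}

// Only start in a real browser; in Node the functions above are just callable.
if (typeof window !== 'undefined' && typeof fetch === 'function') {
  startPolling('/ajaxExecutors');
}
```

`simulate` and `simulateNaive` run the same scripted status sequence so the difference is visible without a browser: with the stop-on-403 rule the server logs one 403 and the tab sits on the login page; with the reported behaviour it logs one 403 per interval for as long as the tab stays open, which is exactly the repeated-403 pattern an IPS such as OSSEC counts toward a block.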

      Attachments

        Issue Links

          Activity

            gregharvey Greg Harvey created issue -
            gregharvey Greg Harvey made changes -
            Field Original Value New Value
            Epic Link JENKINS-31156 [ 165812 ]
            gregharvey Greg Harvey made changes -
            Description (edited)
            gregharvey Greg Harvey made changes -
            Description (edited)
            gregharvey Greg Harvey made changes -
            Component/s dashboard-view-plugin [ 15679 ]
            Assignee Evan Van Dyke [ vandyev ]
            Description (edited)
            danielbeck Daniel Beck made changes -
            Epic Link JENKINS-31156 [ 165812 ]
            danielbeck Daniel Beck made changes -
            Link This issue duplicates JENKINS-40344 [ JENKINS-40344 ]
            danielbeck Daniel Beck made changes -
            Resolution Duplicate [ 3 ]
            Status Open [ 1 ] Resolved [ 5 ]

            People

              Unassigned Unassigned
              gregharvey Greg Harvey