W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2013

Re: Proposed CSRF countermeasure

From: Michael Shema <mshema@qualys.com>
Date: Tue, 27 Aug 2013 13:42:56 -0700
Message-ID: <CA+ri+V4M0wQN_sf3MC=x4O32QPRb7eRq8pubB-OX2hwn+WBhPQ@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: John Wilander <john.wilander@owasp.org>, public-webappsec <public-webappsec@w3.org>
On Tue, Aug 27, 2013 at 12:54 PM, Brad Hill <hillbrad@gmail.com> wrote:

> I guess I question the consistency of the reasoning here.   On the one
> hand, you say it's a good idea to make server-side decisions, e.g. in a
> WAF, to manage exceptions and set the policy in the first place.   On the
> other, you say it's not a good idea to insist the server have knowledge of
> the invocation safety of its own resources.

The point is in the complexity of identifying, tracking, and managing
server-side decisions. Where CSP tries to mitigate the *impact* of XSS
rather than fix it (everyone still insists on server-side data validation),
this is motivated by the desire to simplify how apps may control a user's
session context with regard to a resource.

My stance is better interpreted as it's not a good idea to expect the
server's knowledge to always be complete or its invocation without flaws.
One example I used was Wordpress' /wp-admin/ directory. Wordpress has
strong anti-CSRF tokens. But some plugins forget to implement them.
Consequently, they become unnecessarily vulnerable. This SOS idea was to
make available a countermeasure that affects how resources receive session
state (i.e. cookies) rather than a countermeasure that makes forgery more
difficult. And do so in a way that might be easier than current

>  Why couldn't decisions about which cookies to strip also be made by a WAF
> with the same level of configuration and knowledge of application structure
> as is needed for SOS?
They could; I wanted to explore stronger ways to establish security between
site and User Agent without intermediary components.


> On Tue, Aug 27, 2013 at 12:45 PM, Michael Shema <mshema@qualys.com> wrote:
>> On Mon, Aug 26, 2013 at 1:39 PM, Brad Hill <hillbrad@gmail.com> wrote:
>>> Thanks for the interesting proposal.  You mentioned briefly in the
>>> original message that you decided not to target cookies with this policy
>>> because they are “already ugly, clunky and broken”.
>>>   I’d like to see more explanation and exploration of why such a policy
>>> doesn't belong as part of the artifact you’re trying to control: either
>>> attached directly to cookies, or as part of the problem statement for
>>> successor session management mechanisms currently under discussion at the
>>> WebSec WG in the IETF.
>>> https://datatracker.ietf.org/doc/draft-ietf-websec-session-continue-prob/
>>>  Note that document does NOT currently include CSRF protections in the
>>> motivation or requirements section.  I'd speak up on websec@ietf.org if
>>> you think it ought to.
>> Part of the motivation behind using a header vs. decorating the cookie
>> was the desire to make retrofitting easier. For example, using an inline
>> proxy/WAF rather than digging into cookie APIs or touching the app's code.
>> (Admittedly, this starts to blur the distinction between design and
>> implementation of a control.) Another was wondering if the SOS concept
>> might be expanded or redirected into controls that affect the instantiation
>> of other objects, of which including cookies with a request are one
>> example. I will make a better case with regard to the cookie (either for or
>> against -- I'm not beholden to the proposal, just the idea of improving
>> countermeasures).
>> Thanks for the reference to the IETF link.
>>>   The complexity cost of introducing a distinct header to modify cookie
>>> behavior independently of Set-Cookie, the implementation cost and
>>> complexity of adding more and independent long-term state to the UA in
>>> addition to cookies, as well as the real performance and manageability cost
>>> of pre-flight requests, are all pretty serious obstacles here, in addition
>>> to the weaknesses and compatability issues mentioned by M. Zalewski.
>> Yes, the "return to" type of URL is the "unsafe-inline" weakness for
>> sites that rely on that kind of pattern and have no additional authz checks
>> on such pages. I do think there are other situations and site architectures
>> for which the proposal could be beneficial and provide strong security. It
>> makes the solution less universal, but not useless.
>> Performance and manageability remain important and deserve some reference
>> data to put it in a good light. I'm working on that.
>>   I see that the exception mechanism is something not easy to store as
>>> client-side state, but I wonder what benefits are gained by having the
>>> server express a policy as part of a pre-flight that the client must then
>>> apply, vs. just having the server decide which cookies it will ignore for a
>>> given request based on a Referer or Origin header?  It will have to anyway,
>>> for legacy UAs.
>>> -Brad
>> Being able to have the server knowledgeably decide which cookies to
>> ignore and when is essentially the problem of CSRF. Building such logic on
>> the server-side would be similar to applying CSRF tokens in terms of an
>> effective countermeasure.
>> One way to look at SOS is through a lens like the state of
>> X-Frame-Options. Sites need to rely on JavaScript-based anti-framing for
>> legacy browsers, but may depend on XFO for modern browsers. CSRF tokens
>> would be a migration path to SOS. Some apps may expect user populations
>> with legacy browsers and find little benefit from this, others may expect
>> modern browsers that support HTML5 features and may find it easier to
>> embrace this approach. (Or an app may have no current protection and find
>> that SOS offers an incremental improvement for some users.)
>> Thanks for your feedback.
>> -Mike
>>> On Tue, Aug 20, 2013 at 12:07 PM, Michael Shema <mshema@qualys.com>wrote:
>>>> On Tue, Aug 20, 2013 at 1:54 AM, John Wilander <john.wilander@owasp.org
>>>> > wrote:
>>>>> 2013/8/15 Mike Shema <mshema@qualys.com>
>>>>>> An SOS policy may be applied to one or more cookies for a web
>>>>>> application on a per-cookie or collective basis. The policy controls
>>>>>> whether the browser includes those cookies during cross-origin requests. (A
>>>>>> cross-origin resource cannot access a cookie from another origin, but it
>>>>>> may generate a request that causes the cookie to be included.)
>>>>> Michal mentioned it but it wasn't clear to me – does your proposal
>>>>> apply only to CORS or to all cross-origin requests (iframes, frame sets,
>>>>> images, scripts, style sheets, form gets/posts etc)?
>>>>>    Regards, John
>>>> It applies to all cross-origin requests since those are the potential
>>>> attack vector for CSRF. In practice, a policy would only be necessary for
>>>> areas with CSRF potential. For example, there's likely no reason to worry
>>>> about CSRF and pulling resources from a CDN, not to mention that could be a
>>>> different origin from the protected target anyway. No requests would be
>>>> prevented, but a cookie could be excluded from a request based on a policy.
>>>> The original reference to CORS was focused on adopting its concept of
>>>> pre-flight requests for the purpose of the browser asking, "Should I
>>>> include or exclude this cookie with a cross-origin request?" (As well as
>>>> being able to cache responses to reduce bandwidth overhead.)
>>>> Many sites expect incoming cross-origin requests. Not all incoming
>>>> requests touch a resource that carries risk with regard to CSRF. Hence, the
>>>> proposal aims to allow an exception-based policy where it would (or at
>>>> least, should) be easy to accommodate "safe" requests while still being
>>>> able to block cookies (i.e. a security context) for sensitive resources.
>>>> Thanks,
>>>> Mike
Received on Tuesday, 27 August 2013 20:43:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:34 UTC