W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: CORS and CSRF protection

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 16 Jul 2014 16:04:02 -0700
Message-ID: <CAEeYn8hRQj7vjGmz7ZkPOVf9v2FujD4vcLVfJ2o5Fp3_uMGr4w@mail.gmail.com>
To: Monsur Hossain <monsur@gmail.com>
Cc: Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Monsur,

  This isn't really a topic for this list.  I might suggest OWASP or
WASC as groups that can work on practical security patterns.

  By way of a short answer, you are correct that double-submit cookies
are really only appropriate when all valid requests are expected to
come same-origin.  A variety of other patterns are possible.  Some are
based on redirects, such as the one you hypothesize.  There are more
established and well-analyzed versions of such protocols including
OAuth, OAuth2 and SAML you might want to look into.  Another approach
could be to use postMessage() to share a CSRF secret to share scoped,
cross-origin tokens in a purely-client-side implementation.

cheers,

Brad

On Wed, Jul 16, 2014 at 3:06 PM, Monsur Hossain <monsur@gmail.com> wrote:
> Hi there. Sorry to dredge up this old thread, but I'm having trouble
> understanding how Double Submit Cookies would work with CORS. Imagine I have
> an HTML page at http://client.example.com that makes a CORS POST request to
> http://api.example.com. Double Submit Cookies relies on a cookie and a
> request parameter having the same value. However, in the case of CORS, the
> request originates from http://client.example.com, but the cookie will be
> from http://api.example.com.  There is no way for client.example.com to read
> api.example.com's cookie and included it in the request. Therefore,
> api.example.com needs some mechanism to give client.example.com the value of
> the CSRF token.
>
> One way to do this is after logging in to api.example.com, set a random
> number in a cookie (separate from the session cookie), and then redirect the
> user to a page on client.example.com with the random number in the query
> string (for example, client.example.com/signin?csrf_token=12345). The client
> would then set its own cookie with the csrf token value. On requests that
> require CSRF protection, the client would do the following:
>
> Grab the csrf token from the client's cookie and include its value in the
> query string (or the POST body)
> Make the XHR request with withCredentials set to true, so that the csrf
> token from the api server is also included in the request
> The server compares the csrf value in the client's query parameter to the
> value in the server's cookie.
>
> However, I am not a security expert, so I have no idea if this is
> reasonable. Is there anyone who can help with this?
>
> Thanks,
> Monsur
>
>
>
>
> On Fri, Apr 4, 2014 at 9:34 AM, Jim Manico <jim.manico@owasp.org> wrote:
>>
>> I would consider the double-cookie submit defense in this situation.
>> Maybe.
>>
>> From
>> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
>>
>> Double Submit Cookies
>>
>> Double submitting cookies is defined as sending a random value in both a
>> cookie and as a request parameter, with the server verifying if the cookie
>> value and request value are equal.
>>
>> When a user authenticates to a site, the site should generate a
>> (cryptographically strong) pseudorandom value and set it as a cookie on the
>> user's machine separate from the session id. The site does not have to save
>> this value in any way. The site should then require every sensitive
>> submission to include this random value as a hidden form value (or other
>> request parameter) and also as a cookie value. An attacker cannot read any
>> data sent from the server or modify cookie values, per the same-origin
>> policy. This means that while an attacker can send any value he wants with a
>> malicious CSRF request, the attacker will be unable to modify or read the
>> value stored in the cookie. Since the cookie value and the request parameter
>> or form value must be the same, the attacker will be unable to successfully
>> submit a form unless he is able to guess the random CSRF value.
>>
>> Direct Web Remoting (DWR) Java library version 2.0 has CSRF protection
>> built in as it implements the double cookie submission transparently.
>>
>>
>>
>> On 4/4/14, 7:12 AM, Monsur Hossain wrote:
>>
>> I have a question about this statement in section 4 of the CORS spec,
>> regarding credentialed simple requests:
>>
>> "...resources for which simple requests have significance other than
>> retrieval must protect themselves from Cross-Site Request Forgery (CSRF) by
>> requiring the inclusion of an unguessable token in the explicitly provided
>> content of the request."
>>
>>
>> Does this mean that CSRF protection should be added in order to protect
>> resources from non-CORS requests (e.g. requests without an Origin header,
>> such as JavaScript form.submit()), or does it mean that CSRF protection
>> should be used for all requests (CORS as well as non-CORS)?
>>
>> If the recommendation is that CSRF protection should be used on CORS
>> requests, it raises a few more questions:
>>
>> 1) What protections does CSRF protection add vs validating the Origin
>> header? Both are tokens from the client that can't be spoofed (in the CSRF
>> case, it is an unguessable token, in the Origin case, the origin is a known
>> value, but it can't be overridden by malicious clients)
>>
>> 2) The details of implementing CSRF protection for any cross-origin
>> request seems difficult, at least if you are trying to coordinate a CSRF
>> token across two different servers. The servers need to coordinate a shared
>> secret in order to generate a CSRF token from the client and parse the same
>> CSRF token on the server. Its not as simple as downloading a CSRF package
>> from GitHub and adding it to your server. Is that correct, or am I missing
>> something?
>>
>> Thanks,
>> Monsur
>>
>>
>
Received on Wednesday, 16 July 2014 23:04:30 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC