This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Talk:Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

From OWASP
Revision as of 15:02, 27 March 2017 by Eelgheez (talk | contribs) (Identifying cross-origin requests: Clarified)

Jump to: navigation, search

Is this statement really correct?

This means that while an attacker can send any value he wants with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie.

This seems incorrect. An attacker can modify cookies from a sibling domain. See https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf for examples. Thus double-submit csrf cookie should also be checked for some tie to the logged in session so that it can't just be pushed in.

Jim July 27, 2014: What about "This means that while an attacker can send any value he wants with a malicious CSRF request, the attacker would be unable to modify or read the value stored in the cookie other than via cross site scripting. (And cross site scripting resistance is a requirement for good CSRF defense to begin with."

--David Ohsie (talk) 09:47, 30 July 2014 (CDT) I don't think that this is 100% accurate either. Cookies can be written via CSS in a sibling domain, so that even if the application in not vulnerable to CSS, if the sibling domain application is vulnerable to CSS, or is simply not trustworthy, cookies can be written. Cookies can also be written via MITM attacks on http. So the application in question can be completely "secure", but it's cookies can be tampered with anyhow. That is why the paper referenced above suggests that the CSRF token must in some way be tied to the user's session or identity and the "naive" double submit method is vulnerable. At the very least, with naive double submit, the application should check to make sure that there is only one CSRF token cookie value as this will mitigate some attempts to write the cookie from another domain.

Jim July 30, 2014: Ok I got it. Can you make your change live in the document itself to clarify this? Or hey, the entire CSRF Defense cheat sheet needs to be fully re-written and made more concise and more of a "cheat" for developers. Are you interested in taking this over? Aloha! Ps: I'm [email protected] if you want to take this to email.

--David Ohsie (talk) 11:45, 31 July 2014 (CDT)I'll take a crack at editing, although I don't know if I am capable of doing a rewrite. I didn't want to make any changes without some prior discussion.

Jim July 31 2014, Thank you - any help is appreciated. I'm happy to discuss any changes you wish to make. I think this entire page needs a re-do, but happy to do that one change at a time. Aloha!

Confusion About Encrypted Token Pattern

Based on discussion about the encrypted token pattern taking place on security.stackexchange.com, I think that the discussion about the encrypted token pattern should include provide an explanation for the use of the nonce. Is the nonce supposed to be validated? If so, the validation section needs some additional text. Is the nonce there to provide some cryptographic protection? If so, what?

Neil Smithline, http://www.neilsmithline.com 14:45, 15 November 2015 (CST)


CSRF Prevention via Alternative HTTP Methods

Browsers permit cross-domain form submission, but only via GET and POST methods. Modern browsers do not allow you to set the method to anything else, cross domain, unless CORS is used. One can leverage this to prevent CSRF without the need for cryptographic tokens. If you code your site so that material changes to stored data (record updates, other writes) happen only via other HTTP methods (such as PUT, DELETE, PATCH, etc), then no other domain can submit those changes. Of course this means your site will need to use AJAX to submit changes, but this is a very common development pattern already. Definitely interested in any technical discussion on this idea, but if no one sees a problem with it, I think we should add it to the page as an option.

-- TimMorgan (talk) 14:01, 19 December 2015 (CST)

Identifying cross-origin requests

Thanks to the September 15, 2016 change, I see that CSRF can be reliably prevented by the action handlers checking the Origin header (or, in the absence of that, the Referer header). This is because the CSRF scenario abuses unsuspecting users' authorization, where the users generally run an up-to-date browser.

In the case of allowing a broad list of allowed UI origins, the extra checks such as those of anti-CSRF tokens could help mitigate. Perhaps, this is what was meant by the phrase "we recommend a second check as an additional precaution to really make sure"? (The style and the title of the article seems to put the burden of proof on the reader. The existing prescriptive style encourages that, so I wonder if OWASP could use a descriptive style instead). --Eelgheez (talk) 10:02, 27 March 2017 (CDT)