Update: [CSRF] Improving the new Double Submit Cookie sections from #1110 #1143
Comments
advename
added
ACK_WAITING
|
Awesome @advename I agree. |
mackowski
added
ACK_OBTAINED
|
I think the double-submit cookie section is really "over built," and would love to see it simplified. |
|
@jmanico, do you have any suggestions? |
|
I like the new double-submit cookie section as someone that is attempting to learn about this. There are a lot of different approaches for different reasons and more information is certainly appreciated. However, I have a question about the pseudocode. It sets a Wouldn't it be better to only expose the random value in the |
|
I think the signed double-cookie submit is very confusing and would like it to go away, I think its very confusing and not necessary. |
If you care to submit a PR that removed that section, I'd take it! |
That's what I outlined in this PR, and am still waiting for feedback on PR 1149. Collapsibles should help us to make it more straightforward and "stow away" the extensive contexts.
I have not yet had the chance to see any XSS vulnerabilities because of the sessionID knowledge. Nevertheless, I agree. My notes, from which I wrote the new sections from, also don't send the sessionID in the CSRF Cookie, but only, as you point out, the random value. |
|
Hey @advename can you give me a PR for one small thing at a time, maybe on PR for just the removal of signed double submit for start? It's a lot easier for me to process small changes as opposed to big design changes. And when your collapsable is ready to go live let me know! |
|
@jmanico would love to. But i have still not received a reply to my previous questions. |
|
Hey @advename what questions are not answered? I don't have any thoughts on collapsable but am happy to answer questions about content. I don't think we need the signed cookie section at all, I'd rather just keep it simple and explain the basic ideas. If there are pending questions you want me to answer, please ask me again here. I'm sorry to have missed them! |
I was about to open an issue about this, then decided to see if anyone else mentioned it, so here I am. As you mentioned, this way of generating a csrf token leaks the In summary, including the |
|
I also agree the sessionId derived token is a bad idea. Would someone like to remove this and submit a PR? |
Just saw your post now, and I ended up noticing the same thing and created an issue #1493 The implementation of the "signed double submit cookie" is fundamentally flawed. I'm genuinely surprised this was even approved. Do you have anything to say for your broken implementation of csrf protection @advename ? |
|
@c0nd3v - I think we all agreed in this discussion that the session id should go. However, at the time of when I initially discussed this issue, I was waiting for some updates from the maintainers on collapsible sections for improved structure. Since that moved quite slowly and a crunch-time at work happened, I didn't spare much attention to this since then. |
Eh, its your pull request, isn't it? It's been up for a whole year and some more already. You have some responsibility in association with that. I sure hope nobody actually followed what you recommended in the mean time. Sorry to be harsh, but this is embarrassing and hurts the reputation of OWASP as an organization. |
|
No harshness taken! |
|
@c0nd3v feel free to chip in: #1513 |
|
Thank you all! |
|
@mackowski , this issue is not completed. It mainly discussed the session id issue, but the initial topics are still open. |
What is missing or needs to be updated?
My previous PR to fix #1110 reintroduced an overview of the HMAC CSRF Token and added a Naive Double Submit Cookie and Encrypt Cookie sections.
The PR is merged into
main, but there are some improvements left I believe should be addressed.How should this be resolved?
Improvement 1
Uncertain if the pseudocode should be marked with
code. Maybe we should usepythonsince it's close to python syntax, taking advantage of highlighting.Improvement 2
Personally, the new "Signed Double Submit Cookie" section does still not provide full mitigation against CSRF attacks, since it doesn't involve by default the idea of using session-dependent value. I would suggest instead of the header "Signed Double Submit Cookie", to use "Session-dependent Signed Double Submit Cookie", since a "Session-independent Signed Double Submit Cookie" is only a mitigation technique when combined with
Referervalidation to protect against:Actually, the "Double Submit Cookie" & "Signed Double Submit Cookie" pattern without a session-dependent value is only a defense-in-depth (DiD) technique.
Only the following two are true mitigation techniques:
Referervalidation. This is the CSRF mitigation technique of Django, as they have always utilized a signed, session independent, Double Submit Cookie) which by itself withoutReferervalidation is vulnerable to both previously mentioned attacks.I'm uncertain how to include easily the idea of "session-dependent" value without overwhelming the less experienced developers.
Furthermore, the "Naive Double Submit Cookie" is a defense-in-depth technique and should probably be moved into the Defense in Depth Techniques section? This would mean we have to restructure the "Double Submit Cookie" to introduce "Signed Double Submit Cookie" as the default from the beginning.
Improvement 3
There is actually a bug I just noticed in the pseudocode. The
request.setCookie()should actually beresponse.setCookie()since we set the CSRF cookie in the response.The text was updated successfully, but these errors were encountered: