[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: proposal: xsrf protection for restful web services

Subject: Re: proposal: xsrf protection for restful web services
From: John Locke <..hidden..>
Date: Fri, 21 Feb 2014 08:21:20 -0800

Hi, Chris,

On 02/20/2014 11:24 PM, Chris Travers wrote:

Right now, the current 1.4 web services don't provide a great deal ofstrong protection against xsrf. The current approach is not reallysafe enough, and so right now, unless we find a way to fix this, we'dneed to recommend opening up that section of urls only to trustedhosts (i.e. servers). While this seems like a big limitation, if yourestrict by client-side certificate you could allow access fromdedicated non-browser mobile clients but not web browsers.
There is another option though, in that we could allow for some sortof digital signing of a component of a request. Unfortunately, this isgoing to require going with perl modules (which don't have a perfectcpantester record) or pgcrypto as an extension. However, you couldhave a public key, and you could check the signature of a specific setof information.
A third option would be a pre-shared auth key that would be submittedwith every request, and tied to the user. The positive side is thatit would be simple. The negative side is that the tokens would belong-term valuable and if compromised would provide a means to exploitxsrf via the browser if the user accounts are shared.
For now (1.4) I think recommending client-side certs would provide themost protection, but while this provides good protection for dedicatedclients it means effectively locking browsers out of the restful webservices.
Our current csrf protections for the web app, while better on thebrowser than any others that could be implemented there with RESTfulprinciples, is certainly not RESTful, as it requires effectivelypre-authorizing every write request (i.e. get the authorization tokenthen add it to the post request). This requires a double-round tripto make a write effective.
Anyway, feedback is requested.


This is an area I was overdue for investigating ;-)

I found a bunch of useful links on preventing CSRF on REST APIs, andbased on that, I think we should handle this a couple different ways.

First of all, if we're going to move more application management to thebrowser (for example, build an invoice with Javascript and post theresult as JSON into the back end when done, which is a pattern Erik andI were discussing yesterday) we want to support having browsers use theRESTful web services. And of course, what use is an API if you can't useit from another service? So yes, we want something relatively simple toimplement for both cases. A client-side certificate seems like a lot ofextra work when writing a client, and not a common pattern.

So we need to cover two cases when authenticating a request: a requestfrom a user logged into the web site, and a request from anywhere else.

We already use a session identifier for the web site, so we can detectif a user has recently logged in. To cover this case, I am thinking the"double-submit" pattern described here would be sufficient:http://appsandsecurity.blogspot.com/2012/01/stateless-csrf-protection.html(and make sure we don't require that for GET requests). That is, theclient sends the same value in a Cookie as well as in the data of aPOST, PUT, or DELETE request. That does not even need to be generatedserver side to prevent CSRF -- the server should just verify that forauthenticated sessions, these values match.

For API calls that do not involve a session, we already requireauthentication. I think it's reasonable, if we require a session forauthentication, for a web service client to either do a double-submit ora "synchronizer token" (which I think describes our current anti-CSRFprotection) -- the client can route all requests through a centralbroker to apply the next token to the data before submitting.


Here's what I found useful:

http://appsandsecurity.blogspot.com/2012/01/stateless-csrf-protection.html
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
http://security.stackexchange.com/questions/20187/oauth2-cross-site-request-forgery-and-state-parameter

The key thing for CSRF attacks is the attacker does not have access tothe credentials themselves, or any cookie values. If we can detect allrequests coming from our app and double-check against state that cannotbe accessed from a different site, we block a CSRF attack. For any otherAPI consumer, the app already needs to supply authentication.


Cheers,
John Locke
http://www.freelock.com


Cheers,
John Locke

References:
- proposal: xsrf protection for restful web services
  - From: Chris Travers

Prev by Date: proposal: xsrf protection for restful web services
Next by Date: Re: 1.3: Taxes, sub cent invoice amounts and non sub-cent payments
Previous by thread: proposal: xsrf protection for restful web services
Next by thread: bugs #1073 - emails did not pull in order/offer forms
Index(es):
- Date
- Thread