what is the best way to generate a csrf token and verify. From what i have been able to gather, even if you have a hidden form field in a "post" form a hacker can simply get that form using ajax, take the csrf token and send another request to the site to submit the form.
And if we are to check the headers sent to us... then the hacker could simply send the csrf token to a server side script that will then emulate the http headers.
So how does one actually generate and verify csrf tokens?
All token-based CSRF protections can be defeated with XSS, which is what you seem to "have been able to gather". This will be a good read for you: OWASP on CSRF
Related
I am trying to add a layer of security to my POST requests.
I have multiple ruby script that doing Curl Post Request to my rails server. The concern here is having an attacker send a big batch of requests at the same time. Blocking our server and costing us lots of money.
Any suggestion would be much appreciated.
You could use the authenticity token rails automatically generates in its forms as a type of very basic captcha for your CLI scripts. Keep in mind that the point of authenticity tokens is to avoid CSRF attacks not DOS attacks so if you are worried about bots taking up bandwidth this wont help, but if your concern is that only 'authorized' requests get through you could use the tokens. Obviously the best solution for that would be to have full User authentication and authorization for your routes and have a user set up for your scripts and generating a JWT for the user. Once you have the authenticity token or a JWT you can just add them to your POST.
You can read how the authenticity tokens work here http://guides.rubyonrails.org/security.html and add the authenticity_token key to your POST. If your scripts are running in the rails environment creating a session and getting a valid token is easy
app.get '/<some_model>s/new'
token = app.session[:_csrf_token]
then use that token in your post
app.post '/<some_model>s', params: {authenticity_token: token}
In:
http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
Which determines cross site request forgery validation. The following function:
def non_xhr_javascript_response?
content_type =~ %r(\Atext/javascript) && !request.xhr?
end
Ends up meaning no XHR requests are validated for CSRF even if the token is invalid?
Why is this? Do XHR requests mean that CRSF doesn't need to be validated with Auth Token?
That isn't correct. Rails checks the CSRF token for all non get/head posts, whether they are ajax or not.
In addition, since rails 4.1 Rails also checks for a csrf token for non xhr GET requests with javascript format. This is to prevent information being leaked when accessed in a cross domain request via JSON-P requests. For xhr the browser will have already enforced cross domain restrictions. This is where the method you have found is used: to see if a request needs this extra check.
If you go back far enough in time, rails did use to exempt ajax requests from CSRF checks, because of the aforementioned browser imposed restrictions. However Rails only knows that a request is an ajax request because of the presence of an X-Requested-With header and it was found that this could be forged, so this was removed
I've been implementing a Rails 4 application with an API. I want to be able to call the API from mobile phones and the webapp itself. I came across this note while researching protect_from_forgery:
It's important to remember that XML or JSON requests are also affected and if you're building an API you'll need something like:
class ApplicationController < ActionController::Base
protect_from_forgery
skip_before_action :verify_authenticity_token, if: :json_request?
protected
def json_request?
request.format.json?
end
end
I was thinking of doing this, but I have some reservations/questions:
This solution seems to leave the CSRF hole open because now an attacker could craft a link with an onclick javascript that posts JSON?
Would checking for an API token be a reasonable substitute? i.e., what if instead of skipping the authenticity check, allowing it to fail the check and recover in handle_unverified_request if the api token is present and correct for current user?
Or maybe I should just make the webapp and mobile devices send the CSRF token in the HTTP headers? Is that safe? How would the mobile phone even obtain the CSRF token, given that it isn't rendering HTML forms to begin with?
Edit for clarification:
I am more concerned about the webapp user clicking a crafted CSRF link. The mobile users are authenticated, authorized, an have an API key, so I am not concerned about them. But by enabling CSRF protection for the webapp users, the mobile users are blocked from using the protected API. I want to know the correct strategy for handling this, and I don't believe the Rails documentation gives the right answer.
An attacker could CURL at your controllers all they like, but if your API requires authentication, they wont get anywhere.
Making the API consumers send a CSRF is not really what CSRF does. To do this you'd need to implement a type of knocking mechanism where your client hits an authorization endpoint first to get the code (aka CSRF) and then submit it in the POST. this sucks for mobile clients because it uses their bandwidth, power, and is laggy.
And anyway, is it actually forgery (i.e. the F in CSRF) if its an authorized client hitting your controller after all?
Sending the CSRF token in an HTTP header is indeed a common approach. It ensures that the client has somehow obtained a valid token. For example, a crafted CSRF link will be sent with credential cookies but the header will not include the CSRF token. Your own javascript on the client will have access to domain cookies and will be able to copy the token from a cookie to the header on all XHR requests.
AngularJS follows this approach, as explained here.
As for your first two questions:
This solution seems to leave the CSRF hole open...
Indeed, which is why you should not disable the CSRF token also in your API.
Would checking for an API token be a reasonable substitute? ...
Probably not. Take into consideration the following (from OWASP):
CSRF tokens in GET requests are potentially leaked at several locations: browser history, HTTP log files, network appliances that make a point to log the first line of an HTTP request, and Referer headers if the protected site links to an external site.
General recommendation: Don't try to invent the wheel. OWASP has a page called REST Security Cheat Sheet as well as the one I linked to before. You can follow the Angular approach (copying the token from a cookie to a header on each XHR request) and for regular non-ajax forms, be sure to use only POST and a hidden field as is normally done in CSRF protection of static server forms.
See here: http://guides.rubyonrails.org/security.html
[Rails CSRF protection] will automatically include a security token, calculated from the current session and the server-side secret, in all forms and Ajax requests generated by Rails. You won’t need the secret, if you use CookieStorage as session storage. If the security token doesn’t match what was expected, the session will be reset.
I'm really hoping that someone could explain to my why the server side secret is not needed if I store the entire session in a cookie.
The reason I ask is because I am trying to figure out if there is a way to generate CSRF tokens in a 100% client-side application (ember.js) where I won't have Rails inserting a CSRF token on all forms. I can certainly write to cookies using JavaScript, and I can certainly hash various values.
If there is some way to generate a cookie client-side using JavaScript, without a server-side secret, and being able to verify on the server please let me know!
Did you try googling this?
There is plenty of information on jQuery/ember.js/Rails CSRF out there. jQuery has an $.ajaxPrefilter which you can use to append the CSRF token from your META tags to the request headers (and having said META tags existing on page for a single page app shouldn't be a problem).
This article provides one implemenation that uses this method (the example is in Coffeescript).
$ ->
token = $('meta[name="csrf-token"]').attr('content')
$.ajaxPrefilter (options, originalOptions, xhr) ->
xhr.setRequestHeader('X-CSRF-Token', token)
Here is another implemenation extending the DS.RESTAdapter.
All Rails is doing in a 'normal' application is adding the CSRF token as a hidden input field to your forms. Whether coming this way or as an HTTP request header, it's picked up on by rails just the same.
I think it might be if using CookieSessionStore in Rails, there will be a secret token used to sign cookie. Rails may use that secret token instead to verify
Back in February 2011, Rails was changed to require the CSRF token for all non-GET requests, even those for an API endpoint. I understand the explanation for why this is an important change for browser requests, but that blog post does not offer any advice for how an API should handle the change.
I am not interested in disabling CSRF protection for certain actions.
How are APIs supposed to deal with this change? Is the expectation that an API client makes a GET request to the API to get a CSRF token, then includes that token in every request during that session?
It appears that the token does not change from one POST to another. Is it safe to assume that the token will not change for the duration of the session?
I don't relish the extra error handling when the session expires, but I suppose it is better than having to GET a token before every POST/PUT/DELETE request.
Old question but security is important enough that I feel it deserves a complete answer. As discussed in this question there are still some risk of CSRF even with APIs. Yes browsers are supposed to guard against this by default, but as you don't have complete control of the browser and plugins the user has installed, it's should still be considered a best practice to protect against CSRF in your API.
The way I've seen it done sometimes is to parse the CSRF meta tag from the HTML page itself. I don't really like this though as it doesn't fit well with the way a lot of single page + API apps work today and I feel the CSRF token should be sent in every request regardless of whether it's HTML, JSON or XML.
So I'd suggest instead passing a CSRF token as a cookie or header value via an after filter for all requests. The API can simply re-submit that back as a header value of X-CSRF-Token which Rails already checks.
This is how I did it with AngularJS:
# In my ApplicationController
after_filter :set_csrf_cookie
def set_csrf_cookie
if protect_against_forgery?
cookies['XSRF-TOKEN'] = form_authenticity_token
end
end
AngularJS automatically looks for a cookie named XSRF-TOKEN but feel free to name it anything you want for your purposes. Then when you submit a POST/PUT/DELETE you should to set the header property X-CSRF-Token which Rails automatically looks for.
Unfortunately, AngualrJS already sends back the XSRF-TOKEN cookie in a header value of X-XSRF-TOKEN. It's easy to override Rails' default behaviour to accomodate this in ApplicationController like this:
protected
def verified_request?
super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
end
For Rails 4.2 there is a built in helper now for validating CSRF that should be used.
protected
def verified_request?
super || valid_authenticity_token?(session, request.headers['X-XSRF-TOKEN'])
end
I hope that's helpful.
EDIT: In a discussion on this for a Rails pull-request I submitted it came out that passing the CSRF token through the API for login is a particularly bad practice (e.g., someone could create third-party login for your site that uses user credentials instead of tokens). So cavet emptor. It's up to you to decide how concerned you are about that for your application. In this case you could still use the above approach but only send back the CSRF cookie to a browser that already has an authenticated session and not for every request. This will prevent submitting a valid login without using the CSRF meta tag.
Rails works with the 'secure by default' convention. Cross-Site or Cross-Session Request Forgery requires a user to have a browser and another trusted website. This is not relevant for APIs, since they don't run in the browser and don't maintain any session. Therefore, you should disable CSRF for APIs.
Of course, you should protect your API by requiring HTTP Authentication or a custom implemented API token or OAuth solution.