Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify CSRF requirement 50.4.1 #2481

Open
tghosth opened this issue Dec 18, 2024 · 21 comments
Open

Clarify CSRF requirement 50.4.1 #2481

tghosth opened this issue Dec 18, 2024 · 21 comments
Assignees
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet next meeting Filter for leaders V50 Group issues related to Web Frontend _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@tghosth
Copy link
Collaborator

tghosth commented Dec 18, 2024

Current text:

# Description L1 L2 L3 CWE
50.4.1 [MODIFIED, MOVED FROM 4.2.2, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality, using the development framework's built-in anti-CSRF functionality or CSRF tokens, along with additional defense-in-depth measures. 352

We also have:

# Description L1 L2 L3 CWE
50.4.3 [ADDED, SPLIT FROM 14.5.3] Verify that the Origin header field is validated against a defined list of allowed origins to match the desired Cross-Origin Resource Sharing (CORS) policy. 346

Points to change:

Potential wording:

[MODIFIED, MOVED FROM 4.2.2, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality. This should use the development framework's built-in anti-CSRF functionality or CSRF tokens, along with additional defense-in-depth measures such as validating the origin header. Where cross-origin requests are used, this should always trigger a CORS preflight request first.

@tghosth tghosth added 4) proposal for review Issue contains clear proposal for add/change something _5.0 - prep This needs to be addressed to prepare 5.0 V50 Group issues related to Web Frontend labels Dec 18, 2024
@elarlang elarlang added 3) awaiting proposal There is some discussion in issue and reach to some results but it's not concluded with clear propos and removed 4) proposal for review Issue contains clear proposal for add/change something labels Dec 18, 2024
@elarlang elarlang self-assigned this Dec 18, 2024
@jmanico
Copy link
Member

jmanico commented Dec 19, 2024

[MODIFIED, MOVED FROM 4.2.2, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality. This should use the development framework's built-in anti-CSRF functionality or CSRF tokens, along with additional defense-in-depth measures such as validating the origin header. Where cross-origin requests are used, this should always trigger a CORS preflight request first.

Notes:

  • Simple cross-origin javscript based requests (XHR, fetch) do not trigger pre-flight.
  • Cross origin requests from non-JavaScript sources (like HTML forms) do not trigger pre-flight or SOP.

@randomstuff
Copy link
Contributor

Yes, "Where cross-origin requests are used, this should always trigger a CORS preflight request first." does not feel right as a consequence.

@tghosth
Copy link
Collaborator Author

tghosth commented Dec 22, 2024

So I would clarify to:

"[MODIFIED, MOVED FROM 4.2.2, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality. This should use the development framework's built-in anti-CSRF functionality or CSRF tokens, along with additional defense-in-depth measures such as validating the origin header. Where cross-origin requests are used for this functionality, this should always trigger a CORS preflight request first."

Can we think of a situation where a cross-origin request for "authenticated or sensitive public functionality" should not trigger a pre-flight?

@elarlang
Copy link
Collaborator

I don't like the requirement nor the proposal. It takes some time to list all the issues. That's why it is assigned to me with status "awaiting proposal".

@elarlang
Copy link
Collaborator

elarlang commented Dec 22, 2024

So, some ideas to take into account.

Problems:

  • The terminology (CSRF) is outdated
    • I think at the time Cross-Site Request Forgery was invented, the term Site was not defined
      • The Site is effective top level domain + 1 (need to take into account the public suffix)
    • Nowadays the term Cross-Site is most of the time used incorrectly
      • Mostly the request forgery happens from the Same-Site scope due to he cookie SameSite attribute setup, but it is called Cross-Site Request Forgery
      • If the request forgery happens due to CORS misconfiguration, the actual problem is Cross-Origin Request Forgery, because the boundary for CORS is Origin (not Site)
  • Safe HTTP methods vs state changes - request forgery, or also "use HTTP safe methods" are often limited to "state changing" functionality, but also in the scope should be
    • Resource-demanding functionality, such as data export, serving a large file
    • Authentication form
    • Filling any form, such as commenting anything (hate speech into public site can cause some issues)
  • Addressed functionality: we need to take into account
    • authenticated and not authenticated functionality
    • state handling with cookies
    • state handling with Authorization header (adding it with JavaScript)
    • state handling with Authorization header (adding by the browser automatically - basic auth, NTLM, etc)

Proposals (to take into account):

  • Terminology - we call it abstractly "request forgery"
    • or if to work hand-in-hand with Server-Side Request Forgery then it can also be called Client-Side Request Forgery (ironically, the acronym is CSRF)
  • Define the goal to achieve: for executing state-changing or resource demanding functionality (we may ask documentation requirement for that), application must be sure the request was initiated by the application itself or by a trusted party.
  • Special highlight for "downgrading" CORS-preflight request to CORS-safelisted request - need to check Origin and Content-Type request headers.

v4.0.3 Requirements to cover:

  • V4.2.2 Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality.
  • V13.2.3 Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, or Origin request header checks.
  • V13.2.5 Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json.

Additionally, v5.0.0 requirements to cover:

  • V50.4.1 [MODIFIED, MOVED FROM 4.2.2, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality, using the development framework's built-in anti-CSRF functionality or CSRF tokens, along with additional defense-in-depth measures.
  • V50.4.3 [ADDED, SPLIT FROM 14.5.3] Verify that the Origin header field is validated against a defined list of allowed origins to match the desired Cross-Origin Resource Sharing (CORS) policy.
  • V13.2.5 Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json.

@elarlang elarlang added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet and removed 3) awaiting proposal There is some discussion in issue and reach to some results but it's not concluded with clear propos labels Dec 22, 2024
@randomstuff
Copy link
Contributor

The terminology (CSRF) is outdated

I agree. I don't like this term very much (and I don't like "XSS" much either for the same kind of reasons). However, this is the accepted wording. It is difficult to depart from it and mint your own wording when the whole community is using this "CSRF".

FWIW, I think a better wording would be "cross origin request forgery" but it is not used at all anywhere.

then it can also be called Client-Side Request Forgery

I kind-of like that 😄.

I'm wondering if this is clear enough though. There might be other kind of client-side request forgery (for example, client-side cross-protocol confusion attacks, ALPACA).

@elarlang
Copy link
Collaborator

elarlang commented Dec 23, 2024

Offtopic:

and I don't like "XSS" much either for the same kind of reasons

Probably you can find also from here (ASVS repo) in issues discussions how much I don't like the XSS. The XSS even worse than CSRF. CSRF is "half ok", because the "request forgery" part still explains what it is. But XSS is also used in "Same-Origin HTML injection" situation, which means not a single word from cross-site scripting is actually true, and this is insane nonsense.


Ontopic:

However, this is the accepted wording. It is difficult to depart from it and mint your own wording when the whole community is using this "CSRF".

I think "this is the used term", not that much maybe "the accepted term" anymore. At the end, the term Cross-Site Request Forgery is incorrect and there is no reason to use it. The same with XSS - we have it mentioned only in one requirement in the context of impact. The "Cross-Site" is used also in "XSSI" name.

FWIW, I think a better wording would be "cross origin request forgery" but it is not used at all anywhere.

I would not limit it to cross-origin either. It can be also same-origin - for example, an attacker can use only HTML injection (classical outcome from sanitized HTML, you can still use <img src="/local/path">), but with that can trigger all functionality (if cookies are used for state handling) using GET method - for example calling resource demanding export, call logout etc.

@tghosth
Copy link
Collaborator Author

tghosth commented Dec 23, 2024

@elarlang I see your point but can you make a concrete wording suggestion please.

@jmanico
Copy link
Member

jmanico commented Dec 26, 2024 via email

@jmanico
Copy link
Member

jmanico commented Jan 1, 2025

Addressing proposals from @elarlang :

  1. Terminology - we call it abstractly "request forgery"

Cross Site Request Forgery, Session Riding CSRF and XSRF are the common terms and acronyms. If we stray beyond these, can we please cite them along side the new term? Maybe session riding is more accurate than cross site request forgery or request forgery? But overall I do not think this is a big problem. Most of the industry recognizes these legacy terms. The generic term "request forgery" is too generic IMO, it can incorrectly refer to SSRF or Clickjacking.

  1. Define the goal to achieve: for executing state-changing or resource demanding functionality (we may ask documentation requirement for that), application must be sure the request was initiated by the application itself or by a trusted party.

I like the direction of this. But I think it's more than state changing functionality. I think it's any functionality that would cause damage if the request was forged, regardless of the verb or state changing effect.

  1. Special highlight for "downgrading" CORS-preflight request to CORS-safelisted request - need to check Origin and Content-Type request headers.

I think this is a really good idea to add in. Thumbs up on this one.

@elarlang
Copy link
Collaborator

elarlang commented Jan 2, 2025

Previously I proposed to use client-side request forgery to be "paired" with SSRF, but one of them is making the request and another is accepting the request:

  • SSRF - The defense against SSRF is to not allow the application server-side component to make the request to the location based on untrusted input
  • CSRF - The defense against CSRF is to not allow the application server-side component to accept a request from an untrusted party

The "Client" is also vague, and in the situation of SSRF to happen, the vulnerable application itself is a client to make the request. So maybe browser-based request forgery is a more correct or self-explaining term to use.

Proposal

Proposal is provided with different parts to have more precise feedback.

  • the term "sensitive functionality" - there should be something better, as it may get mixed or confusion with data classification.
  • part 2 - what else must be listed to "to be protected against "csrf" list?

Part 1 - the definition:

Verify that the application validates the request to call out state-changing or sensitive functionality originating from the functionality provided by the application itself or by a trusted party, to defend against browser-based request forgery attacks (previously known as cross-site request forgery (CSRF)).


Part 2 - the clarification the functionality to defend

Sensitive functionality includes accepting form posts for authenticated and non-authenticated users (such as authentication), calling out resource-demanding functionality (such as data export), and (todo: what else to list here?)


Part 3 - safe HTTP methods for data changes (merge 13.6.2)

Sensitive functionality must not be executed using safe HTTP methods such as HEAD, OPTIONS, or GET (e.g. using navigation request).


Part 4 - CORS spotlight (merge 13.2.5)

For requests that expect to trigger a CORS-preflight request, request header fields such as 'Origin' and 'Content-Type' must be validated to ensure that it is not possible to call the functionality with CORS-safelisted request.


Part 5 - terminology note

Too long to add into the requirement, probably part of the chapter text:

Note that the attack vector is known as cross-site request forgery (CSRF), but the definition of site (effective Top Level Domain + 1) makes the term CSRF outdated and incorrect. The scope limitation to cross-site is not valid, as the attack may come from 'same-site but cross-origin' or from 'same-site and same-origin' scope.

@elarlang
Copy link
Collaborator

elarlang commented Jan 2, 2025

We also have a requirement for safe-methods:

V13.6.2 [MODIFIED, MOVED FROM 13.2.1] Verify that HTTP requests using the HEAD, OPTIONS, TRACE or GET verb do not modify any backend data structure or perform any state-changing actions. These requests are safe methods and should therefore not have any side effects.

The main goal is the same, it is a kind of pre-condition to have a defense against browser-based request forgery attacks and it does not have its own separate risk.

The choice here is, to merge everything into one monster requirement, or to have some more specific separate requirements to address separate related and underlying problems, such as using safe methods for state changes or CORS-preflight downgrade to CORS-safelisted.

@tghosth
Copy link
Collaborator Author

tghosth commented Jan 2, 2025

So what is the rough wording suggestion please here @elarlang?

@elarlang
Copy link
Collaborator

elarlang commented Jan 2, 2025

So what is the rough wording suggestion please here @elarlang?

Rough wording is concat(part1, part2, part3, part4, part-x) - written as separate parts to have more precise feedback and finetuning for different parts.

Updated proposal in #2481 (comment)

@tghosth
Copy link
Collaborator Author

tghosth commented Jan 5, 2025

Regarding,

the term "sensitive functionality" - there should be something better, as it may get mixed or confusion with data classification.

Maybe we need to focus on state changing or resource intensive functionality. Not sure I know what sensitive functionality means in this that isn't included by one of those other definitions.

part 2 - what else must be listed to "to be protected against "csrf" list?

Not convinced there is anything else.

I would propose the following text:

"Verify that requests to state-changing or resource intensive functionality are checked to ensure they originate from the application itself, to defend against browser-based request forgery attacks (commonly known as cross-site request forgery (CSRF)). Additionally, this functionality must not be invoked using safe HTTP methods such as HEAD, OPTIONS, or GET. This precaution will ensure that cross-origin requests to this functionality will trigger a preflight request."

Comments on the proposal:

  • In this use case, the "trusted party" is considered part of the application.
  • Part 2 - the clarification the functionality to defend - I think this part is now redundant with the updated wording.
  • (e.g. from a navigation request) - I think this is redundant or should be moved to the section text.
  • Part 4 - CORS spotlight (merge 13.2.5) - Based on what it says at this link, we are enforcing preflights through our HTTP verb requirement.
  • Part 5 - terminology note - I have included a proposal below to rework the section text.
    Section text:

V50.4 Browser Origin Separation

When accepting a request on the server side, we need to be sure it is initiated by the application itself and not in some way spoofed by a malicious party. Key security mechanisms here include browser security policies like Same Origin Policy for JavaScript and also SameSite logic for cookies.

The most common and well known attack vector is known as cross-site request forgery (CSRF), but note that the definition of site (effective Top Level Domain + 1) makes the term CSRF outdated and incorrect. The scope limitation to cross-site is not valid, as the attack may come from 'same-site but cross-origin' or from 'same-site and same-origin' scope.

@elarlang
Copy link
Collaborator

elarlang commented Jan 5, 2025

In this use case, the "trusted party" is considered part of the application.

As we included CORS, it may be some other trusted party that uses the API

Part 2 - the clarification the functionality to defend - I think this part is now redundant with the updated wording.

The proposal lost spotlight for the non-authenticated actions, such as authentication.

Part 4 - CORS spotlight (merge 13.2.5) - Based on what it says at this link, we are enforcing preflights through our HTTP verb requirement.

If you don't validate the previously/my proposed part 4, you can bypass this new/your proposed part 4.

@elarlang elarlang added the next meeting Filter for leaders label Jan 5, 2025
@tghosth
Copy link
Collaborator Author

tghosth commented Jan 9, 2025

I think the following requirement covers parts 1, 2 and 4 above:

"Verify that requests to state-changing, security sensitive, or resource intensive functionality includes a mechanism to prevent browser-based request forgery attacks, commonly known as cross-site request forgery (CSRF). Ideally the functionality should only accept content-types which would trigger a CORS preflight and enforce an allow list of 'Origin' headers. Alternatively, another CSRF prevention mechanism may be used."

It covers the "write" case here where the "read" case is covered by 50.3.6.

I think the following requirement covers part s 1, 2 and 4 3 above:

"Verify that requests to state-changing, security sensitive, or resource intensive functionality use appropriate HTTP methods including POST, PATCH, DELETE or PUT."

Part 5 will be covered in chapter text but we have a note that we wanted to mention authentication as a specific "write" case there.

@jmanico
Copy link
Member

jmanico commented Jan 9, 2025 via email

@ryarmst
Copy link
Collaborator

ryarmst commented Jan 10, 2025

I would like to add my opinion that I think it is a good opportunity to move away from Cross-Site Request Forgery as a term. That said, our field would not be unique in clinging to incorrect terminology. "Heartburn" for example, has nothing to do with the heart...

Maybe we need to focus on state changing or resource intensive functionality. Not sure I know what sensitive functionality means in this that isn't included by one of those other definitions.

I would consider XS Leaks and (See #2409), Spectre-like attacks (also #2409), and attacks like BREACH (#2203) to be relevant to the discussion. Here is a relevant comment from the closing of #2203:

We also think that other cross origin and anti-automation controls would hopefully help mitigate this.

I think therefore it is worth consider these classes of issues when constructing requirements to restrict processing of cross-site or cross-origin requests because there is functionality beyond resource intensive or state changing that could be impacted. Unfortunately, that also complicates the considerations. Thoughts?

One more thing I would like to add to the discussion (sorry): Fetch Metadata is now widely supported and provides much more contextual information about the nature of requests (compared to just the Origin header).

@elarlang
Copy link
Collaborator

Let's focus for this issue only to handle the related requirements (50.4.1, 13.2.5, 13.6.2).

If there are related requirements, let's have the wording first and then we can see, where those fits.

I'm aware of Sec-Fetch-* header fields, those are in use also in requirement 50.6.1. I feel it is more #2049 area to discuss.


On topic: As "the one monster csrf requirement" does not work out, I think we should move away from this direction and keep current separate requirements with finetuned focuses. I'll come back to this with a separate comment/proposal..

@tghosth
Copy link
Collaborator Author

tghosth commented Jan 16, 2025

@elarlang to prepare an updated proposal

@tghosth tghosth closed this as completed Jan 16, 2025
@tghosth tghosth reopened this Jan 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet next meeting Filter for leaders V50 Group issues related to Web Frontend _5.0 - prep This needs to be addressed to prepare 5.0
Projects
None yet
Development

No branches or pull requests

5 participants