-
-
Notifications
You must be signed in to change notification settings - Fork 677
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify CSRF requirement 50.4.1 #2481
Comments
Notes:
|
Yes, "Where cross-origin requests are used, this should always trigger a CORS preflight request first." does not feel right as a consequence. |
So I would clarify to: "[MODIFIED, MOVED FROM 4.2.2, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality. This should use the development framework's built-in anti-CSRF functionality or CSRF tokens, along with additional defense-in-depth measures such as validating the origin header. Where cross-origin requests are used for this functionality, this should always trigger a CORS preflight request first." Can we think of a situation where a cross-origin request for "authenticated or sensitive public functionality" should not trigger a pre-flight? |
I don't like the requirement nor the proposal. It takes some time to list all the issues. That's why it is assigned to me with status "awaiting proposal". |
So, some ideas to take into account. Problems:
Proposals (to take into account):
v4.0.3 Requirements to cover:
Additionally, v5.0.0 requirements to cover:
|
I agree. I don't like this term very much (and I don't like "XSS" much either for the same kind of reasons). However, this is the accepted wording. It is difficult to depart from it and mint your own wording when the whole community is using this "CSRF". FWIW, I think a better wording would be "cross origin request forgery" but it is not used at all anywhere.
I kind-of like that 😄. I'm wondering if this is clear enough though. There might be other kind of client-side request forgery (for example, client-side cross-protocol confusion attacks, ALPACA). |
Offtopic:
Probably you can find also from here (ASVS repo) in issues discussions how much I don't like the XSS. The XSS even worse than CSRF. CSRF is "half ok", because the "request forgery" part still explains what it is. But XSS is also used in "Same-Origin HTML injection" situation, which means not a single word from cross-site scripting is actually true, and this is insane nonsense. Ontopic:
I think "this is the used term", not that much maybe "the accepted term" anymore. At the end, the term Cross-Site Request Forgery is incorrect and there is no reason to use it. The same with XSS - we have it mentioned only in one requirement in the context of impact. The "Cross-Site" is used also in "XSSI" name.
I would not limit it to cross-origin either. It can be also same-origin - for example, an attacker can use only HTML injection (classical outcome from sanitized HTML, you can still use |
@elarlang I see your point but can you make a concrete wording suggestion please. |
Agreed XSS is not a good term. All three of the words can be wrong.
Many folks use “web UI content injection”, “content injection” or similar as a more accurate term.
|
Addressing proposals from @elarlang :
Cross Site Request Forgery, Session Riding CSRF and XSRF are the common terms and acronyms. If we stray beyond these, can we please cite them along side the new term? Maybe session riding is more accurate than cross site request forgery or request forgery? But overall I do not think this is a big problem. Most of the industry recognizes these legacy terms. The generic term "request forgery" is too generic IMO, it can incorrectly refer to SSRF or Clickjacking.
I like the direction of this. But I think it's more than state changing functionality. I think it's any functionality that would cause damage if the request was forged, regardless of the verb or state changing effect.
I think this is a really good idea to add in. Thumbs up on this one. |
Previously I proposed to use client-side request forgery to be "paired" with SSRF, but one of them is making the request and another is accepting the request:
The "Client" is also vague, and in the situation of SSRF to happen, the vulnerable application itself is a client to make the request. So maybe browser-based request forgery is a more correct or self-explaining term to use. ProposalProposal is provided with different parts to have more precise feedback.
Part 1 - the definition:
Part 2 - the clarification the functionality to defend
Part 3 - safe HTTP methods for data changes (merge 13.6.2)
Part 4 - CORS spotlight (merge 13.2.5)
Part 5 - terminology note Too long to add into the requirement, probably part of the chapter text:
|
We also have a requirement for safe-methods:
The main goal is the same, it is a kind of pre-condition to have a defense against browser-based request forgery attacks and it does not have its own separate risk. The choice here is, to merge everything into one monster requirement, or to have some more specific separate requirements to address separate related and underlying problems, such as using safe methods for state changes or CORS-preflight downgrade to CORS-safelisted. |
So what is the rough wording suggestion please here @elarlang? |
Rough wording is concat(part1, part2, part3, part4, part-x) - written as separate parts to have more precise feedback and finetuning for different parts. Updated proposal in #2481 (comment) |
Regarding,
Maybe we need to focus on state changing or resource intensive functionality. Not sure I know what sensitive functionality means in this that isn't included by one of those other definitions.
Not convinced there is anything else. I would propose the following text: "Verify that requests to state-changing or resource intensive functionality are checked to ensure they originate from the application itself, to defend against browser-based request forgery attacks (commonly known as cross-site request forgery (CSRF)). Additionally, this functionality must not be invoked using safe HTTP methods such as HEAD, OPTIONS, or GET. This precaution will ensure that cross-origin requests to this functionality will trigger a preflight request." Comments on the proposal:
V50.4 Browser Origin SeparationWhen accepting a request on the server side, we need to be sure it is initiated by the application itself and not in some way spoofed by a malicious party. Key security mechanisms here include browser security policies like Same Origin Policy for JavaScript and also SameSite logic for cookies. The most common and well known attack vector is known as cross-site request forgery (CSRF), but note that the definition of site (effective Top Level Domain + 1) makes the term CSRF outdated and incorrect. The scope limitation to cross-site is not valid, as the attack may come from 'same-site but cross-origin' or from 'same-site and same-origin' scope. |
As we included CORS, it may be some other trusted party that uses the API
The proposal lost spotlight for the non-authenticated actions, such as authentication.
If you don't validate the previously/my proposed part 4, you can bypass this new/your proposed part 4. |
I think the following requirement covers parts 1, 2 and 4 above: "Verify that requests to state-changing, security sensitive, or resource intensive functionality includes a mechanism to prevent browser-based request forgery attacks, commonly known as cross-site request forgery (CSRF). Ideally the functionality should only accept content-types which would trigger a CORS preflight and enforce an allow list of 'Origin' headers. Alternatively, another CSRF prevention mechanism may be used." It covers the "write" case here where the "read" case is covered by 50.3.6. I think the following requirement covers part "Verify that requests to state-changing, security sensitive, or resource intensive functionality use appropriate HTTP methods including POST, PATCH, DELETE or PUT." Part 5 will be covered in chapter text but we have a note that we wanted to mention authentication as a specific "write" case there. |
The only thing that tweaks me here is that SOP in terms of CSRF protection only matters for API’s and similar, standard same-site websites do not benefit from SOP for CSRF protection.
The “alternative” defense suggested in the last sentence is not alternative, its fundamental for standard websites and this requirement lends me to believe that SOP and preflight is enough when it often is not for CSRF defense.
|
I would like to add my opinion that I think it is a good opportunity to move away from Cross-Site Request Forgery as a term. That said, our field would not be unique in clinging to incorrect terminology. "Heartburn" for example, has nothing to do with the heart...
I would consider XS Leaks and (See #2409), Spectre-like attacks (also #2409), and attacks like BREACH (#2203) to be relevant to the discussion. Here is a relevant comment from the closing of #2203:
I think therefore it is worth consider these classes of issues when constructing requirements to restrict processing of cross-site or cross-origin requests because there is functionality beyond resource intensive or state changing that could be impacted. Unfortunately, that also complicates the considerations. Thoughts? One more thing I would like to add to the discussion (sorry): Fetch Metadata is now widely supported and provides much more contextual information about the nature of requests (compared to just the Origin header). |
Let's focus for this issue only to handle the related requirements (50.4.1, 13.2.5, 13.6.2). If there are related requirements, let's have the wording first and then we can see, where those fits. I'm aware of On topic: As "the one monster csrf requirement" does not work out, I think we should move away from this direction and keep current separate requirements with finetuned focuses. I'll come back to this with a separate comment/proposal.. |
@elarlang to prepare an updated proposal |
Current text:
We also have:
Points to change:
Potential wording:
[MODIFIED, MOVED FROM 4.2.2, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality. This should use the development framework's built-in anti-CSRF functionality or CSRF tokens, along with additional defense-in-depth measures such as validating the origin header. Where cross-origin requests are used, this should always trigger a CORS preflight request first.
The text was updated successfully, but these errors were encountered: