All geek questions in one place

Is it possible to use a (cryptographically strong) session cookie as a CSRF token?

Reading the OWASP CSRF preventative cheat sheet , one of the methods proposed to prevent such attacks is the synchronizer marker template.

If a session token is cryptographically strong, can it double as a csrf token, as described in the following pseudo code?

Client:

<script> dom.replace(placeholder, getCookie("session-cookie")) </script> <form> <input type="hidden" name="csrf-cookie" value="placeholder-value"/> <input type="text" /> </form>

Server:

 if(request.getParameter("csrf-cookie") != user.getSessionCookie()) print "get out you evil hacker"

A cookie is set by loading the page in javascript to prevent accidental leakage of session cookies if they are, for example. send a copy of the page to a friend.

+6
source share
2 answers

Everything that cannot be obtained by an external site can be used as a CSRF token. Therefore, the contents of the session cookie are suitable for this.

+5
source

No , you should not reuse the session token as a CSRF token. The OWASP CSRF cheat provides reasons why it is not advisable to use a session identifier as a CSRF token:

Although this approach is effective in mitigating the risk of falsifying a request for a cross-site site, including authenticated identifiers in HTTP settings, it can increase the overall risk of session hijacking. Architects and developers should ensure that neither network devices, nor code or modules of the user application explicitly register or otherwise disclose the HTTP POST parameters.

and

The inclusion of a session identifier in HTML can also be used with cross-site scripting attacks to bypass HTTPOnly security. Most modern browsers prevent client-side script access to HTTPOnly cookies. However, this protection is lost if HTTPOnly session identifiers are placed in HTML, as the client side of the script can easily move around and retrieve the identifier from the DOM. Developers are still encouraged to implement the synchronizer token template, as described in this article.

Here are some more thoughts on why it might not be a good idea to use a session identifier as a CSRF token. This article mentions sniffing packets on simple http connections and the ability to attack people in the middle as potential risks.

Therefore, it is important that the CSRF token be different, otherwise the CSRF token would be trivially guessed if we assume that the attacker already knows the session identifier! Put it more defensively: it might be nice to play with fire: there is no need to reuse the session identifier as a CSRF token, thereby you open only another attack surface that could potentially be used. No reuse, do not worry about it.

As a result, despite the fact that the session token is cryptographically secure, it must also be independent (also in the probabilistic sense) of the CSRF token, so that all this works in accordance with the above assumptions. That is why any of the implementation examples always creates its token from scratch.

You can use a cryptographically secure random number generator to create a sequence of bytes, hex or Base64-encode to get the string that should be embedded in the page. OWASP recommends a length of 128 bits, where they accept 64 bits of entropy (for example, 8 random bytes converted to a hexadecimal hexadecimal string). The length of this sequence determines the level of security: guessing a 10-byte safe random number (which has 80 bits of entropy) is successful with a probability of 2 ^ (- 80), which should be enough in most applications. So your last token should have a length of 20 bytes, a 10-byte random number converted to hexadecimal encoding.

+6
source

Source: https://habr.com/ru/post/916248/

More articles:


All Articles