Comments (5)
Ultimately someone who fully understands CSRF should make and publish a CSRF module for the community to use. I am not such a person. It is deprecated because I do not have the time nor experience to correctly maintain the module and don't want anyone to use a module that may be unsafe.
The company Snyk has a write up at https://snyk.io/blog/explaining-the-csurf-vulnerability-csrf-attacks-on-all-versions/ if you want to learn more.
That article is full of lies and misleading claims, and the guy who wrote it has zero experience in cyber security. There is nothing wrong with the csurf library because it does exactly what it says it does. The double submit cookie pattern is the OWASP recommendation (which by the way this guy omits to highlight while the article is full of references to OWASP) and there is nothing wrong with this csrf protection method. Let's analyze what this guy says:
First, it doesn't use a secure hashing algorithm when creating the random CSRF token for the cookie value. Instead, it uses a deprecated algorithm called SHA1 that is no longer accepted as cryptographically strong due to modern compute capabilities.
Really? The life of a csrf token sent in a cookie with the double submit pattern is measured in milliseconds, and is by far the most secure way to ensure that a request is coming from the same place that initiated it! By comparison, in 2FA the so called validation code is often a series of 4 to 8 digits and its lifetime is measured in minutes! The actual purpose of having a csrf token built with SHA1 is the generation speed, and the use of a more sophisticated algorithm is pure nonsense!
This guy who wrote that article really confuses xss with csrf attacks. Let's take a look at what a csrf attack is. In the example given here, if we have a csrf token cookie from the csurf library with default settings in place the attack will never succeed because the cross site cannot send it! Also the guy fails to provide a single example of success for such an attack, he only takes some irrelevant pictures out of context and mixes them with some quotes from other sites to give some fake weight to his allegations. I repeat: there is no proof whatsoever about the csurf library being vulnerable in some way!
What I do see these days are various attacks against csrf protection in favour of 2FA, which means... control! Control of the population by sending validation codes via text messages and meanwhile... localization! As far as I'm concerned I will continue using the csurf library with no fear!
Did you know that csrf attacks were #3 on the OWASP top 10 security vulnerabilities a few years ago, and after the use of csurf or similar libraries today it is not even on the list?
Another thing I noticed on that article is the fact that comments are closed! Of course, there would be a lot of angry people! I think you also should keep this discussion open in order to take as many opinions as possible even if it doesn't change anything, just to see what people say! I think you acted way too quick to deprecate the library, and this action was an unspeakable success for the author of the article. And I think you should put a link to this discussion in the deprecation message of the csurf library to direct people here to express their opinions.
To be honest, I was very panicked when I saw the deprecation message in the console! Probably many others will be the same and I think they at least deserve to know that there is no risk, the library is safe and can be used. And I think you should put the library back online, because at the end of the day no one can hold you responsible for anything.
Hi @SorinGFS thank you for that, and you are unfortunately preaching to the choir, if you will. I deprecated the module because Snyk blacklisted it and says it is unsafe. I spent a lot of time arguing, but got nowhere. I just don't have the time and energy to argue with security companies and I'm not a CSRF expert, at least according to these reporters, so my arguments hold no weight.
I would have linked there, but they didn't publish the article until after I deprecated and archived the repo. You cannot make changes to those after the fact, so it is what it is now.
You should direct your arguments to Snyk.
What you are experiencing with the Snyk article is the same thing I have had to go through at least once a month for the past 2 years with various researchers. They threaten CVEs, provide no PoC or the PoC makes no sense in the context of what CSRF protects, etc. I can't take it any longer, lol. It's demoralizing, and not what I signed up for by maintaining the module. It's so much it takes too much time away from maintaining other modules that actually have issues and need fixing.
@dougwilson Same as you, I'm a single guy working on several projects at the same time. I can't fight giants either, that's why I say to let the community help you. Among those who will participate in the discussion, there may be someone with greater potential.
Sorry, I didn't see the previous discussion on this subject because this one was still open, and when you replied I connected from email. I read the discussion and I commented my opinion there.