
CSURF deprecation (discussions, 5 comments, closed)

SorinGFS commented on April 29, 2024
CSURF deprecation

from discussions.

Comments (5)

dougwilson commented on April 29, 2024

Ultimately someone who fully understands CSRF should make and publish a CSRF module for the community to use. I am not such a person. It is deprecated because I do not have the time nor experience to correctly maintain the module and don't want anyone to use a module that may be unsafe.

The company Snyk has a write up at https://snyk.io/blog/explaining-the-csurf-vulnerability-csrf-attacks-on-all-versions/ if you want to learn more.


SorinGFS commented on April 29, 2024

@dougwilson

That article is full of lies and misleading statements and the guy who wrote it has zero experience in cyber security. There is nothing wrong with csurf library because it does exactly what it says it does. Double submit cookie pattern is the OWASP recommendation (which by the way this guy omits to highlight while the article is full of references to OWASP) and there is nothing wrong with this csrf protection method. Let's analyze what this guy says:

First, it doesn't use a secure hashing algorithm when creating the random CSRF token for the cookie value. Instead, it uses a deprecated algorithm called SHA1 that is no longer accepted as cryptographically strong due to modern compute capabilities.

Really? The life of a csrf token sent in a cookie with double submit pattern is measured in milliseconds, and is by far the most secure way to ensure that a request is coming from the same place that initiated it! By comparison, in 2FA the so called validation code is often a series of 4 to 8 digits and its lifetime is measured in minutes! The actual purpose of having a csrf token built with SHA1 is the generation speed, and the use of a more sophisticated algorithm is pure nonsense!

This guy who wrote that article really confuses xss with csrf attacks. Let's take a look at what a csrf attack is. In the example given here, if we have a csrf token cookie from csurf library with default settings in place the attack will never succeed because the cross site cannot send it! Also the guy fails to provide a single example of success for such an attack, he only takes some irrelevant pictures out of context and mixes them with some quotes from other sites to give some fake weight to his allegations. I repeat: there is no proof whatsoever about csurf library being vulnerable in some way!

What I do see these days are various attacks against csrf protection in favour of 2FA which means... control! Control of the population by sending validation codes via text messages and meanwhile ... localization! As far as I'm concerned I will continue using csurf library with no fear!

Did you know that csrf attacks were #3 on the OWASP top 10 security vulnerabilities a few years ago, and after the use of csurf or similar libraries today it is not even on the list?

Another thing I noticed on that article is the fact that comments are closed! Of course, there would be a lot of angry people! I think you also should keep this discussion open in order to take as many opinions as possible even if it doesn't change anything, just to see what people say! I think you acted way too quick to deprecate the library, and this action was an unspeakable success for the author of the article. And I think you should put a link to this discussion in the deprecation message of csurf library to direct people here to express their opinions.

To be honest, I was very panicked when I saw the deprecation message in the console! Probably the same will happen to many others and I think they at least deserve to know that there is no risk, the library is safe and can be used. And I think you should put the library back online, because at the end of the day no one can hold you responsible for anything.


dougwilson commented on April 29, 2024

Hi @SorinGFS thank you for that, and you are unfortunately preaching to the choir, if you will. I deprecated the module because Snyk blacklisted it and says it is unsafe. I spent a lot of time arguing, but got nowhere. I just don't have the time and energy to argue with security companies and I'm not a CSRF expert, at least according to these reporters, so my arguments hold no weight.

I would have linked there, but they didn't publish the article until after I deprecated and archived the repo. You cannot make changes to those after the fact, so it is what it is now.

You should direct your arguments to Snyk.

What you are experiencing with the Snyk article is the same thing I have had to go through at least once a month for the past 2 years with various researchers. They threaten CVEs, provide no PoC or the PoC makes no sense in the context of what CSRF protects, etc. I can't take it any longer, lol. It's demoralizing, and not what I signed up for by maintaining the module. It's so much that it takes too much time away from maintaining other modules that actually have issues and need fixing.


SorinGFS commented on April 29, 2024

@dougwilson
Same as you I'm a single guy working on several projects at the same time. I can't fight giants either, that's why I say to let the community help you. Among those who will participate in the discussion, there may be someone with greater potential.


SorinGFS commented on April 29, 2024

@dougwilson

sorry, I didn't see the previous discussion on this subject because this one was still open, and when you replied I connected from email. I read the discussion and I commented there with my opinion.

