Comments (10)
It's been a while since I last looked into this so excuse me if I'm slightly out of date :).
As far as I remember, CSRF attacks are when a user submits a request by clicking a link or even visiting a malicious site. Last I checked (but this could have been 2 years ago), being able to submit anything in the header was sufficient to determine that a request is not a CSRF attack, as setting a header requires running a script (and if a script can be run, then we are dealing with XSS, which is a more serious problem but not in scope here).
But of course new attack vectors might have surfaced, and double-submit cookies might no longer be sufficient. I don't have the capacity right now to investigate, so maybe you could share some recommendations on an implementation that would be more secure? And how an attack against the current one can be carried out?
Thanks!
from akka-http-session.
Hi Adam,
Thanks for getting back on this one. The issue was detected during a security test by an external company.
On the OWASP site there are some recommendations on how to mitigate this risk: https://owasp.org/www-community/attacks/csrf
What might be possible is to define a new CsrfCheckMode that ties the SessionManager and CsrfManager together, such that the CsrfManager can reuse the session cookie value to create a secure hash instead of the current SessionUtil.randomString(60).
I might be able to help out by working on a PR, but would first like to know if you think this would be a valuable addition to the library?
Thanks, Willem
Hi Willem,
Per OWASP recommendations, using a secure hash of the session cookie is discouraged. The suggested approach is to either encrypt, or to use an HMAC of, the token as a cookie. For sure it would be a valuable addition to the library, so a PR is welcome :) Looks like HMAC may be simpler to implement, but any of the solutions recommended by OWASP is fine.
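As an added illustration of the HMAC-based double-submit cookie that the previous comment points to (example code written for this page, not akka-http-session's implementation and not the code from any PR on this issue): the CSRF cookie is an HMAC over the session cookie value plus a per-token nonce, computed under a server-side key, so the server can verify a cookie/header pair without storing anything and a pair that merely repeats each other but was not minted for this session fails. The key, cookie names, session id and request shape are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Server-side secret used only for CSRF token generation. Constructed
# placeholder: a real deployment loads this from configuration, not source.
CSRF_KEY = b"constructed-example-key-not-for-production"


def make_csrf_token(session_id, key=CSRF_KEY, nonce=None):
    """Signed double-submit token: HMAC-SHA256 over the session cookie value
    and a per-token random nonce, with the nonce appended so the server can
    recompute the MAC later without keeping any state."""
    if nonce is None:
        nonce = secrets.token_hex(16)
    # Length-prefix both fields so a (session_id, nonce) pair cannot be
    # re-split into a different pair that produces the same MAC input.
    msg = f"{len(session_id)}!{session_id}!{len(nonce)}!{nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{mac}.{nonce}"


def naive_double_submit_ok(cookie_token, header_token):
    """Plain double-submit check: the header must repeat the cookie.
    Nothing ties the value to the session or to the server, and two
    equal values pass whatever they are."""
    return cookie_token == header_token


def signed_double_submit_ok(cookie_token, header_token, session_id, key=CSRF_KEY):
    """Hardened check: the header repeats the cookie AND the cookie carries a
    MAC the server can recompute from the current session cookie value."""
    # Missing or empty values never pass, regardless of how they compare.
    if not cookie_token or not header_token or not session_id:
        return False
    # Constant-time comparisons; compare bytes so non-ASCII input cannot
    # raise from compare_digest instead of being rejected.
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return False
    mac, sep, nonce = cookie_token.partition(".")
    if not sep or not mac or not nonce:
        return False
    expected = make_csrf_token(session_id, key, nonce)
    return hmac.compare_digest(expected.encode(), cookie_token.encode())


def check_request(request, key=CSRF_KEY):
    """Evaluate a minimal request representation (constructed shape):
    {'cookies': {...}, 'headers': {...}}. The cookie and header names are
    assumed for this example, not taken from akka-http-session."""
    return signed_double_submit_ok(
        request["cookies"].get("XSRF-TOKEN"),
        request["headers"].get("X-XSRF-TOKEN"),
        request["cookies"].get("_sessiondata"),
        key,
    )


if __name__ == "__main__":
    sid = "constructed-session-id"
    token = make_csrf_token(sid)
    good = {"cookies": {"_sessiondata": sid, "XSRF-TOKEN": token},
            "headers": {"X-XSRF-TOKEN": token}}
    # A forged pair that only satisfies the naive check.
    forged = {"cookies": {"_sessiondata": sid, "XSRF-TOKEN": "a.b"},
              "headers": {"X-XSRF-TOKEN": "a.b"}}
    print("legitimate request:", check_request(good))   # True
    print("self-consistent but unsigned pair:", check_request(forged))  # False
```

The token is issued once per session (or per login) and set as the CSRF cookie; the client echoes it in the header as before, so the wire protocol of the double-submit scheme is unchanged and only the server-side check gains the MAC verification. Rotating the session cookie invalidates every token minted for the old value automatically.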
Hi @adamw / @mszczygiel ,
I created a PR with a minimal implementation of the suggested CSRF improvement.
How do I move forward? I have no access rights to the repository to push a PR.
Thanks,
Willem
@willemvermeer great! You should fork the repository to your account, push the branch, and then you should be able to open a PR against the original one (this one :) ).
Hi @adamw, happy new year :-) This is a gentle nudge to take a look at the PR I submitted for this issue; comments are appreciated when you can find some time, thanks!
See: #79
@willemvermeer thanks, taking a look now. Sorry it took so long, but we've been mostly away for Christmas / New Year :)
Thanks @adamw; I addressed your comments in a follow-up commit. And no apologies required for taking a Xmas break :-)
@willemvermeer I suppose this can be closed now?