Best IT Recipes

Where to store JWT in a browser? How to protect against CSRF?

I know cookie based authentication. The SSL and HttpOnly flags can be used to protect cookie authentication from MITM and XSS. However, additional special measures will be required to protect it from CSRF. They are a bit more complicated. ( link )

I recently discovered that JSON Web Token (JWT) is pretty hot as an authentication solution. I know information about encoding, decrypting and checking JWT. However, I do not understand why some websites / manuals do not need CSRF protection if using JWT. I have read quite a bit and will try to summarize the problems below. I just want someone to get a big picture of the JWT and clarify the concepts that I misunderstood about JWT.

  • If the JWT is stored in a cookie, I think it is the same as cookie authentication, except that the server does not need to have sessions to check the cookie / token. There is still a risk for CSRF if a special measure is not applied. Isn't the JWT stored in a cookie?

  • If the JWT is stored in localStorage / sessionStorage, then there are no cookies, so there is no need to protect against CRSF. The question is how to send the JWT to the server. I found here suggesting using jQuery to send JWT over the HTTP header of ajax requests. So only ajax authentications can do authentication?

  • In addition, I found that another blog shows the use of the “authorization header” and “carrier” to send the JWT. I do not understand the method the blog is talking about. Can anyone explain more about the "authorization header" and the "carrier"? Does this mean that the JWT is passed the HTTP header of ALL requests? If so, what about CSRF?

+71
security authentication cookies csrf jwt
Nov 21 '14 at 17:44
source share
2 answers

JWT tones are popular because they are used as the default token format in new authorization and authentication protocols such as OAuth 2.0 and OpenID Connect .

When a token is stored in a cookie, the browser automatically sends it along with each request to the same domain, and this is still vulnerable to CSRF attacks.

Bearer authentication is one of the authentication schemes defined in HTTP. This basically means that YOU insert a token (JWT) in the HTTP request authorization header. The NOT browser will do this automatically, so it is not suitable for protecting your website. Since the browser does not automatically add a header to your request, it is not vulnerable to a CSRF attack, which depends on your authentication information sent automatically to the source domain.

The carrier scheme is often used to protect web APIs (REST services) that are consumed through AJAX calls or from mobile clients.

+34
Nov 23 '14 at 0:24
source share

We need to save the JWT on the client computer. If we store it in LocalStorage / SessionStorage, it can be easily captured using an XSS attack. If we store it in cookies, then the hacker can use it (without reading it) in a CSRF attack and impersonate a user and turn to our API and send requests for actions or receive information on behalf of the user.

But there are several ways to protect JWTs in cookies so that they are not easily stolen (but there are still some advanced methods to steal them). But if you want to rely on LocalStorage / SessionStorage, then it can be accessed with a simple XSS attack.

So, to solve the CSRF problem, I use Double Submit Cookies in my application.

Double cookie method

  • Store the JWT in the HttpOnly cookie and use it in secure mode to transmit over HTTPS.

  • Most CSRF attacks have different origin or referrer headers with the source host in their requests. So check if you have any of them in the header, they come from your domain or not! If you do not reject them. If the request does not have a source and a source of links, then do not worry. You can rely on the result of checking the X-XSRF-TOKEN header, which I will explain in the next step.

  • While the browser will automatically provide your cookies for the request domain, there is one useful limitation: the JavaScript code that runs on the website cannot read the cookies of other websites. We can use this to create our CSRF solution. To prevent CSRF attacks, we need to create an additional Javascript readable cookie called: XSRF-TOKEN. This cookie must be created when the user logs in and must contain an arbitrary string with invalid values. We also store this number in the JWT itself as a special requirement. Every time a JavaScript application wants to make a request, it will need to read this token and send it to the custom HTTP header. Since these operations (reading the cookie, setting the header) can only be performed in the same domain of the JavaScript application, we can know that this is performed by the real user who uses our JavaScript application.

Angular JS makes your life easier

Fortunately, I use Angular JS in our platform, and Angular is an approach to CSRF tokens, which simplifies the implementation. For every request that our Angular application makes on the server, the Angular $http will do this automatically:

  • Locate the cookie named XSRF-TOKEN in the current domain.
  • If this cookie is found, it reads the value and adds it to the request as the X-XSRF-TOKEN header.

Thus, client-side implementation is performed automatically, automatically! We just need to set a cookie called XSRF-TOKEN in the current domain on the server side, and when our API receives any call from the client, it should check the X-XSRF-TOKEN and compare it with XSRF-TOKEN in JWT. If they match, then the user is real. Otherwise, this is a forged request, and you can ignore it. This method is inspired by the Double Submit Cookie method.

Attention!

In reality, you are still XSS prone, it is just that an attacker cannot steal your JWT token for later use, but it can still make requests on behalf of your users using XSS.

Whether you store the JWT in localStorage or you store your XSRF token in a non-HttpOnly cookie, both can be easily captured by XSS. Even your JWT in an HttpOnly cookie can be captured by an extended XSS attack, such as the XST method .

Therefore, in addition to the Double Submit Cookies method, you should always follow the XSS guidelines, including escaping content. This means removing any executable code that causes the browser to do what you do not want. This usually means removing the // <![CDATA[ tags and HTML attributes that cause JavaScript to be evaluated.

More details here:

+55
May 23 '16 at 16:56
source share


More articles:


All Articles