CSRF protection with CORS Origin header vs CSRF token

This question is about protection against attacks such as Cross Site Request Forgery.

This is specifically about: Is protection through the Origin header (CORS) as good as protection through the CSRF token?

Example:

So:

  • If we do not check the Origin header (server side) and not CSRF tokens, we have a CSRF security hole.
  • If we check the CSRF token, we will be safe (but this is a bit tedious).
  • If we check the Origin header, the request from the code on evil.com should be blocked as well, just as with the CSRF token - unless it is somehow possible for the evil.com code to set the Origin header.

I know that this is not possible with XHR (see, for example, "Cross-Origin Resource Sharing security"), at least not if we trust the W3C specification to be correctly implemented in all modern browsers (can we?)

But what about other types of requests - for example, a form submission? Loading script / img / ... tags? Or any other way a page can (legitimately) use to create a request? Or maybe some well-known JS hacks?

Note: I am not talking about

  • native apps
  • managed browsers
  • cross-site scripting bugs on example.com,
  • ...
+63
javascript security cors csrf
Jul 10 '14 at 15:17
2 answers

I know that this should not be possible with XHR (see, for example, "Cross-Origin Resource Sharing security"), at least not if we trust the W3C specification to be correctly implemented in all modern browsers (can we?)

At the end of the day, you need to "trust" the client browser to securely store user data and protect the client side of the session. If you do not trust the client's browser, you should stop using the website at all for anything other than static content. Even with CSRF tokens, you trust the client's browser to correctly obey the same-origin policy.

Despite previous browser vulnerabilities, such as those found in IE 5.5/6.0, where attackers could circumvent the same-origin policy and execute attacks, you can usually expect them to be fixed as soon as they are detected, and with most browsers automatically updated, this risk will be largely mitigated.

But what about other types of requests - for example, a form submission? Loading script / img / ... tags? Or any other way a page can (legitimately) use to create a request? Or maybe some well-known JS hacks?

The Origin header is usually sent only for cross-domain XHR requests. Image requests do not include the header.

Note: I am not talking about

  • native applications
  • managed browsers
  • cross-site scripting bugs on example.com,

I'm not sure whether this falls under manipulated browsers or not, but older versions of Flash allow you to set arbitrary headers, which lets an attacker send a request with a spoofed Referer from the victim's machine to carry out the attack.

+27
Jul 11 '14 at 7:40

Web content cannot interfere with the Origin header. In addition, under the same-origin policy, one origin cannot even send custom headers to another origin. [1]

Thus, checking the Origin header is as good at blocking attacks as using the CSRF token.

The main problem with this is whether it allows all legitimate requests through. The asker raised this and framed the question to exclude the main cases (no old browsers, HTTPS only).

Browser vendors follow these rules, but what about plugins? They might not, but the question excludes "manipulated browsers". What about browser bugs that let an attacker spoof the Origin header? There may also be bugs that leak the CSRF token to another origin, so it would take more work to claim that one is better than the other.

+21
Jul 11
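The server-side check the two answers are weighing, as an added example (not code from the question or either answer): a request is accepted only when its Origin, or failing that its Referer, resolves to an allowed origin, and it fails closed when neither header is present, which is the case the first answer raises for image requests and older browsers. The allowed-origin set, the header object shape and the function names are assumptions.

```javascript
// Added example: server-side Origin/Referer check for state-changing requests.
// Hypothetical names; the allowed origin below is assumed, not from the page.
const ALLOWED_ORIGINS = new Set(["https://example.com"]);

// Reduce a Referer URL to its origin (scheme://host[:port]); null if unparsable.
function originOfReferer(referer) {
  try {
    return new URL(referer).origin;
  } catch {
    return null;
  }
}

// headers: plain object with lower-case keys, e.g. { origin: "https://evil.com" }
// Returns { allowed: boolean, reason: string } for logging/detection.
function checkRequestOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers["origin"];
  if (origin !== undefined) {
    // Browsers send the literal "null" for opaque origins (e.g. sandboxed
    // frames); it is not one of ours, so treat it as untrusted.
    if (origin === "null") return { allowed: false, reason: "opaque origin" };
    return allowed.has(origin)
      ? { allowed: true, reason: "origin allowed" }
      : { allowed: false, reason: "origin not allowed" };
  }
  // Not every request carries Origin (image requests do not, and older
  // browsers omit it on form posts). Fall back to the Referer's origin.
  const referer = headers["referer"];
  const refOrigin = referer !== undefined ? originOfReferer(referer) : null;
  if (refOrigin !== null) {
    return allowed.has(refOrigin)
      ? { allowed: true, reason: "referer origin allowed" }
      : { allowed: false, reason: "referer origin not allowed" };
  }
  // Neither header present: fail closed. Letting such requests through would
  // reopen exactly the CSRF hole the check is meant to close.
  return { allowed: false, reason: "no origin information" };
}
```

Rejected requests are worth logging with the returned reason; a spike in "no origin information" after deployment usually means a legitimate client or proxy that strips these headers, not an attack.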
