CSRF Mitigation With Cookie Same-Site

wanted to get some advise in our OAuth process of getting token from 3rd party. Any comment would be appreciated!

  1. User click a short link and rediredirected to original link https://webssite.com/oauth2/authorize?client_id=CLIENTID&scope=SCOPE&callback=CALLBACK_URL
  2. User facing 3rd party login form
  3. After user login successfully, 3rd party redirecting user to our server following the URL we set in the URL
  4. Our server receives the request and set encrypted cookie with Same-Site value Strict and redirect to our authorized page

Is the cookie with same-site value strict is enough to prevent CSRF in this case? (edited)

Do best practices eliminate the need for a CSRF token when writing an API server?

I realize that OWASP recommends CSRF tokens but I rarely see them used with public standalone HTTP APIs. This would seem to indicate that they’re not always necessary.

To make this a little more concrete, I would envision the following scenario:

  • The API server serves a limited number of frontends with an explicit CORS whitelist.

  • HTTP method semantics are followed religiously (no writes in GET).

  • All routes require authentication.

  • All POST routes require a request body[1].

  • All routes that take a request body require a JSON content-type header.

  • Cookies are httpOnly but not sameSite.

Based on my understanding of SOP setting a JSON content-type header on requests should trigger a preflight request which would fail for untrusted origins. If all POST routes require a JSON content-type header, that should then mean they’ll always fail the preflight, leaving only GET requests.

So this would not mitigate CSRF attacks against GET routes but as these can’t be used for exfiltration (as SOP prevents the response from being read) and the GET routes should not cause any data modification, guarding these requests with CSRF tokens would not appear to make a practical difference.

Given how viciously some people defend CSRF tokens, I can’t shake the feeling I’m overlooking an obvious problem here. I realize redundant protections may be valuable in their own right, but what I’m trying to understand is whether in the scenario described the CSRF token would really be redundant or not.


[1]: I realise this might be a practical limitation of this approach as in some real-world APIs there are legitimate POST routes that don’t take a request body or there may be routes that need to take a content-type like form-data that won’t trigger a preflight.

XSS chained with CSRF = Stored XSS?

I have recently heard that XSS + CSRF = stored XSS. I didn’t think too much about it at the time, but now it’s bugging me, because it doesn’t make too much sense.

I would say that it can stand true, if the XSS was “self-stored XSS” for which CSRF is used to get rid of the “self” part.

Other than that, I don’t see any other potential way for the aforementioned equation to be true. Is there another case that I miss?

Custom header to avoid CSRF attacks? header without token

I found that a website protects itself of CSRF attacks by validating the POST request contains a specific header:

-Example-header: GF 

What i find strange is that this header doesn’t have a csrf token in it, it is just a custom header with a 2 letters value that validates the POST request.

When i try to add it in the HXR request it executes as OPTIONS instead of POST and the attack fails. is there any way to bypass this? i find this kind of stupid because why other websites implementing a personal large token in the custom header, if by adding a simple header with a short value the requests preflights???

The html and javascript was made with burp suite professional and it worked, but then adding the special header preflights the request.

Clarification of relationship between CORS and CSRF


To summarize:

  • CSRF is an attack where a page in a different window/tab of the browser sends nonconsensual request to an authenticated web app, that can typically be prevented from server-side by checking the Referer, Origin header of the request or including anti-CSRF token in request header or body.

  • CORS is variously defined in different sources, that might roughly be summarized as: a mechanism that host-of-origin-B indicates to the browser how or whether a host-of-origin-A content should access its resources.

Cross-origin-related attacks and party responsible for defence

  1. Nonconsensual “state-changing” requests: The server.

Be it a treacherous form submission, XHR/fetch request from a “second-origin” page, the server need to recognize and reject them.

  1. Cross-origin data (credential, privacy) leaking: The browser.

Be it a media tag (img, video, audio), XHR/fetch request, the browser must isolate those data from the access of “second-origin” pages.

  1. Q1: anythine else?

Purpose of CORS in cross-origin settings

To let browsers make informed decisions on how:

  1. To make concensual “state-changing” possible cross-origin.

Q2: Is there an real-world example of concensual cross-origin “state-changing” user action?

  1. To allow “creative” ways of collecting and using of digital assets hosted at “second-origin” host(s) by the script.

Misc.

Q3: CORS doesn’t help browser protect users from malicious digital asset hosts determined to steal data from users? But honest origin servers can prevent them from submitting CSRF requests?

Perform CSRF attack when CSRF token is sent in Custom Request header

I have found that the web application uses a weak algorithm to generate CSRF token.The CSRF token is sent in request header

X-CSRF-TOKEN: “token-string”

Since the request header is being used, how to do a CSRF attack to perform a sensitive action in real time?

Custom headers can be sent using JS but it’s blocked due to CORS. I have seen few threads which mention about ActionScript in Flash which can be used to send custom headers. Does that still work? (Considering chrome has stopped using Flash). Is there anyway I can perform the attack?

Preventing CSRF with SameSite=”strict” without degrading user experience?

ASP.NET will soon begin reflecting Google’s decision to default cookies to SameSite="strict" in a defense against CSRF attacks:

Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core

This means that if I own foo.com, any logged-in users who are directed to foo.com from off-site will consume the content as if they are not logged in, as the browser will refuse to send the forms authentication headers with the request by default.

This is a poor user experience, and I’m tempted to simply specify SameSite="Lax" to ensure that users are not surprised by this behavior.

Is there any way to have my cake and eat it too, in this scenario?

CSRF protection for API-driven web application

I am currently building a web application (and eventually, a hybrid mobile app too) that will be driven via a RESTful API that I have built. User authentication on the API is handled via JSON web tokens (which are passed in the Bearer header via HTTPS).

However, since authorization != authentication, I was thinking about how to effectively mitigate CSRF attacks on the application. The JWT that is returned by the /auth/login endpoint of the API will be stored in a cookie on the app’s domain, and used for subsequent AJAX requests to the API.

Since we’re using a cookie to store the authentication token, I believe this is open to CSRF, even though all requests to the API from within the app will be made via AJAX (no direct POSTing from forms, etc.)

One solution I have come up with is to generate a CSRF token with each request that is made to the API, and have it returned with the payload. This CSRF would then be stored within the application (Javascript variable) and sent with the next request, where it would be checked and authorized on the API. My question is: Is this sufficient to prevent CSRF attacks across the web and hybrid mobile app? Or is it unnecessary?

My question is similar in part to this one, but has a specific difference.