Alright, folks! Settle down, settle down! Welcome to my little talk on a topic that’s near and dear to my heart (and probably causing you headaches): CSRF in the age of SameSite and the dark arts of token bypass.
Let’s dive right in.
The Lay of the Land: CSRF, SameSite, and Tokens – A Primer
Before we get to the juicy bits (the bypasses!), let’s quickly recap what we’re dealing with.
-
CSRF (Cross-Site Request Forgery): Imagine someone tricking you into ordering a pizza… a REALLY expensive pizza… without your knowledge. That’s CSRF. An attacker gets you to perform an action on a website where you’re authenticated, without your awareness. This usually involves crafting a malicious request (e.g., in an
<img>tag or hidden form) that your browser dutifully sends along with your cookies. -
SameSite Cookies: This is the browser’s attempt to be a good Samaritan. The
SameSiteattribute on a cookie tells the browser when it should and shouldn’t send that cookie along with cross-site requests.SameSite=Strict: The cookie is only sent with requests originating from the same site. Forget about cross-site requests. Like a bodyguard, it’s not letting anyone through.SameSite=Lax: The cookie is sent with same-site requests and with top-level navigation (GET) requests from other sites. Think of it as a slightly more lenient bodyguard, letting in people who knock politely.SameSite=None: The cookie is sent with all requests, regardless of origin. This requiresSecureto also be set (meaning the cookie must be sent over HTTPS). This bodyguard is basically on vacation.
-
CSRF Tokens: These are unique, unpredictable tokens generated by the server and included in forms or requests. The server verifies that the token in the request matches the token it issued for the user’s session. If they don’t match, the request is rejected. This is intended to prevent attackers from crafting requests because they can’t guess the token. Think of it as a secret handshake.
The Illusion of Security: Why SameSite Isn’t Always Enough
While SameSite is a fantastic defense against CSRF, especially Strict, it’s not a silver bullet. Here’s why we can’t just declare victory and go home:
-
Browser Compatibility: Older browsers might not support
SameSite. While this is becoming less of an issue, it’s still something to consider, especially if you have users on legacy systems. -
SameSite=Laxand the GET Caveat:SameSite=Laxis vulnerable to CSRF attacks that use GET requests for state-changing operations. If your application uses GET requests to, say, transfer money (please don’t!), an attacker can craft a malicious link that triggers the action. -
Subdomain Issues: If your application uses subdomains and doesn’t properly configure cookie domains,
SameSitemight not protect you. -
Misconfiguration: A simple typo or incorrect configuration can render
SameSiteineffective.
Finding the Cracks: Exploiting SameSite Vulnerabilities
Okay, so SameSite isn’t perfect. Let’s look at some specific scenarios where we can find vulnerabilities:
-
GET-Based State Changes with
SameSite=Lax:This is the most straightforward. If you have actions that change the application’s state (e.g., deleting an account, changing settings) and they’re performed using GET requests,
SameSite=Laxwon’t save you.Example:
Let’s say your profile deletion endpoint is:
https://example.com/profile/delete?confirm=trueAn attacker can create a simple link:
<a href="https://example.com/profile/delete?confirm=true">Click here for a free iPhone!</a>If a logged-in user clicks this link, their profile will be deleted.
SameSite=Laxallows this because it’s a top-level navigation (GET) request.Remediation: Never use GET requests for state-changing operations. Always use POST, PUT, or DELETE with proper CSRF protection.
-
Subdomain Shenanigans:
Cookies are, by default, scoped to the domain they’re set on. If you have subdomains (e.g.,
app.example.comandapi.example.com), cookies set onapp.example.comwon’t automatically be available onapi.example.com.If you want cookies to be shared across subdomains, you need to explicitly set the
Domainattribute on the cookie. For example:Set-Cookie: sessionid=12345; Domain=.example.com; Path=/; SameSite=Lax; Secure; HttpOnlyVulnerability: If the
Domainattribute is not set correctly, or if it’s set too broadly (e.g., to just.cominstead of.example.com), it can lead to vulnerabilities. An attacker might be able to set a cookie on a less secure subdomain that’s then used on a more secure subdomain.Example:
app.example.comis the main application, and it sets asessionidcookie withDomain=.example.com; SameSite=Strict.attacker.example.comis a subdomain controlled by the attacker.
If the attacker can somehow manipulate cookies on
attacker.example.com(maybe through a vulnerability there), they might be able to set a cookie with the same name (sessionid) and a higher path (e.g.,/). When the user visitsapp.example.com, the browser might prioritize the attacker’s cookie (depending on browser behavior and cookie attributes), potentially allowing the attacker to hijack the session.Remediation: Carefully configure the
Domainattribute on your cookies. Use the most specific domain possible (e.g.,.example.cominstead of.com). UseSameSite=Strictwhenever possible. -
The
NoneConundrum:SameSite=Nonerequires theSecureattribute, meaning the cookie must be sent over HTTPS. If you’re not using HTTPS everywhere, you’re asking for trouble.Vulnerability: If you accidentally set
SameSite=NonewithoutSecure, the cookie might be sent over HTTP, making it vulnerable to interception.Remediation: Always use HTTPS and set the
Secureattribute when usingSameSite=None. Seriously, there’s no excuse for not using HTTPS in 2023 (and beyond).
Beyond the Basics: Advanced CSRF Token Bypasses
Now, let’s get to the fun part: bypassing CSRF tokens. Keep in mind that these bypasses are highly dependent on the specific implementation of the application.
-
Token Leakage:
The most common bypass is finding a way to leak the CSRF token. This can happen in various ways:
- Referer Header: Some applications incorrectly trust the
Refererheader to validate the origin of the request. The attacker can sometimes manipulate theRefererheader (though this is becoming increasingly difficult due to browser policies) or exploit vulnerabilities in how the server processes it. - Token in the URL: This is a terrible practice, but I’ve seen it. If the CSRF token is included in the URL, it’s easily leaked through browser history, server logs, and potentially through third-party scripts.
- Token in the DOM: If the CSRF token is present in the DOM (e.g., in a meta tag or as a data attribute), an attacker can use JavaScript to extract it.
- Predictable Tokens: If the CSRF token is predictable (e.g., based on the user’s ID or timestamp), an attacker can guess it.
- Reusing Tokens: If the server doesn’t invalidate CSRF tokens after they’re used, an attacker can reuse a token obtained from a previous request.
Example (Token in the DOM):
<meta name="csrf-token" content="[CSRF_TOKEN]">An attacker can use JavaScript to read this token:
const csrfToken = document.querySelector('meta[name="csrf-token"]').getAttribute('content');Then, they can include this token in their malicious request.
Remediation:
- Never trust the
Refererheader. - Never include CSRF tokens in the URL.
- Store CSRF tokens securely on the server-side.
- Generate unpredictable CSRF tokens using a strong random number generator.
- Invalidate CSRF tokens after they’re used.
- Referer Header: Some applications incorrectly trust the
-
Token Bypass due to flawed validation
- Missing Token Validation on Some Endpoints: An application might protect most of its endpoints with CSRF tokens but forget to protect a critical one. This is a classic oversight.
- Incorrect Token Validation: The server might be validating the token incorrectly. For example, it might be comparing the token to a hardcoded value or using a weak comparison algorithm.
- Case Sensitivity Issues: If the server’s token validation is case-sensitive but the token is displayed in a way that allows for case manipulation, an attacker might be able to bypass the validation.
- Whitespace Issues: Similar to case sensitivity, if the server doesn’t properly trim whitespace from the token, an attacker might be able to add extra spaces to bypass the validation.
Example (Missing validation):
Imagine an application has a "change password" endpoint that requires a CSRF token. However, the "change email" endpoint does not check for a token. An attacker can perform a CSRF attack on the "change email" endpoint and potentially gain access to the account.
Remediation:
- Ensure that all state-changing endpoints are protected with CSRF tokens.
- Use a strong comparison algorithm for validating CSRF tokens.
- Normalize the token before validation (e.g., convert to lowercase, trim whitespace).
- Implement comprehensive security testing to identify missing or flawed CSRF protection.
-
Token Synchronization Issues:
In some applications, the CSRF token is stored in both a cookie and a hidden form field. The server validates that the token in the cookie matches the token in the form field.
Vulnerability: If the server doesn’t properly synchronize the tokens, an attacker might be able to exploit a race condition. For example, if the server updates the token in the cookie but not in the form field, the attacker might be able to submit a request with the old token.
Example:
- The user loads a form with a CSRF token (Token A) in a hidden field and a corresponding cookie.
- Before the user submits the form, the application automatically refreshes the CSRF token (e.g., after a certain period of inactivity). The cookie is updated with a new token (Token B), but the form field still contains Token A.
- If the attacker can quickly submit the form with Token A before the server detects the token mismatch, they might be able to bypass the CSRF protection.
Remediation:
- Ensure that the CSRF token is updated atomically in both the cookie and the form field.
- Consider using a single source of truth for the CSRF token (e.g., only in the cookie or only on the server-side).
- Implement mechanisms to detect and prevent race conditions.
-
Token Bypass via Logic flaws
- Referer-Based Validation with Wildcards: Some applications use the
Refererheader for CSRF protection but allow wildcards in the allowed origins. For example, they might allow*.example.com. An attacker can register a subdomain likeattacker.example.comand bypass theReferercheck. - Token Length Mismatch: If the server doesn’t enforce a strict length requirement for the CSRF token, an attacker might be able to submit a request with a token that’s too short or too long.
- Token Encoding Issues: If the server doesn’t properly encode the CSRF token, an attacker might be able to inject malicious characters (e.g., HTML tags, JavaScript code) into the token.
Example (Referer with wildcard):
if (req.headers.referer.startsWith('*.example.com')) { // Allow the request }The attacker registers attacker.example.com, and has complete control over the referer header, allowing them to create valid requests.
Remediation:
- Avoid using the
Refererheader for CSRF protection. - Enforce a strict length requirement for CSRF tokens.
- Properly encode CSRF tokens to prevent injection attacks.
- Referer-Based Validation with Wildcards: Some applications use the
-
Double Submit Cookie Defense Bypass (with flaws):
The Double Submit Cookie defense involves setting a cookie with a random value and including the same value as a hidden field in forms. The server verifies that the cookie value and the form field value match.
Vulnerability:
- Missing Cookie Setting: If the application forgets to set the cookie, the defense is completely broken.
- Cookie Overwriting: If an attacker can overwrite the cookie with a known value (e.g., through a separate vulnerability), they can then craft a malicious request with the same value in the form field.
- Path Issues: If the cookie is set with a specific path, and the attacker can access a different path without the cookie, they can bypass the defense.
- Insecure Cookie Attributes: If the cookie doesn’t have the
HttpOnlyattribute, an attacker can use JavaScript to read and modify the cookie value.
Example
Let’s say an application implements the double submit cookie defense. However, due to a misconfiguration, the cookie is not set with the
HttpOnlyflag. An attacker can use JavaScript to read the value of the CSRF token from the cookie and include it in a malicious request.function getCookie(name) { const value = `; ${document.cookie}`; const parts = value.split(`; ${name}=`); if (parts.length === 2) return parts.pop().split(';').shift(); } const csrfToken = getCookie('csrf_token'); // Now the attacker can use csrfToken in their malicious requestRemediation:
- Always set the cookie with a random, unpredictable value.
- Ensure that the cookie is set correctly on all pages where the defense is used.
- Use the
HttpOnlyattribute to prevent JavaScript from accessing the cookie. - Set the cookie with the
Secureattribute (if using HTTPS). - Validate that the cookie and form field values match exactly.
Mitigation Checklist: A Quick Recap
To make sure you’re not the next victim, here’s a quick checklist:
| Security Measure | Description | Importance |
|---|---|---|
Use SameSite=Strict |
Sets the cookie to only be sent with same-site requests. The strongest protection. | High |
| Use POST, PUT, DELETE | Avoid GET requests for state-changing operations. | High |
| CSRF Tokens | Generate unique, unpredictable tokens and validate them on the server-side. | High |
| Token Storage | Store tokens securely on the server-side. | High |
| Token Invalidation | Invalidate tokens after use. | High |
| HTTPS Everywhere | Use HTTPS for all communication. | High |
| Proper Cookie Configuration | Carefully configure the Domain, Path, Secure, and HttpOnly attributes on your cookies. |
High |
| Input Validation | Validate all user input to prevent injection attacks. | Medium |
| Regular Security Audits | Conduct regular security audits and penetration testing to identify vulnerabilities. | High |
| Security Headers | Use security headers like Content-Security-Policy and X-Frame-Options to further protect your application. |
Medium |
| Keep Up-to-Date | Stay informed about the latest security threats and best practices. | High |
The Takeaway
CSRF protection is a layered approach. SameSite is a great starting point, but it’s not a replacement for CSRF tokens. And even with tokens, you need to be careful about how you implement and validate them.
Think like an attacker. Try to find weaknesses in your own code. Automate your security testing. And never, ever, trust user input.
That’s all, folks! Go forth and build secure applications!