Re: [OAUTH-WG] Web apps BCP feedback
Philippe De Ryck <philippe@pragmaticwebsecurity.com> Sun, 26 September 2021 06:30 UTC
Return-Path: <philippe@pragmaticwebsecurity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3DFC3A102B for <oauth@ietfa.amsl.com>; Sat, 25 Sep 2021 23:30:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pragmaticwebsecurity.com header.b=jJ32GE5d; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=EK7/fV+N
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 86MoyVvRYnCn for <oauth@ietfa.amsl.com>; Sat, 25 Sep 2021 23:30:25 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C28173A102E for <oauth@ietf.org>; Sat, 25 Sep 2021 23:30:24 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 9015D5C00C1; Sun, 26 Sep 2021 02:30:20 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Sun, 26 Sep 2021 02:30:20 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= pragmaticwebsecurity.com; h=from:message-id:content-type :mime-version:subject:date:in-reply-to:cc:to:references; s=fm2; bh=P0b6mfu2iNpMBJw5ef9nxbMmrz+5pMZ8lohM/A/KTag=; b=jJ32GE5dYoSR 3q9i+kurwOxgehkJibk2WuV0hL2Yr4nAgkYg4WtpEXKH1xx3ztU1ghaeT+q7PJlA 2NgijaF2ULXbtx8qOp3q31fcyoCgaydF/Cmk/dDYiacqpM4M6mELVD4ZfWMpiraE V4OPlZREhJiruQ1WxP12SPSaLFf8g7GQB9hRP+MNLMTx45rlg8f8ATo79C2OqNYc N+RcNiYEYi+mh8oKWx9g9nJOdf0Ecr2cejd37HT6+z1BTwCzylhMnNzdm1TWqyf0 aXlKqg5wW7hmBN83imrfAOJGUyfAzhUGLyZ61MTz/ga1CnSs8NznNn6KVdn831kG aBx6DxOyFg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=P0b6mf u2iNpMBJw5ef9nxbMmrz+5pMZ8lohM/A/KTag=; b=EK7/fV+NLs/oaXeQfmlXuG MYP6BTNiHZ8iyObu6VLv/ZmlgF0WSxih9wqLWh5tFLjf++t2uLn82m0NfU6PbIQW pxSnA0TuVSqQ++AEJ4ecYR8eoTknHRPRfyimOx+7aluKVEjzAlY3XG3iTnOPg/3m O6uuGcXGgPIf6sY4YmAQEEKKBP54F/hNXqGCToms2u/WWPIlqiVk7AGPlhd27Quz qXqA38dj6Uswoq+xrEGe17CrqhlOn5gytGKVlTVzgOHwU8e3rTAqJH7kTjYdGcMa 0A2xn50TiryEyMXL4mGSw/jdCXV2Lq54vY1KgKCkD72BeY6Wj2qCzvT2PxAO2dLA ==
X-ME-Sender: <xms:exNQYSkuWV-5XnvFn4j5OgNFItwYWrdnPo8PsGAF7M5r4JEjIV5FWQ> <xme:exNQYZ2ZMxzmCfpJUBCm5GnUjlcYjkyZyMD_k-LD4mleHtQoEHI_unEOW2CMJdi7J R2-HniqSOgwe3E0kA>
X-ME-Received: <xmr:exNQYQrOFxgngjbhai7_tXziDI3DmdypYxGlOixL8OwaLIpjWzMbiKnRMKme4-kSAaAbvR6Ybvq8whmQGybjkd-wV9fkqx8>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrudejhedgtdefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffktgggufffjgfvfhfosegrtdhmrehhtdejnecuhfhrohhmpefrhhhilhhi phhpvgcuffgvucfthigtkhcuoehphhhilhhiphhpvgesphhrrghgmhgrthhitgifvggssh gvtghurhhithihrdgtohhmqeenucggtffrrghtthgvrhhnpeekgfffkeehveekkeekkeef keelgfeihfeijeffieejgefhheetkedvudehvdetgfenucffohhmrghinhepphhrrghgmh grthhitgifvggsshgvtghurhhithihrdgtohhmpdhivghtfhdrohhrghdpfhhorhhgvghr ohgtkhdrtghomhdpmhgrnhhitghouggvrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd enucfrrghrrghmpehmrghilhhfrhhomhepphhhihhlihhpphgvsehprhgrghhmrghtihgt figvsghsvggtuhhrihhthidrtghomh
X-ME-Proxy: <xmx:fBNQYWkiW4f6CaQIEEf1Vgxdq1LL61u8Dqq-fT1xPQjtlL7nLdzLWg> <xmx:fBNQYQ3Bx4WcvhWF9axq3ibOAOpzV4GGUl-HCI2rAK-0VzIILkIAOQ> <xmx:fBNQYdt8YSy22O7KagshjUEoFJBQPV85h-SJ5eiBwSoBhqgl1ChYyQ> <xmx:fBNQYd-xoljV98v-IbY6FnN35MbM4K3vW4_n_lFI_W9F7pxmcAT-Eg>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sun, 26 Sep 2021 02:30:19 -0400 (EDT)
From: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
Message-Id: <CB89CE83-269A-44E6-AB27-A2BDA452EBD2@pragmaticwebsecurity.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_13CFCB1A-7A07-4905-AAD3-BDD5AD0C18B6"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Sun, 26 Sep 2021 08:30:17 +0200
In-Reply-To: <8645e6a3-6c23-05f0-2165-579d502109b7@manicode.com>
Cc: Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>
To: Jim Manico <jim@manicode.com>
References: <2EA892D6-D2F5-46AA-9B03-63F7AC4C5A69@manicode.com> <7306C2C0-DC84-4A0B-9344-EF238F6A7E44@forgerock.com> <8645e6a3-6c23-05f0-2165-579d502109b7@manicode.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8MHHYH-hrLn665aj2v5WRw3pvLo>
Subject: Re: [OAUTH-WG] Web apps BCP feedback
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Sep 2021 06:30:31 -0000
That’s why cookies should be set with the __Host- prefix. In a carefully-designed API, CORS will function as a CSRF defense, even when the attacker is controlling a subdomain or sibling domain. Overall, I think the first part of 6.1 makes sense, but I don’t think the document should try to draw out such an architecture in 1 or 2 paragraphs at the end of that section. Philippe — Pragmatic Web Security Security for developers https://pragmaticwebsecurity.com > On 26 Sep 2021, at 00:15, Jim Manico <jim@manicode.com> wrote: > > Hi Neil! =) > > I get your point! > I would suggest this text be written as something along the lines of: > > "Additionally, the SameSite cookie attribute can be used to > prevent CSRF attacks but the application and API should also > be written to use anti-CSRF tokens for stateful session-based applications > or use of the double-cookie submit pattern for stateless applications.”' > > PS: If an adversary controls a subdomain can't they clobber and over-write root level cookies anyhow? I do not think CSRF defense will defeat an adversarial subdomains ability to over-write a cookie and circumvent double-cookie-submit. > > On 9/25/21 8:10 AM, Neil Madden wrote: >> Technically yes, CSRF refers to cross-site attacks. However, there is a class of attacks that are cross-*origin* but not cross-site and which are otherwise identical to CSRF. SameSite doesn’t protect against these attacks but other traditional CSRF defences *do*. For example, synchronizer tokens in hidden form fields or even just requiring a custom header on requests both provide some protection against such attacks, as they both use mechanisms that are subject to the same origin policy rather than same-site. >> >> — Neil >> >>> On 25 Sep 2021, at 18:20, Jim Manico <jim@manicode.com> <mailto:jim@manicode.com> wrote: >>> >>> If someone has taken over a subdomain in the ways described, that is not cross site request forgery since the attack is occurring from within your site. It’s more likely XSS that allows for cookie clobbering or similar, or just malicious code injected by the malicious controller of your subdomain. This is not strictly CSRF nor are these problems protected from any other standard form of CSRF defense. >>> >>> CSRF is Cross Site attack where the attack is hosted on a different domain. >>> >>> -- >>> Jim Manico >>> >>>> On Sep 25, 2021, at 1:07 AM, Dominick Baier <dbaier@leastprivilege.com> <mailto:dbaier@leastprivilege.com> wrote: >>>> >>>> >>>> In 6.1 it says >>>> >>>> "Additionally, the SameSite cookie attribute can be used to >>>> prevent CSRF attacks, or alternatively, the application and API could >>>> be written to use anti-CSRF tokens.” >>>> >>>> “Prevent” is a bit strong. >>>> >>>> SameSite only restricts cookies sent across site boundaries Iit does not prevent CSRF attacks from within a site boundary. Scenarios could be a compromised sub-domain, like sub-domain takeover or just some vulnerable application co-located on the same site. >>>> >>>> thanks >>>> ——— >>>> Dominick Baier >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >> >> Manage My Preferences <https://preferences.forgerock.com/>, Unsubscribe <https://preferences.forgerock.com/> > -- > Jim Manico > Manicode Security > https://www.manicode.com <https://www.manicode.com/>_______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
- [OAUTH-WG] Web apps BCP feedback Dominick Baier
- Re: [OAUTH-WG] Web apps BCP feedback Jim Manico
- Re: [OAUTH-WG] Web apps BCP feedback Neil Madden
- Re: [OAUTH-WG] Web apps BCP feedback Jim Manico
- Re: [OAUTH-WG] Web apps BCP feedback Philippe De Ryck
- Re: [OAUTH-WG] Web apps BCP feedback Neil Madden
- Re: [OAUTH-WG] Web apps BCP feedback Jim Manico
- Re: [OAUTH-WG] Web apps BCP feedback Neil Madden
- Re: [OAUTH-WG] Web apps BCP feedback Thomas Broyer