Re: [OAUTH-WG] Web apps BCP feedback
Neil Madden <neil.madden@forgerock.com> Sun, 26 September 2021 08:24 UTC
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E3223A16EB for <oauth@ietfa.amsl.com>; Sun, 26 Sep 2021 01:24:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uRF2EthnVjiu for <oauth@ietfa.amsl.com>; Sun, 26 Sep 2021 01:24:29 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAADF3A16E9 for <oauth@ietf.org>; Sun, 26 Sep 2021 01:24:28 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id g16so41541418wrb.3 for <oauth@ietf.org>; Sun, 26 Sep 2021 01:24:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:mime-version:subject:date:message-id:references:cc:in-reply-to :to:content-transfer-encoding; bh=W6OWYVscMgN9dKc4JyjFY0YCcUobf0ujmsTyXO+kgQs=; b=ISVEOMrfGu1QU3qwfMWqDr+pY5SWQOD/pW3aMZFzUob7VQcIJvHb+/jKL8yf3v3RPN XufRw/0W1lc0PISSZmSRvv6lz3CwHntL2U8aStJGxiya8pqv6eCU3nVdm1LJE+ok6ykm AEtoWe50/kWUXCZBwRnshks/GQFgRDWXka0kA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to:content-transfer-encoding; bh=W6OWYVscMgN9dKc4JyjFY0YCcUobf0ujmsTyXO+kgQs=; b=GV4kFFmhjPmBDAoFrVmNnZr9lVDB5jhi9Hjo3K9xIyew4Rv1sUMpmmu8AzAfz79YRq nPic8NpjOIEgC4OwfKZXtiwcjNVq1DJ8fNLb48HxJletO9Sr3EsH1hMYA/uSqBd8/qqa uIPIKTp8Oj2cGqnqDRnIoS+A+zGl+6ppBdwPawC5q3eqB++EYlAwsQzM6pmLqd2y0OWG G2amKslMCHeN/51BKlmKWHMy73QJGcacFMiZeMAMjMlCos5b19LCdHQ1SEOXZTSAnfDN FX64txQYM8UORUik2vuoxfNgxrZUB7hYJFUeUEyAjTSrmX28wOY+IbSVAl3hRhSCKIlF NCOA==
X-Gm-Message-State: AOAM5312QyH3cqElO+PwePCXdCT5jXj8up6JcCOZemmeJYvnPJGh561o LE1FDTySExJZnWxtm3oU0X6FBCcH5DiR6h2ZgXUpHx0O0+igxUcPYWBWUjvp1qIvv1Bcs/+Farf 10Z3WTHGJm3TFGGMmBZ1Ovi09S23io+B1ACAI0hjXARNBOQ9mvgB48xwsg0xk/V9eOA==
X-Google-Smtp-Source: ABdhPJwoFZWZEddUOdaXGtUcHJEDxHnFbQtdm+6abCaz41NgyiXPmVANTgo2EzIa+cfE9+OCCZBjKQ==
X-Received: by 2002:a7b:cbce:: with SMTP id n14mr10335681wmi.169.1632644666776; Sun, 26 Sep 2021 01:24:26 -0700 (PDT)
Received: from smtpclient.apple (152.249.143.150.dyn.plus.net. [150.143.249.152]) by smtp.gmail.com with ESMTPSA id i2sm12920666wrq.78.2021.09.26.01.24.26 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 26 Sep 2021 01:24:26 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Sun, 26 Sep 2021 09:24:25 +0100
Message-Id: <9C0F9B3A-66A8-4C5E-9E5E-C01C919D4A83@forgerock.com>
References: <CB89CE83-269A-44E6-AB27-A2BDA452EBD2@pragmaticwebsecurity.com>
Cc: Jim Manico <jim@manicode.com>, oauth <oauth@ietf.org>
In-Reply-To: <CB89CE83-269A-44E6-AB27-A2BDA452EBD2@pragmaticwebsecurity.com>
To: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
X-Mailer: iPhone Mail (18H17)
Content-Type: multipart/alternative; boundary="Apple-Mail-7E78CA2E-3710-42BD-B0C9-69D0E6010B74"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ORXYgahQtIk8r3jEsek9b1KdrEQ>
Subject: Re: [OAUTH-WG] Web apps BCP feedback
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Sep 2021 08:24:35 -0000
Right, cookie prefixes is one approach - but still has a little way to go on browser share [1]. In my book (have I mentioned my book? :-)), I show a variant of the double-submit cookie pattern in which the anti-CSRF token is a SHA-256 hash of the session cookie [2], which prevents the cookie being overridden. We should probably just defer to the security considerations in rfc6265-bis [3], which already discusses some limitations of SameSite and recommends it be used as a defence-in-depth alongside traditional defences. [1]: https://caniuse.com/?search=cookie%20prefix [2]: https://livebook.manning.com/book/api-security-in-action/chapter-4/181 [3]: https://tools.ietf.org/id/draft-ietf-httpbis-rfc6265bis-08.html#name-samesite-cookies — Neil > On 26 Sep 2021, at 07:30, Philippe De Ryck <philippe@pragmaticwebsecurity.com> wrote: > > That’s why cookies should be set with the __Host- prefix. > > In a carefully-designed API, CORS will function as a CSRF defense, even when the attacker is controlling a subdomain or sibling domain. > > Overall, I think the first part of 6.1 makes sense, but I don’t think the document should try to draw out such an architecture in 1 or 2 paragraphs at the end of that section. > > Philippe > > — > Pragmatic Web Security > Security for developers > https://pragmaticwebsecurity.com > >> On 26 Sep 2021, at 00:15, Jim Manico <jim@manicode.com> wrote: >> >> Hi Neil! =) >> >> I get your point! >> I would suggest this text be written as something along the lines of: >> >> "Additionally, the SameSite cookie attribute can be used to >> prevent CSRF attacks but the application and API should also >> be written to use anti-CSRF tokens for stateful session-based applications >> or use of the double-cookie submit pattern for stateless applications.”' >> >> PS: If an adversary controls a subdomain can't they clobber and over-write root level cookies anyhow? I do not think CSRF defense will defeat an adversarial subdomains ability to over-write a cookie and circumvent double-cookie-submit. >> >>> On 9/25/21 8:10 AM, Neil Madden wrote: >>> Technically yes, CSRF refers to cross-site attacks. However, there is a class of attacks that are cross-*origin* but not cross-site and which are otherwise identical to CSRF. SameSite doesn’t protect against these attacks but other traditional CSRF defences *do*. For example, synchronizer tokens in hidden form fields or even just requiring a custom header on requests both provide some protection against such attacks, as they both use mechanisms that are subject to the same origin policy rather than same-site. >>> >>> — Neil >>> >>>>> On 25 Sep 2021, at 18:20, Jim Manico <jim@manicode.com> wrote: >>>>> >>>> If someone has taken over a subdomain in the ways described, that is not cross site request forgery since the attack is occurring from within your site. It’s more likely XSS that allows for cookie clobbering or similar, or just malicious code injected by the malicious controller of your subdomain. This is not strictly CSRF nor are these problems protected from any other standard form of CSRF defense. >>>> >>>> CSRF is Cross Site attack where the attack is hosted on a different domain. >>>> >>>> -- >>>> Jim Manico >>>> >>>>>> On Sep 25, 2021, at 1:07 AM, Dominick Baier <dbaier@leastprivilege.com> wrote: >>>>>> >>>>> >>>>> In 6.1 it says >>>>> >>>>> "Additionally, the SameSite cookie attribute can be used to >>>>> prevent CSRF attacks, or alternatively, the application and API could >>>>> be written to use anti-CSRF tokens.” >>>>> >>>>> “Prevent” is a bit strong. >>>>> >>>>> SameSite only restricts cookies sent across site boundaries Iit does not prevent CSRF attacks from within a site boundary. Scenarios could be a compromised sub-domain, like sub-domain takeover or just some vulnerable application co-located on the same site. >>>>> >>>>> thanks >>>>> ——— >>>>> Dominick Baier >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> Manage My Preferences, Unsubscribe >>> >> -- >> Jim Manico >> Manicode Security >> https://www.manicode.com >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > -- Manage My Preferences <https://preferences.forgerock.com/>, Unsubscribe <https://preferences.forgerock.com/>
- [OAUTH-WG] Web apps BCP feedback Dominick Baier
- Re: [OAUTH-WG] Web apps BCP feedback Jim Manico
- Re: [OAUTH-WG] Web apps BCP feedback Neil Madden
- Re: [OAUTH-WG] Web apps BCP feedback Jim Manico
- Re: [OAUTH-WG] Web apps BCP feedback Philippe De Ryck
- Re: [OAUTH-WG] Web apps BCP feedback Neil Madden
- Re: [OAUTH-WG] Web apps BCP feedback Jim Manico
- Re: [OAUTH-WG] Web apps BCP feedback Neil Madden
- Re: [OAUTH-WG] Web apps BCP feedback Thomas Broyer