Re: [OAUTH-WG] Web apps BCP feedback
Jim Manico <jim@manicode.com> Sun, 26 September 2021 10:28 UTC
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC1F03A1DF8 for <oauth@ietfa.amsl.com>; Sun, 26 Sep 2021 03:28:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sg3pUh9j0wtY for <oauth@ietfa.amsl.com>; Sun, 26 Sep 2021 03:28:46 -0700 (PDT)
Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B95E33A1DF5 for <oauth@ietf.org>; Sun, 26 Sep 2021 03:28:46 -0700 (PDT)
Received: by mail-pf1-x435.google.com with SMTP id c1so12975903pfp.10 for <oauth@ietf.org>; Sun, 26 Sep 2021 03:28:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode.com; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=uFTX8gyl1pxhc0a/YEhW+LPYUhmBXWuaJ+Su0THKSxQ=; b=bp14Pz4/W4taNODJAYv2/+L5FoTjzNv8tMmxpqEZ5WdvG/uHoD3C4OwtxJDztmxOju DoEqbOu3sdqraGEhJqCaf/UqUPlix1Ot32Qto5MHzjmx8Ze8vGa8nADh6j3rgz+rZIUt YrpWw6v+qfqk2VJRnu+g3+HmlX1NGrvyDHfj2vtv7Qw9xfy5lt+B+DobarBGaMdFvRHy WCuEkWIecutUQmQ0fgGQqWEXuw8ZPUP4PxRg31obc6HJMHAAn6P2AuT4zSxzFfTeC16d dZUh5hLj/Qr30KPEWCPSHNXaY60hcl3oWOlbLPYysbLLO+FrGSNOPhFtqYvS1ZikCzIj 79lw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=uFTX8gyl1pxhc0a/YEhW+LPYUhmBXWuaJ+Su0THKSxQ=; b=jqthoRQeAmT8MkFcSvoh1zMRxzr/DDvEuqmyYU4dNJ8iWzTlrZWVPmBD2vUZt+bz+a ofP9xAlgswZqp0hJhndCkNgbD/ORiDYQVYZfR7BOgKcdHZPS08t0uHaTVcfe8eGJX33X huXnQi1U4Pm3PMeLTG//n8bEbajlV10GWWGEWxsR06h4ZkrQ1+VJWOWxcrCAiTgeT6Xl pbUx3TAbHBvDoENAC/Ub1JZFZKiNdOcughmSMfqgHlYcgqFFn4dXcx98fNqK/+af2PDI bze1L2zSDvqo01iqDeRd2dEZhyorH5xI6FUEOmAP7YfZZN8VfDZRpTzMZmxR2Pebad49 Ciew==
X-Gm-Message-State: AOAM530inQb3oslqKwSy+hoInlv3ouyaY3Lsj/VttI/cZ8vGVCNp0CTi Dx3Bl0f7O1IUCmJCgNBVzm9CuQ==
X-Google-Smtp-Source: ABdhPJz5R1duvJUsWNhwPbp82EGpnYZ8Q+S5+rYSnHFyTU42k5YGXhcScaRDm0gQPzSnW5/BHnQ4Pw==
X-Received: by 2002:a63:cd48:: with SMTP id a8mr11987169pgj.180.1632652125515; Sun, 26 Sep 2021 03:28:45 -0700 (PDT)
Received: from smtpclient.apple (204-210-127-015.res.spectrum.com. [204.210.127.15]) by smtp.gmail.com with ESMTPSA id m28sm15487319pgl.9.2021.09.26.03.28.44 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 26 Sep 2021 03:28:44 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-7D8A37CD-1851-4C5F-B6EE-93947C73A505"
Content-Transfer-Encoding: 7bit
From: Jim Manico <jim@manicode.com>
Mime-Version: 1.0 (1.0)
Date: Sun, 26 Sep 2021 00:28:43 -1000
Message-Id: <551F796F-0693-47BA-8A60-15ED2FA5AD7D@manicode.com>
References: <9C0F9B3A-66A8-4C5E-9E5E-C01C919D4A83@forgerock.com>
Cc: Philippe De Ryck <philippe@pragmaticwebsecurity.com>, oauth <oauth@ietf.org>
In-Reply-To: <9C0F9B3A-66A8-4C5E-9E5E-C01C919D4A83@forgerock.com>
To: Neil Madden <neil.madden@forgerock.com>
X-Mailer: iPhone Mail (19A346)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OSyPVP1yP7n4OAfjTM4XKAafgpY>
Subject: Re: [OAUTH-WG] Web apps BCP feedback
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Sep 2021 10:28:53 -0000
> That’s why cookies should be set with the __Host- prefix. You can also set the domain of a cookie to actually be a host (subdomain). Does that also prevent subdomains from clobbering root directory cookies? PS: I realize this is close to off topic, my last comment on this. - Jim Manico > On Sep 25, 2021, at 10:24 PM, Neil Madden <neil.madden@forgerock.com> wrote: > > > Right, cookie prefixes is one approach - but still has a little way to go on browser share [1]. > > In my book (have I mentioned my book? :-)), I show a variant of the double-submit cookie pattern in which the anti-CSRF token is a SHA-256 hash of the session cookie [2], which prevents the cookie being overridden. > > We should probably just defer to the security considerations in rfc6265-bis [3], which already discusses some limitations of SameSite and recommends it be used as a defence-in-depth alongside traditional defences. > > [1]: https://caniuse.com/?search=cookie%20prefix > [2]: https://livebook.manning.com/book/api-security-in-action/chapter-4/181 > [3]: https://tools.ietf.org/id/draft-ietf-httpbis-rfc6265bis-08.html#name-samesite-cookies > > — Neil > >>> On 26 Sep 2021, at 07:30, Philippe De Ryck <philippe@pragmaticwebsecurity.com> wrote: >>> >> That’s why cookies should be set with the __Host- prefix. >> >> In a carefully-designed API, CORS will function as a CSRF defense, even when the attacker is controlling a subdomain or sibling domain. >> >> Overall, I think the first part of 6.1 makes sense, but I don’t think the document should try to draw out such an architecture in 1 or 2 paragraphs at the end of that section. >> >> Philippe >> >> — >> Pragmatic Web Security >> Security for developers >> https://pragmaticwebsecurity.com >> >>> On 26 Sep 2021, at 00:15, Jim Manico <jim@manicode.com> wrote: >>> >>> Hi Neil! =) >>> >>> I get your point! >>> I would suggest this text be written as something along the lines of: >>> >>> "Additionally, the SameSite cookie attribute can be used to >>> prevent CSRF attacks but the application and API should also >>> be written to use anti-CSRF tokens for stateful session-based applications >>> or use of the double-cookie submit pattern for stateless applications.”' >>> >>> PS: If an adversary controls a subdomain can't they clobber and over-write root level cookies anyhow? I do not think CSRF defense will defeat an adversarial subdomains ability to over-write a cookie and circumvent double-cookie-submit. >>> >>>> On 9/25/21 8:10 AM, Neil Madden wrote: >>>> Technically yes, CSRF refers to cross-site attacks. However, there is a class of attacks that are cross-*origin* but not cross-site and which are otherwise identical to CSRF. SameSite doesn’t protect against these attacks but other traditional CSRF defences *do*. For example, synchronizer tokens in hidden form fields or even just requiring a custom header on requests both provide some protection against such attacks, as they both use mechanisms that are subject to the same origin policy rather than same-site. >>>> >>>> — Neil >>>> >>>>>> On 25 Sep 2021, at 18:20, Jim Manico <jim@manicode.com> wrote: >>>>>> >>>>> If someone has taken over a subdomain in the ways described, that is not cross site request forgery since the attack is occurring from within your site. It’s more likely XSS that allows for cookie clobbering or similar, or just malicious code injected by the malicious controller of your subdomain. This is not strictly CSRF nor are these problems protected from any other standard form of CSRF defense. >>>>> >>>>> CSRF is Cross Site attack where the attack is hosted on a different domain. >>>>> >>>>> -- >>>>> Jim Manico >>>>> >>>>>>> On Sep 25, 2021, at 1:07 AM, Dominick Baier <dbaier@leastprivilege.com> wrote: >>>>>>> >>>>>> >>>>>> In 6.1 it says >>>>>> >>>>>> "Additionally, the SameSite cookie attribute can be used to >>>>>> prevent CSRF attacks, or alternatively, the application and API could >>>>>> be written to use anti-CSRF tokens.” >>>>>> >>>>>> “Prevent” is a bit strong. >>>>>> >>>>>> SameSite only restricts cookies sent across site boundaries Iit does not prevent CSRF attacks from within a site boundary. Scenarios could be a compromised sub-domain, like sub-domain takeover or just some vulnerable application co-located on the same site. >>>>>> >>>>>> thanks >>>>>> ——— >>>>>> Dominick Baier >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> Manage My Preferences, Unsubscribe >>>> >>> -- >>> Jim Manico >>> Manicode Security >>> https://www.manicode.com >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> > > Manage My Preferences, Unsubscribe >
- [OAUTH-WG] Web apps BCP feedback Dominick Baier
- Re: [OAUTH-WG] Web apps BCP feedback Jim Manico
- Re: [OAUTH-WG] Web apps BCP feedback Neil Madden
- Re: [OAUTH-WG] Web apps BCP feedback Jim Manico
- Re: [OAUTH-WG] Web apps BCP feedback Philippe De Ryck
- Re: [OAUTH-WG] Web apps BCP feedback Neil Madden
- Re: [OAUTH-WG] Web apps BCP feedback Jim Manico
- Re: [OAUTH-WG] Web apps BCP feedback Neil Madden
- Re: [OAUTH-WG] Web apps BCP feedback Thomas Broyer