GithubHelp home page GithubHelp logo

CsrfProtection weakness about forms HOT 5 CLOSED

foowie avatar foowie commented on July 23, 2024
CsrfProtection weakness

from forms.

Comments (5)

Majkl578 avatar Majkl578 commented on July 23, 2024

There should be probably expiration in CSRF session section, like 10/30 minutes or something like that.
Regeneration after login/logout should be imho done in user-land though.

from forms.

xificurk avatar xificurk commented on July 23, 2024

Well, there used to be optional parameter with timeout value, but it was removed (not sure why).

from forms.

dg avatar dg commented on July 23, 2024

Timeout is not proper solution.

from forms.

mishak87 avatar mishak87 commented on July 23, 2024

@dg Readme should reflect this issue and mention implementation details along with reasoning behind it. Apparently users assume it is implemented as Synchronizer Token Pattern but difference is that unique token is generated for whole session not per request.

@foowie Could you publish the that part of security review for future referrence?

TL;DR

CSRF implementation in Nette is only lightweight. If you are concerned with security you must implement your own CSRF token policy using Nette\Security\User::onLogin/onLogout and probably after receiving form.

Forms generate token only once for whole session. That prevents attacks on server that could lead to full memory or disk. Other solutions have more caveats either being complicated (out of scope for nette(/forms)), hard to implement along with AJAX or can open doors for DoS.

If you are concerned by people accessing your app from internet cafe I would suggest using HTTPS everywhere and reminding your users to logout along with using two level verification for critical actions.

Internet cafe argument is no longer valid it is 2014 not 1995. Anything with USB port that is not a extension cord cannot be trusted. That includes even cars that use same bus for control and media etc.

from forms.

foowie avatar foowie commented on July 23, 2024

@mishak87 Short description of vulnerability sent in review

CSRF tokens do not appear to be revoked on logout. This means that a user who accesses their
account on an untrusted computer should consider their account permanently compromised; while
they can revoke their session token by logging out, they cannot prevent CSRF attacks from an
attacker who recovers a CSRF token from the untrusted computer.

from forms.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.