Re: [TEST] Test "POC for CSRF Token"

[Jacques Le Roux]

Hi Girish,

Thanks for asking!
I have read in several up to date places that it's better to have both. Notably when you use the lax option that I have left users to choice to, 
because this might be needed in some cases. So the CSRF token defense offers a second fence.

OWASP clearly explains why at:
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute

Other references:
https://security.stackexchange.com/questions/121971/will-same-site-cookies-be-sufficent-protection-against-csrf-and-xss
https://blog.worldline.tech/2018/07/02/same-site-cookie-a-new-protection-against-csrf.html
https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/

Note that if you want to avoid the heaviness and drawbacks of CSRF token defense (yes, though we made our best, there are some) you can use the 
NoCsrfDefenseStrategy. The Same Site Cookie Attribute being set to strict by default will save your back.  BTW this leads me to think that we can now 
use the NoCsrfDefenseStrategy on demos.

Jacques

Le 28/03/2020 à 10:39, Girish Vasmatkar a écrit :
Hi Jacques

I second your points. However, I have the following question -

Since you have explored and followed OWASP very extensively, do you think
with the introduction of same-site attribute, the whole concept of CSRF
token becomes somewhat redundant, provided almost every browser has the
support for this attribute now?
I haven't gone into too much detail, so my understanding on this is
limited. However, from what I understood, same-site has the ability to
become an all-in-one solution for CSRF attacks provided browsers honour it.

Best,
Girish


On Sat, Mar 28, 2020 at 2:39 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

Hi,

Of course, I have my own opinion. Here are my answers to these questions.

  1. By default in OFBiz the session timeout is 1 hour. After that, OFBiz
generates a new CSRF token before you sign in. I think for OFBiz
applications
     it's enough security. Of course we could have more fancy defenses like
banks which are using random numeric pads for authentication and two-factor
     authentication for important operations. Or companies like GitHub
which use two-factor authentication in case of machine or browser change. I
     don't think it's needed OOTB for OFBiz applications. Some users may
need it but it's then to them to implement what they specifically need. So
     random values generated by java.security.SecureRandom are safe enough
in my opinion.
  2. If someone tries to use a not auth protected request the CSRF defenses
(token + same-site) will not allow it from another domain if csrf-token is
     not set to false. That's already reassuring and we maybe not need to
worry much about the remaining 195 cases where auth="false". Because there
     are some obviously needed, like all those related to login or password
change. For the others it may turn out that they are also needed for other
     reasons. For them we need to test them one by one and in some case
need to set csrf-token to false, for instance in case of requests in an
     anonymous flow. So finally, despite the remaining 195 cases, it should
not be too hard and too long to decide on this.

Also note that with OFBIZ-11470 <
https://issues.apache.org/jira/browse/OFBIZ-11470> we are more secured,
in a CSRF perspective, with the same-site
cookie attribute. It's not perfect in itself, but according to OWASP, it's
the perfect duo for CSRF defense when associated with CSRF tokens.

I continue to work on the remaining 195 cases where auth="false"...

HTH

Jacques

Le 27/03/2020 à 19:16, Jacques Le Roux a écrit :
Hi All,

Before I create a PR as a last opportunity to allow reviews and tests,
I'd like to ask 2 last questions:
1. should we not use a JWT rather than a (pseudo) random value for the
CSRF token, this for timeout reason? Don't get me wrong I'm sure that the
    random values generated by java.security.SecureRandom, as currently
used, are safe enough. It's just that I wonder about the timeout. Should we
care?
2. In relation with OFBIZ-4956, we need to check the remaining 195 cases
where auth="false" and decide if we should change to "true", with the CSRF
    defense then used by default. In other cases (auth="false" must
remain) we need to decide if should set the CSRF token check to false.
Apart that my
https://github.com/JacquesLeRoux/ofbiz-framework/tree/POC-for-CSRF-Token-OFBIZ-11306
branch is ready to create a PR. We can't wait too
long about those 2 points, even if the 2nd needs a "bit" of work.
Anyway, for now I'll wait answers, and hopefully help for OFBIZ-4956.
Thanks

Jacques


Le 26/03/2020 à 07:39, James Yong a écrit :
+1 with CSRF defense enabled in Demo
Hi,

I thought about that a bit more. I suggest to let the stable version
(soon, R17) as is, ie with  CSRF defense enabled. This way users, mostly
interested in stable, would  see the real situation.

And to use the NoCsrfDefenseStrategy in trunk. So developers, often
brought to use the trunk for development reasons, would have more latitude;
as
they certainly will do locally.

If nobody disagree we will do so at
https://issues.apache.org/jira/browse/OFBIZ-11472 with Swapnil
If we do so, the link
https://demo-stable.ofbiz.apache.org/ordermgr/control/main?USERNAME=admin&PASSWORD=ofbiz&JavaScriptEnabled=Y
will no longer
work.

https://demo-stable.ofbiz.apache.org/ordermgr should be used and we
need to update https://ofbiz.apache.org/ofbiz-demos.html for that.
Jacques