Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Whether the package needs to be updated according to OWASP? #32

Open
solventt opened this issue Nov 14, 2021 · 2 comments
Open

Whether the package needs to be updated according to OWASP? #32

solventt opened this issue Nov 14, 2021 · 2 comments
Labels
severity:security Affects security

Comments

@solventt
Copy link
Contributor

In the documentation you refer to OWASP: now only Synchronizer Token Pattern and Double Submit Cookie are actual there. HMAC Based Token Pattern and Encryption based Token Pattern were removed.

It should be understood that the Double Submit Cookie will require the configuration to use Yiisoft\Cookies\CookieMiddleware.

But maybe you shouldn't add the Double Submit Cookie pattern, because it seems to me that this thing is for rare use.

Steps to update:

1) To remove HMAC Based Token Pattern
2) To add Double Submit Cookie processing logic to the middleware (optional)
3) To write something like DoubleSubmitCsrfToken (optional)
4) To update the documentation

Draft with the Double Submit Cookie pattern :

final class CsrfMiddleware implements MiddlewareInterface
{
...

private bool $sendCookie = false;

...

public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
    if ($this->token instanceof DoubleSubmitCsrfToken) {
        $cookieValues = $request->getCookieParams();
        $cookieValue = $cookieValues[$this->parameterName] ?? null;
        
        // the setValue() method is needed to validate the value later, if necessary
        // for example, "return hash_equals($this->getValue(), $token);"
        $cookieValue ? $this->token->setValue($cookieValue) : $this->sendCookie = true;
    }

    if (!$this->validateCsrfToken($request)) {
        $response = $this->responseFactory->createResponse(Status::UNPROCESSABLE_ENTITY);
        $response->getBody()->write(Status::TEXTS[Status::UNPROCESSABLE_ENTITY]);
        return $response;
    }

    $response = $handler->handle($request);

    return $this->sendCookie ?
           $this->token->getCsrfCookie($this->parameterName)->addToResponse($response) :
           $response;
}

Why are checks made before the validateCsrfToken method? OWASP requires the cookie to be set the first time the user visits the site: "When a user visits (even before authenticating to prevent login CSRF), the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session identifier."
@solventt solventt mentioned this issue Nov 14, 2021
Merged
@samdark samdark added the severity:security Affects security label Nov 17, 2021
@samdark
Copy link
Member

samdark commented Nov 18, 2021

HMAC Based Token Pattern and Encryption based Token Pattern were removed.

No. See the following paragraph:

A simpler alternative to an encrypted cookie is to HMAC the token with a secret key known only by the server and place this value in a cookie. This is similar to an encrypted cookie (both require knowledge only the server holds), but is less computationally intensive than encrypting and decrypting the cookie. Whether encryption or a HMAC is used, an attacker won't be able to recreate the cookie value from the plain token without knowledge of the server secrets.

@samdark
Copy link
Member

samdark commented Nov 18, 2021

But overall thanks for giving a link. Seems the guide was updated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
severity:security Affects security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@samdark @solventt