grails / grails-spring-security-core

Grails Spring Security Core Plugin
Apache License 2.0

Protect login from CSRF attack? #435

Open edwardotis opened 8 years ago

edwardotis commented 8 years ago

AFAICT, the Grails withForm method is not available when using /j_spring_security_check to log users in.

How can we protect our apps from CSRF during login when using grails-spring-security-core? http://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-login

Using: grails 2.5.4

Thanks,

Ed

virtualdogbert commented 8 years ago

I'm curious about this, because why would you bother trying to protect your login from CSRF? From what I understand, the whole point of CSRF is someone trying to exercise a command through you because you are already logged in, for example updating a password. So the form for updating your password should have CSRF protection, not the login. Or is there some other possible exploit an attacker could use in the context of CSRF and logging in?

puneetbehl commented 6 years ago

Yes, you need to secure your login forms from CSRF attacks just as any other. Otherwise your site is vulnerable to a sort of "trusted domain phishing" attack. In short, a CSRF-vulnerable login page enables an attacker to share a user account with the victim.

The vulnerability plays out like this:

  1. The attacker creates a host account on the trusted domain
  2. The attacker forges a login request in the victim's browser with this host account's credentials
  3. The attacker tricks the victim into using the trusted site, where they may not notice they are logged in via the host account
  4. The attacker now has access to any data or metadata the victim "created" (intentionally or unintentionally) while their browser was logged in with the host account

Please read more here
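
The defence the comment above describes is the usual synchronizer-token pattern, applied to the login POST itself rather than only to post-login forms: the token is bound to the anonymous session that rendered the login page, so a cross-site page auto-submitting the attacker's host-account credentials can never supply it. The following is an added, framework-neutral illustration written for this thread; it is not code from grails-spring-security-core or Spring Security, and its in-memory session store, user table and function names are constructed for the demonstration. It also rotates the session id on successful login, which is what a real login filter should do alongside the token check.

```python
import hmac
import secrets

# Constructed in-memory stores for the demonstration (hypothetical; a real app
# would use the framework's session handling and authentication provider).
SESSIONS = {}
USERS = {"victim": "correct horse", "attacker_host": "host-pass"}


def new_session():
    """Create an anonymous (pre-login) session with its own CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32), "user": None}
    return sid


def render_login_form(sid):
    """Return the hidden field the login page must carry. The token is tied to
    the browser session that fetched the page, so only pages we served can
    produce a request containing it (synchronizer token pattern)."""
    return {"_csrf": SESSIONS[sid]["csrf"]}


def handle_login(sid, form):
    """Process a POST to the login endpoint.

    Returns (session id after login or None, reason). The CSRF check runs
    before credentials are examined, so a forged login attempt with valid
    attacker credentials is still rejected."""
    session = SESSIONS.get(sid)
    if session is None:
        return None, "no session"
    expected = session["csrf"]
    supplied = form.get("_csrf", "")
    # Constant-time comparison; a missing or foreign token means the request
    # did not originate from a page served to this browser.
    if not hmac.compare_digest(expected, supplied):
        return None, "csrf token invalid"
    if USERS.get(form.get("username")) != form.get("password"):
        return None, "bad credentials"
    # Rotate the session id on successful login (prevents session fixation)
    # and issue a fresh token for the authenticated session.
    del SESSIONS[sid]
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"csrf": secrets.token_urlsafe(32), "user": form["username"]}
    return new_sid, "ok"


def demo():
    """Run a legitimate login and a forged cross-site login side by side."""
    # Legitimate flow: the browser loads the login page, then posts the token back.
    sid = new_session()
    form = render_login_form(sid)
    form.update(username="victim", password="correct horse")
    legit_sid, legit_reason = handle_login(sid, form)

    # Forged flow: a third-party page auto-submits the attacker's host-account
    # credentials. The browser attaches the victim's session cookie, but the
    # forged form cannot contain the token embedded only in our login page.
    sid2 = new_session()
    forged = {"username": "attacker_host", "password": "host-pass"}
    forged_sid, forged_reason = handle_login(sid2, forged)

    logged_in_as = SESSIONS[legit_sid]["user"] if legit_sid else None
    return legit_reason, forged_reason, logged_in_as


if __name__ == "__main__":
    print(demo())
```

The ordering matters: the token is validated before the credentials, so the endpoint never authenticates a session on the strength of attacker-supplied credentials arriving without a token. In a Grails app the same check has to live where the login POST is actually handled (the Spring Security filter chain), which is why Grails' controller-level withForm does not cover /j_spring_security_check on its own.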

virtualdogbert commented 6 years ago

Cool, thanks for replying. With the app I'm currently working on this wouldn't be a likely scenario, because users can't sign up for accounts. In order to pull this off you would need to be a customer Account admin, or an admin. But at least I now know the reasoning behind wanting this, and it should be a part of Spring Security.