jpadilla / django-rest-framework-jwt

JSON Web Token Authentication support for Django REST Framework
http://jpadilla.github.io/django-rest-framework-jwt/
MIT License
3.19k stars 652 forks source link

JWT_AUTH_COOKIE makes APIs CSRF vulnerable. #338

Open mohsen-mahmoodi opened 7 years ago

mohsen-mahmoodi commented 7 years ago

Using the JWT_AUTH_COOKIE is vulnerable to CSRF attacks and this is not mentioned in the documentation nor mitigated against in the code.

angvp commented 7 years ago

How is that? please explain.

Radobilly commented 7 years ago

Maybe by brute forcing the default hs256 JWT_ALGORITHM as mentioned here and here

angvp commented 7 years ago

@mahmoodi ? input please.

klis87 commented 7 years ago

@mahmoodi is right. Because JWT is saved in a cookie, it will be automatically sent with every request, causing successful authentication without any need to add JWT to request header by the application. Because of this, it is generally vulterable to CSRF in exactly the same way as usual cookie session, so actually there is no need to provide any example here as general CSRF vulnarability examples could be applied here.

angvp commented 7 years ago

Hey @klis87 thanks for jump in, yeah I got that from @Radobilly's links and some googling .. I will write some docs and will update this ticket so you can proofread and add/delete more info to the main docs.

AdamStelmaszczyk commented 7 years ago

Please correct me if I'm wrong, but seems to me that default Django CSRF protection, if used correctly, prevents problems:

https://docs.djangoproject.com/en/1.11/ref/csrf/

https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage also says that:

Leveraging your web app framework’s CSRF protection makes cookies rock solid for storing a JWT.

Update:

Ah ok, I see one more thing now. Django's CSRF tokens will be generated if one has django.middleware.csrf.CsrfViewMiddleware, but they get ignored when using JSONWebTokenAuthentication. So yes, it looks like JWT cookie is vulnerable to CSRF.

EduardoNogueira commented 6 years ago

Any update on this?

bmpenuelas commented 6 years ago

I noticed this risk and created a pull request adding an option to handle csrf protection when using JWT in http-only cookie.

Now I see it's an open issue, for those interested, check out https://github.com/GetBlimp/django-rest-framework-jwt/pull/434 and maybe we can close this.

CapedHero commented 6 years ago

Perhaps this post might be illuminating?

bmpenuelas commented 6 years ago

It is @CapedHero, that is the behaviour that you get when using #434.

PaulDFPV commented 6 years ago

As well as requiring CSRF protection, shouldn't JWT_AUTH_COOKIE also be set with the Secure flag?

bmpenuelas commented 6 years ago

The Secure flag prevents the cookie from being sent over non-https connections, protecting it from eavesdropping among other things. Some users might want to protect their apps from CSRF and XSS while allowing them to work over http. In that case, the Secure flag would not be a suitable choice.

That said, using https and the Secure flag is of course advisable whenever possible.

PaulDFPV commented 6 years ago

Perhaps use the Secure flag by default and have an option to turn it off then?

pou426 commented 5 years ago

There is currently no way to customise the cookie settings. It would be really useful to have the choice to set them, especially the secure and samesite flags. Thanks!

bmpenuelas commented 5 years ago

Yes @pou426 you can customize it the way you want using CSRF_COOKIE_SECURE and CSRF_COOKIE_SAMESITE respectively.