krakenjs / lusca

Application security for express apps.

Invalidate CSRF token #68

Open kumarmugu opened 8 years ago

kumarmugu commented 8 years ago

Hi, I am using krakenJS and have enabled CSRF. Currently I am able to reuse the CSRF token generated on one page on another page (within the user session only).

I don't want to reuse the token even within the user session. Can I invalidate the token somehow?

Is there any way to do it in lusca?

Thanks in advance

K.Mugunthan.

aredridel commented 8 years ago

That sounds a bit like you're trying to do more than mitigate a CSRF attack with it.

What are you trying to do?

jasisk commented 8 years ago

With the default token implementation, there is no first-class mechanism to invalidate the token. Invalidating only at the terminus of the session is sufficient as far as OWASP is concerned.

You could certainly provide your own token implementation (using the impl property of the options you pass to lusca.csrf; see the default implementation for the required signature) and make a nonce which you also store in their session as part of the data that is used to generate the token (should probably use an HMAC at that point).

kumarmugu commented 8 years ago

@aredridel I will try to explain my requirement with a small example. I have two pages: 1. user edit page, 2. offers edit page.

I should allow to use the token which is generated for user edit page in offer edit page.

@jasisk Thanks for your quick response. I have gone through the default token.js and written a customized token file. I placed it in /lib/csrfToken.js.

Now I am struggling to configure my implementation function. Can you please help me?

I want to supply the implementation function in the argument. My application csrf configuration is as follows:

```
"csrf": {
  "enabled": true,
  "priority": 111,
  "route": "/((?!api))*",
  "module": {
    "name": "lusca",
    "method": "csrf",
    "arguments": [ {"impl": Function} ]
  }
}
```

Thanks in advance

kumarmugu commented 8 years ago

Hi @jasisk

I have specified my application configuration below.

```json
"csrf": {
  "enabled": true,
  "priority": 111,
  "route": "/((?!api))*",
  "module": {
    "name": "lusca",
    "method": "csrf",
    "arguments": [ {"impl": "path:./lib/csrfToken"} ]
  }
}
```

And I have changed line 26 of https://github.com/krakenjs/lusca/blob/master/lib/csrf.js as follows, and it is picking up my custom token generation function.

```js
impl = require(options.impl) || token;
```

Is there any way to call my function without modifying lusca code?

Thanks.

aredridel commented 8 years ago

So why does this require invalidating the token, if both pages should use the same one?

kumarmugu commented 8 years ago

Really sorry. It's a typo. I should not allow.

Thanks.

aredridel commented 8 years ago

Ah, okay. That makes more sense. It doesn't really answer why though -- what are you trying to prevent? Sounds like more than CSRF attacks that you're trying to prevent.