oasp / oasp4js

OASP4JS deprecated repository
Apache License 2.0

REST service for generating CSRF token #74

Closed atulejko closed 8 years ago

atulejko commented 8 years ago

The solution with the separate REST service is not a security issue, but can have the following consequences:

  1. The attacker can prepare a request invoking the service for the CSRF token generation, but cannot read the response because of the same-origin-policy (SOP). This is the case if the domain of the attacker is different from the domain that is attacked.
  2. If the domains are the same, the attack attempt will be successful, because the web browser permits the scripts contained in a first web page to access data in a second web page if both web pages have the same origin. Additionally, the CORS mechanism, i.e. extending the set of domains which are permitted to gain access, would, if introduced, lead to a further security leak.

marpuch commented 8 years ago

My two cents:

I think the biggest issue with a service offering a functionality of simply fetching a CSRF token with a GET request is that an insecure CORS configuration can completely destroy the whole CSRF protection. It must not be this way.

It is advised that the CSRF token for Single Page Applications is returned once as a login result. This way the CSRF token is given additional protection by the user's secret password, so no external resource can simply request the CSRF token again.

I think it's more an OASP4J topic than OASP4JS. I'd close the issue here and open one for OASP4J.

dumbNickname commented 8 years ago

@marpuch :+1: CSRF token obtained on login seems to be reasonable and robust solution :).

hohwille commented 8 years ago

> I think it's more an OASP4J topic than OASP4JS. I'd close the issue here and open one for OASP4J.

I agree. Please create an issue in oasp4j, link here and then close this one. The backend can simply mark in the session if the token has already been obtained and refuse subsequent requests.

marpuch commented 8 years ago

Oasp4j issue has been created. This issue can be closed now.