SEAPUNK
commented
9 years ago +1
I don't quite understand the reasoning behind that as well.
Open marfire opened 9 years ago
SEAPUNK
commented
9 years ago +1
I don't quite understand the reasoning behind that as well.
frutality
commented
8 years ago +1 That would be nice if @pillarjs can explain this point.
bradfloodx
commented
8 years ago +1
jonathanong
commented
8 years ago if anyone wants to maintain this, i can add you as a collab. haven't had time to revise this yet.
SEAPUNK
commented
8 years ago I'm not a security expert, but I can contribute to discussion, and help keep this repo alive if needed.
dougwilson
commented
8 years ago Best way to start is with PRs, of course :
mikermcneil
commented
8 years ago @marfire @jonathanong @bradleyflood @frutality @SEAPUNK when we decided to add csrf support to Sails core, we exposed a /csrfToken endpoint. Since then, I've spent a bunch of time thinking about this, particularly in the past month as @irlnathan and I have been working on the last chapter of the Sails book which covers security. I can say with a fair degree of confidence that this is safe as long as you follow some ground rules: the only time you need to worry about exposing a JSON endpoint which dispenses CSRF tokens is if that endpoint is accessible via a browser from an untrusted domain (CORS or JSONP). That's because, if it is accessible cross-domain, then e.g. if you visit http://hack-my-sauce.com in your browser, JavaScript running on that page can send a cross-domain request to the CSRF endpoint: http://your-normal-site-about-sauce.com/csrfToken and access it. Once javascript running on a nasty webpage has access to your CSRF token, even if all of your other endpoints do not allow cross-domain access, it's over (because it can use that csrf token to e.g. inject a hidden form pointed at POST http://your-normal-site-about-sauce.com/dollars/transfer-all-away with a hidden form field containing your CSRF token, then submit it as you! Now there's no way the naughty site could retrieve the response (which is the only reason why CSRF works anyway), but it could still circumvent CSRF protection and trigger actions.
Here's an attempt to summarize that word salad above into a more straightforward format:
Happy to dig into this more if it would help anybody out (if I don't respond, just remind me on twitter).
mikermcneil
commented
8 years ago (One other major caveat is that nasty browser plugins and/or compromised native software running on a computer completely circumvent everything I discussed above)
jroitgrund
commented
7 years ago JSON hijacking is one of the possible attack vectors. See this stackoverflow answer.
If you are careful to follow the OWASP recommendation and always return an object such as { "token": "foo" } at the top-level of your JSON response, you need not worry about this.
cspotcode
commented
6 years ago JSON hijacking is also possible using a charset-based attacks. I just learned about it, but here's my attempt at an accurate summary.
A malicious site loads your AJAX endpoint via Githubissues.
In a couple places this document emphasizes the following point: Make sure CSRF tokens can not be accessed with AJAX! Don't create a /csrf route just to grab a token.
I don't see the attack vector here. Such an endpoint would be no more or less secure than the usual practice of embedding the token in a hidden form field. In both cases the Same Origin policy will prevent a foreign script from reading the value.
That is: in both cases a foreign script can send a
GETto that URL; in both cases the user's authentication cookie will be included, causing the server to return a valid CSRF token; and in both cases the browser's Same Origin policy will prevent the foreign script from reading the response to theGET, which keeps the token secure.