webauthn-open-source / webauthn-simple-app

A simple WebAuthn / FIDO2 JavaScript application
https://apowers313.github.io/webauthn-simple-app/
MIT License

CSRF protection #6

Open madwizard-thomas opened 6 years ago

madwizard-thomas commented 6 years ago

Would it be necessary to protect the POST requests in this library with a CSRF token? The response can't be read from other security contexts but it might still be abused to wrongly trigger risk engines.

apowers313 commented 6 years ago

I've been thinking about that. I don't think it's a direct attack, because the result messages contain a random challenge already (as part of the FIDO / WebAuthn protocol). But you may be right that the day a risk engine gets hooked up to this, it's possible to inject noise / increase risk scores through CSRF. Not an attack on its own, but perhaps part of a broader attack.

I aspire to write a XACML-style policy engine and a risk engine some day, so maybe this comes into play as part of that.
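An added example of the layered check the two comments above describe, written for this thread and not taken from webauthn-simple-app: a server-side validator for the assertion POST that requires a session-bound CSRF token before it even looks at the FIDO challenge, so a forged cross-site POST is rejected without ever being counted as an authentication failure by a risk engine. The session shape, the `x-csrf-token` header name and all sample values are assumptions.

```javascript
// Added example for this thread; not code from webauthn-simple-app.
// Session shape, header name and all sample values are assumptions.

// Constant-time comparison of two equal-length secrets.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// clientDataJSON arrives base64url-encoded from the authenticator.
function parseClientData(b64url) {
  return JSON.parse(Buffer.from(b64url, 'base64url').toString('utf8'));
}

// Server-side checks for POST /assertion/response. `session` is the server's
// record from when the challenge was issued; `req` is the incoming request.
// The CSRF check runs first, so a forged cross-site POST is rejected before
// any risk engine could count it as a failed authentication attempt.
function checkAssertionPost(session, req) {
  if (!session || !session.challenge) return { ok: false, reason: 'no_pending_challenge' };
  const token = (req.headers && req.headers['x-csrf-token']) || '';
  if (!safeEqual(token, session.csrfToken)) return { ok: false, reason: 'csrf_token_mismatch' };
  let clientData;
  try {
    clientData = parseClientData(req.body.response.clientDataJSON);
  } catch (e) {
    return { ok: false, reason: 'bad_client_data' };
  }
  if (clientData.type !== 'webauthn.get') return { ok: false, reason: 'wrong_type' };
  if (clientData.origin !== session.origin) return { ok: false, reason: 'origin_mismatch' };
  // The FIDO challenge is the defence the thread relies on: random, session-bound, single-use.
  if (!safeEqual(clientData.challenge, session.challenge)) return { ok: false, reason: 'challenge_mismatch' };
  session.challenge = null; // consume it so a replay of the same response fails
  // Signature verification over authenticatorData || sha256(clientDataJSON) would follow here.
  return { ok: true, reason: 'accepted' };
}

// Constructed sample data (not real credentials or a real deployment).
function makeSession() {
  return { csrfToken: 'csrf-token-constructed-0123456789abcdef',
           challenge: 'Y2hhbGxlbmdlLWJ5dGVzLWNvbnN0cnVjdGVk',
           origin: 'https://example.test' };
}
function makeRequest(session, { token = session.csrfToken, challenge = session.challenge } = {}) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge, origin: session.origin })).toString('base64url');
  return { headers: { 'x-csrf-token': token }, body: { response: { clientDataJSON } } };
}
```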