search

yiisoft / csrf

PSR-15 middleware implementing CSRF protection
https://www.yiiframework.com/
BSD 3-Clause "New" or "Revised" License
23 stars 8 forks source link

Whether the package needs to be updated according to OWASP? #32

Open solventt opened 2 years ago

solventt commented 2 years ago

In the documentation you refer to OWASP: now only Synchronizer Token Pattern and Double Submit Cookie are actual there. HMAC Based Token Pattern and Encryption based Token Pattern were removed.

It should be understood that the Double Submit Cookie will require the configuration to use Yiisoft\Cookies\CookieMiddleware.

But maybe you shouldn't add the Double Submit Cookie pattern, because it seems to me that this thing is for rare use.

Steps to update:

1) To remove HMAC Based Token Pattern 2) To add Double Submit Cookie processing logic to the middleware (optional) 3) To write something like DoubleSubmitCsrfToken (optional) 4) To update the documentation

Draft with the Double Submit Cookie pattern :

final class CsrfMiddleware implements MiddlewareInterface
{
...

private bool $sendCookie = false;

...

public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
    if ($this->token instanceof DoubleSubmitCsrfToken) {
        $cookieValues = $request->getCookieParams();
        $cookieValue = $cookieValues[$this->parameterName] ?? null;

        // the setValue() method is needed to validate the value later, if necessary
        // for example, "return hash_equals($this->getValue(), $token);"
        $cookieValue ? $this->token->setValue($cookieValue) : $this->sendCookie = true;
    }

    if (!$this->validateCsrfToken($request)) {
        $response = $this->responseFactory->createResponse(Status::UNPROCESSABLE_ENTITY);
        $response->getBody()->write(Status::TEXTS[Status::UNPROCESSABLE_ENTITY]);
        return $response;
    }

    $response = $handler->handle($request);

    return $this->sendCookie ?
           $this->token->getCsrfCookie($this->parameterName)->addToResponse($response) :
           $response;
}

Why are checks made before the validateCsrfToken method? OWASP requires the cookie to be set the first time the user visits the site: "When a user visits (even before authenticating to prevent login CSRF), the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session identifier."

samdark commented 2 years ago

HMAC Based Token Pattern and Encryption based Token Pattern were removed.

No. See the following paragraph:

A simpler alternative to an encrypted cookie is to HMAC the token with a secret key known only by the server and place this value in a cookie. This is similar to an encrypted cookie (both require knowledge only the server holds), but is less computationally intensive than encrypting and decrypting the cookie. Whether encryption or a HMAC is used, an attacker won't be able to recreate the cookie value from the plain token without knowledge of the server secrets.

samdark commented 2 years ago

But overall thanks for giving a link. Seems the guide was updated.