tags:

views:

469

answers:

7
+6  Q: 

Isn't CSRF a browser security issue?

Regarding cross-site request forgery (CSRF) attacks, if cookies are most used authentication method, why do web browsers allow sending cookies of some domain (and to that domain) from a page generated from another domain?

Isn't CSRF easily preventable in browser by disallowing such behavior?

As far as I know, this kind of security check isn't implemented in web browsers, but I don't understand why. Did I get something wrong?

About CSRF:

Edit: I think that cookies should not be sent on http POST in the above case. That's the browser behavior that surprises me.

+4  A: 

It isn't that a browser is sending the cookie to or from an outside domain, it's the fact that you're authenticated and the site isn't validating the source of the request, so it treats it as if the request came from the site.

As far as whether a browser should disallow that... what about the many situations where cross-site requests are desirable?

Edit: to be clear, your cookie is not sent across domains.

eyelidlessness  2008-10-22 00:30:00
>what about the many situations where cross-site requests are desirable?You mean where your actions on a page from one domain cause actions on another domain? That should be allowed, but why send the cookies (which contain authentication - and capabilities). I'm surprised!
Kresimir Cosic  2008-10-22 00:37:29
What is that 'desirable situation' for cross-site scripting that requires the mentioned cookies?
Kresimir Cosic  2008-10-22 00:40:24
The cookies are not sent.
eyelidlessness  2008-10-22 00:44:26
+2  A: 

I don't know that there's much the browser can do in that situation since the point of an XSRF attack is to direct the browser to another point in the application that would perform something bad. Unfortunately, the browser has no idea whether or not the request it's being directed to send is malicious or not. For example, given the classic example of XSRF:

<img src="http://domain.com/do_something_bad" />

it's not apparent to the browser that something bad is happening. After all, how is it to know the difference between that and this:

<img src="http://domain.com/show_picture_if_authenticated" />
Jason Baker  2008-10-22 00:58:33
There is no difference; both should fail (because the browser should not send authentication cookies). Why should one site by default be able to display your login status of ANOTHER site??
Kresimir Cosic  2008-10-22 08:23:19
Why shouldn't it? It is only showing the information to you.
Chris Marasti-Georg  2008-10-22 13:13:37
Sorry, I got carried away. What I would expect from a web browser is not to send cookies with POST in the described case. That way no ACTION can be taken by page from another domain.
Kresimir Cosic  2008-10-22 18:08:32
So, in the above example "do_something_bad" should not do anything (if it does, it is website programmer's error) because it is a http GET command.But then... do cookies really get sent with POST action on a page from another domain? I mean I would really really expect this to be disallowed.
Kresimir Cosic  2008-10-22 18:10:14
+3  A: 

Why wouldn't the browser send cookies?

Site A (http://www.sitea.com) sets a cookie for the user.

User navigates to site B (http://www.siteb.com). Site B features integration with site A - click here to do something on site A! The users clicks "here".

As far as the browser can tell, the user is making a conscious decision to make a request to site A, so it handles it the same way it would handle any request to site A, and that includes sending site A cookies in the request to site A.

Edit: I think the main issue here is that you think there is a distinction between authentication cookies and other cookies. Cookies can be used to store anything - user preferences, your last high score, or a session token. The browser has no idea what each cookie is used for. I want my cookies to always be available to the site that set them, and I want the site to make sure that it takes the necessary precautions.

Or are you saying that if you search yahoo for "gmail", and then click on the link that takes you to http://mail.google.com, you shouldn't be logged in, even if you told gmail to keep you logged in, because you clicked on the link from another site?

Chris Marasti-Georg  2008-10-22 00:59:10
>Site B features integration with site A - click here to do something on site A! The users clicks "here". --- Yes, but not actions that require your authentication on site A. Such actions should be disallowed. This kind of 'integration' immediately looks like a big security issue.
Kresimir Cosic  2008-10-22 08:17:53
I understand that there is no distinction between authentication cookies and other cookies. Thanks for a nice example about gmail, that almost answers my question. But I still think that authentication cookies should not be sent with POST in the described case.
Kresimir Cosic  2008-10-22 18:03:19
That way you could see that you are logged in on a page on another domain, but you couldn't do any ACTION from another domain.
Kresimir Cosic  2008-10-22 18:04:05
In fact, I didn't understand the gmail example completely. If you log on mail.google.com, then you are logged there or on whole google.com domain, depending on the domain of the cookie. You are logged there whenever you visit that domain, until you click on 'logout', which deletes the cookie.
Kresimir Cosic  2008-10-22 18:16:39
Perhaps I just have different opinion on this problem. I expect some behavior, which emphasizes security, while everybody else expects some other behavior, which emphasizes... convenience ... and problems for web programmers (more code needed to prevent attacks...).
Kresimir Cosic  2008-10-22 18:21:59
I mean, in the end it turns out, with CSRF, that a website cannot authorize users based on cookie information only... strange, way to strange for me. I would not expect that. I mean, cookies seem to me as the right tool for authentication, if there were no CSRF problems.
Kresimir Cosic  2008-10-22 18:27:18
Changed the example to be cross-domain.
Chris Marasti-Georg  2008-10-22 18:28:47
I still don't think example is right. If you are logged on gmail, then go to yahoo, then follow a link back to gmail, at that moment you are (still) logged onto gmail because:a) cookie is still there b) following a link is a http GET command.
Kresimir Cosic  2008-10-22 18:36:30
I think this would just give developers a false sense of security. Anyone who knows enough to use POSTs instead of GETs to modify data should know to be aware of XSRF. This would still leave less security-minded developers (who use GETs for important actions) vulnerable.
Chris Marasti-Georg  2008-10-22 18:54:12
Well, I can't agree on this last comment. If POSTs (as described) do not send cookies, then security becomes relatively simple for most developers: use cookies, use GET and POST as per http spec. Simple and no significant drawbacks.
Kresimir Cosic  2008-10-22 19:03:12
Anyway, if I don't get a better answer, I will promote this answer to accepted, since that google example at least answers my original question.
Kresimir Cosic  2008-10-22 19:04:00
But it is not actually a very good answer... To recapitulate your answer: "Allowing integration" that can be soo easily exploited ---The user doesn't make any concious decision, posts can be done automatically with javascript.
Kresimir Cosic  2008-10-22 19:10:30
The authentication vs other cookies - most uses and most significant uses for cookies are identification or authentication ... Google and yahoo example is ok.
Kresimir Cosic  2008-10-22 19:11:56
I have a web site with an API. A friend is working on an application that is currently read only, but I wouldn't be opposed to him adding write functionality. In your world, I wouldn't be able to do this. As it is, I can implement a method that blocks CSRF, but white-lists him.
Chris Marasti-Georg  2008-10-22 19:47:43
+1  A: 

A lot of the old protocols have big security holes -- think back to the recently-discovered DNS vulnerabilities. Like basically any network security, it's the responsibility of the end-points; yeah, it sucks that we have to fix this ourselves, but it's a lot harder to fix at the browser level. There are some obvious ones (<img src="logoff.php"> looks damn fishy, right?), but there will always be edge cases. (Maybe it's a GD script in a PHP file after all.) What about AJAX queries? And so on...

ojrac  2008-10-22 01:48:48
+1  A: 

The cookies for a site are never sent to another site. In fact, to implement a successful CSRF attack, the attacker does not need to have access to these cookies.

Basically, an attacker tricks the user, who is already logged in to the target website, into clicking a link or loading an image that will do something on the target site with that user's credentials.

I.e., the user is performing the action, and the attacker has tricked the user into doing so.

Lucas Oman  2008-10-22 02:01:50
A: 
anjanb  2008-10-22 02:36:18
A: 

Some people have said they don't think there's a lot the browser can do.

See this:

http://people.mozilla.org/~bsterne/content-security-policy/origin-header-proposal.html

It's an overview of a proposal for a new HTTP header to help mitigate CSRF attacks.

The proposed header name is "Origin" and it's basically the "Referer" header minus the path, etc.

noob source  2008-11-01 08:47:25

related questions

Make Browser Window Blink in Task Bar
Large File Download
Browser's Default CSS
Disable browser 'Save Password' functionality
What's the simplest way to decremement a date in Javascript by 1 day?
Browser scrollbar
Limitations of screen readers.
Version detection with Silverlight
Best way to fix CSS/JS drop-down problem in IE7 when page includes Google Map
Recommendations for browser add-on tools to help with development
Hyperlinks displaced on IE7
Building Standalone Applications in JavaScript
HTML differences between browsers
Browser Sync accross many machines
Getting selected text in a browser, cross-platform.
How to get PNG transparency working in browsers that don't natively support it?
Best WYSIWYG CSS editor?
Javascript events
Preferred way to use favicons?
IE6: To support or not to support.
Getting the text from a drop-down box
Other browsers
Drag and Drop to a hosted Browser control
How can I tell if a web client is blocking ads?
How can I determine a web user's time zone?