I have a web site which is accessible under two separate domains, say a.x.com and b.x.com, or a.com and a.org (accomplished via a simple ServerAlias in apache).
The CSRF token can only be set to one of the domains (let's say a.x.com), so when accessing b.x.com I always get a 403: CSRF verification failed.
What is the proper way to handle domain aliases in the presence of CSRF tokens?
Have you had a look at setting the CSRF_COOKIE_DOMAIN in the settings.py? Django docs for it are here: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#csrf-cookie-domain
Set it to '.x.com' and CSRF cookies for both subdomains will work on either.
Related
I have rest api which is publicly available with REST API key authentication, but I want to allow private network to access api without authentication. Is it safe to add global CORS
Access-Control-Allow-Origin: *
Note that I am doing authentication in haproxy:
acl private_ip src -m reg -i (^127\\.0\\.0\\.1)|(^10.*)|(^172\\.1[6-9].*)|(^172\\.2[0-9].*)|(^172\\.3[0-1].*)|(^192\\.168.*)|(^::1$)|(^[fF][cCdD])|(0:0:0:0:0:0:0:1)
I read that setting CORS "*" could cause some security issues in case when there is IP authentication, but as I am not sure how "src" IP address in haproxy is obtained I can't be sure if this security risk is present in my case?
It is strongly recommended against to use IP authentication and a permissive CORS policy together.
CORS allows for script on a page served from one host to process a response from a call to a resource on another host when normally a well-behaved browser would stop script on the page from reading the response. For example where a page on webserver.com includes an AJAX call to a resource on api-server.com.
CORS is enforced by the browser, so if your attacker can make a call to your API then they are able to ignore your CORS header, and this is transitive to anything they can get another user to do by serving them a malicious page.
API authentication (whether by token or by IP) is a server-side protection that allows you to filter your response to the request. Consider the case where your attacker has access to your network. They can make a request to your API and your IP authentication lets them get the data. CORS is not the solution to that, but you of course secure your network well and only your users have access to it.
However, if the attacker controls a website (say, compromised.example.com) then they can send a user on your network a link to their page. When your user goes to the page, they are served a script that makes a call to your API. Because you permit the request based on IP, you provide the response.
This is where CORS comes in. If you have a header allowing '*' on your API responses, then the browser on your network will happily provide the requesting page (served from the attacker who is not on your network) with the response.
So the attacker has unauthenticated access to your API if they can get one of your network's users to browse to their malicious page and exfiltrate any responses that a user on your network can get.
I am building an oauth login flow and I am not sure if I have done it wrong because I will need to send the bearer token back via redirect URL, like /oauth2/redirect?token=[TOKEN]. But isn't it not recommended to have token passed along through URL? As it is pointed out in this thread:
Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters).Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken. Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.
I must have missed something in the whole flow and would like to understand more about this matter. Any input is appreciated!
UPDATE
Might not be correct but this is my understanding after some digging. The three means to pass token:
URL (not preferable)
Auth header
Request body
But under the oauth redirect use case, option 2 and 3 not feasible. So option 1 is the only option available. If really needed, token can be encrypted to ensure security.
I think this only means, that you should not use a GET request when the server requires the token, instead you should use POST or whatever is appropriate. In a GET request the parameters are included in the URL and those can end up in logs or other histories, other request types will send the paramters separat from the request URL.
P.S. BTW if you are not implementing the OAuth server yourself, you won't have to send a redirect url containing the token.
The basic auth header which provides a little extra security as it's required to be through TLS:
In the case of a "Basic" authentication like shown in the figure, the exchange must happen over an HTTPS (TLS) connection to be secure.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
Also, the headers aren't logged in easy places like browser history.
From the spec,
it SHOULD NOT be used
unless it is impossible to transport the access token in the
"Authorization" request header field or the HTTP request entity-body.
https://www.rfc-editor.org/rfc/rfc6750#section-2.3
This is not about wildcard domains. It's about the need to add completely different domains to Valid OAuth redirect URIs on Facebook Login.
We have a web app where our clientes can setup their own custom domain (example.com, xyz.net, etc). We don't know what domains will be used.
On Facebook we have a single app that takes care of the Facebook login. It seems that we need to whitelist specifically every domain that uses the FB Login.
Adding the domains manually is not an option. What options do we have?
Thanks.
The simplest solution that I can think of is to use an intermediate identity service with a very lax redirect uri validation. There is a good discussion of this approach and some of the security concerns with it in relation to IdentityServer4.
I have used custom redirect uri validation for an identity service before but only for very restrictive cases as this is one of most exploited vulnerabilities in an OAuth flow. The flexibility that you would need would weaken security considerably.
To implement it in IdentityServer4 you would set up Facebook authentication on the identity server and register the identity server's address with Facebook. You would then create clients to represent your new domains. This could be a single client for everything (making things more insecure still) or you could add a way for your clients to register themselves with the identity server (for instance dynamic client registration).
When a client wants to connect to Facebook they will use Open Id Connect to connect to the identity server which will then communicate with Facebook. In IdentityServer4 the client would add middleware for this with UseOpenIdConnectAuthentication (see here for an example).
Long story should you can resolve your issue by using an intermediate identity service. The identity service will be the only url that needs to be registered to Facebook and your clients will register with your identity service which you will have control over.
With great power comes great responsibility though. Taking the path of least effort will lead to a solution that lowers security considerably. Enforcing a secure dynamic registration with the identity service such as dynamic client registration protocol will allow you to use a single strict redirect uri per client and make your system about as secure as you can reasonably get it.
I'm struggling with setting up reliable and performant solution to communicate frontend with different microservices. I do not really now how to maintain (maybe not need) CSRF between my frontend and end services
Solutions stack: PHP, Laravel Passport, JWT, oAuth 2.0, Axios
Current approach:
Actually I've started up with approach from Laravel's passport
https://laravel.com/docs/5.4/passport#consuming-your-api-with-javascript
Using oAuth 2.0 to authorize user from website A to service B.
JWT token is returned for further communication.
Token is saved in cookie within website A
Once user is authorized website A uses JWT token to manage requests without additional to oAuth server, by sending JWT token as cookie using HTTP headers (withCredentials) to authorize user.
For each website A's request there was CSRF token created from service B since user is authorized and cookie could be applied by another unauthorized website to access service B. That was killing my performance since it has to retrieve CSRF for each request made. (that what I actually assume from laravel passport approach and need to create CSRF with JWT token - maybe that was mistake)
My concerns:
Regarding to of James Ward post:
http://www.jamesward.com/2013/05/13/securing-single-page-apps-and-rest-services
The easiest way to do authentication without risking CSRF
vulnerabilities is to simply avoid using cookies to identify the user.
Cookies themselves are not the cause of CSRF vulnerabilities. It’s
using the cookies on the server to validate a user that is the cause
of CSRF. Just putting an authentication token into a cookie doesn’t
mean it must be used as the mechanism to identify the user.
From my understanding setting JWT with website A's cookie with its domain set could not be accessed via any other site from outside. Since that there is no possible way to make request to service B without accessing JWT.
So do we really need CSRF then to secure potential attack to service B while using JWT?
If so, how could I achieve the best (in term of performant) way to generate CSRF through different services to be sure that communication would not be vulnerable for attack from different sites?
Any advice will be appreciated!
As a more broad question I would like to ask what is the current best strategy for securing a website login. I know all of the basics, like salting a password, hashing the password, and using SSL to encrypt the transmission, but I feel that may not always be enough. What are the best, "hack-proof" methods out there?
Your points are already the most important ones, additionally you can do this:
Use a slow key derivation function like BCrypt to hash the password.
Add the X-Frame-Options to the HTTP header of your login page, so that the page cannot be shown inside an iframe. This can help against clickjacking. In PHP this would look like that: header('X-Frame-Options: DENY');.
Add the Content-Security-Policy to the HTTP header of your login page. If a browser supports CSP, this can be an effective protection against Cross-Site-Scripting. In PHP it would look like this: header("X-Content-Security-Policy: allow 'self'");.
Regenerate the session id on the login page, to make session fixation more difficult.
Use HTTPS for the whole site, this avoids lots of problems. If you need to switch between HTTPS and HTTP, then use a separate cookie for authentication, have a look at this example.
Should your site be HTTPS only, then you can add the HTTP Strict Transport Security header. The HSTS can prevent users (that already visited your site once), from calling unsecure HTTP pages. This can help against SSL-strip.
Don't store password at all, but use SRP
http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol