CSRF is dead - stephenreescarter.net
CSRF is dead (Or is it?)
Stephen Rees-Carter, twitter.com/valorin, Senior Developer at Defiant / Wordfence
Laracon EU 2020
CSRF: Cross Site Request Forgery
User updates their own password:
Step #1: POST https://mysite.com/account
password=correct+horse+battery+staple
(Browser -> mysite.com)
CSRF: Cross Site Request Forgery
Evil Hacker updates user’s password:
Step #1 (Trick the user into visiting): https://anothersite.com
Step #2: GET https://anothersite.com
Step #3 (via Javascript sent to the user’s browser): POST https://mysite.com/account
password=evil+hacker+passwd
(Browser -> mysite.com)
CSRF: Defending Against Attack
1. CSRF tokens or Nonces
   a. Required in all requests
   b. Known-secret based protection
2. Verify Origin or Referer header
   a. Cannot be modified by client
3. Client-side cryptographic magic
   a. Some apps work in specific ways
+ SameSite Cookies!
SameSite cookie attribute
Set-Cookie: app_session=eyJpdiI6ImNQWTBCU3VERW...;
Set-Cookie: app_session=eyJpdiI6ImNQWTBCU3VERW...; SameSite=Strict
Set-Cookie: app_session=eyJpdiI6ImNQWTBCU3VERW...; SameSite=None; Secure
Set-Cookie: app_session=eyJpdiI6ImNQWTBCU3VERW...; SameSite=Lax
SameSite=Strict: Cross-Site/Third-Party Requests
Embedded Content (<iframe>, <img>): ❌
Unsafe Requests (POST/PUT/DELETE/…): ❌
Safe Requests (GET/HEAD): ❌
Blocks all CSRF attacks (when cookies are required)
SameSite=None; Secure: Cross-Site/Third-Party Requests (HTTPS only)
Embedded Content (<iframe>, <img>): ✔
Unsafe Requests (POST/PUT/DELETE/…): ✔
Safe Requests (GET/HEAD): ✔
Blocks no CSRF attacks
SameSite=None (without “Secure”): ❌
Will not be sent on any request, HTTPS or HTTP.
SameSite=Lax: Cross-Site/Third-Party Requests
Embedded Content (<iframe>, <img>): ❌
Unsafe Requests (POST/PUT/DELETE/…): ❌
Safe Requests (GET/HEAD): ✔
Blocks CSRF attacks on “unsafe” requests.
Story Time...
https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html
https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html
Wait a sec… this will break my Auth flow! 😡
Participants: Browser, mysite.com, auth.com
1. User clicks “login” on mysite.com
2. Set CSRF Token and redirect User to auth.com
3. User authenticates at auth.com using single-sign-on
4. Authenticated User redirected via POST to mysite.com with completed authentication tokens
5. Browser rejects CSRF cookie when visiting mysite.com: the CSRF Cookie defaults to SameSite=Lax and is rejected by the browser due to the cross-site POST request from auth.com.
Note, the SameSite attribute is not set on the CSRF token cookie.
(Example based on the widely used OpenID Connect authentication flow used by Azure Active Directory and Microsoft Account authentication.)
This should take less than 2 minutes.
Let’s default to SameSite=Lax+POST and allow it (temporarily).
“Same-Site” domains: mysite.com, static.mysite.com, account.mysite.com
“Cross-Site” domains: github.io, valorin.github.io, laravel.github.io
Subdomains of domains on the Public Suffix List (https://publicsuffix.org/) are considered “cross-site”.
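The same-site/cross-site split above is decided by the registrable domain (the public suffix plus one label), which is why sibling subdomains of mysite.com are same-site while sibling subdomains of github.io are not. The following JavaScript is an added example, not code from the talk: it computes the "site" of a hostname against a small, constructed subset of the Public Suffix List (a real browser consults the full list at https://publicsuffix.org/) and compares two URLs. The function names `publicSuffix`, `site`, `isSameSite` and `classify` are assumptions for this illustration; scheme is ignored here, although modern browsers also treat http:// and https:// origins of the same host as different sites.

```javascript
// Added example (not from the talk): same-site vs cross-site by registrable domain.
// PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List, enough for the
// hostnames used in the slides. A browser uses the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "io", "co.uk", "github.io"]);

// Longest public suffix matching the hostname (e.g. "github.io" for valorin.github.io),
// or null when no suffix in the list matches.
function publicSuffix(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return null;
}

// The "site" of a hostname: the public suffix plus the label directly left of it.
// A host that is itself a public suffix (github.io) is its own site, so it is
// cross-site with every one of its subdomains.
function site(hostname) {
  const host = hostname.toLowerCase();
  const suffix = publicSuffix(host);
  if (suffix === null || suffix === host) return host;
  const rest = host.slice(0, host.length - suffix.length - 1); // strip ".<suffix>"
  const label = rest.split(".").pop();
  return `${label}.${suffix}`;
}

// True when both URLs belong to the same site, i.e. SameSite restrictions do not apply
// to requests between them.
function isSameSite(urlA, urlB) {
  return site(new URL(urlA).hostname) === site(new URL(urlB).hostname);
}

function classify(urlA, urlB) {
  return isSameSite(urlA, urlB) ? "same-site" : "cross-site";
}

// Stand-alone run: reproduce the two slides' groupings.
console.log(classify("https://mysite.com/", "https://static.mysite.com/"));      // same-site
console.log(classify("https://mysite.com/", "https://account.mysite.com/"));     // same-site
console.log(classify("https://valorin.github.io/", "https://laravel.github.io/")); // cross-site
console.log(classify("https://github.io/", "https://valorin.github.io/"));        // cross-site
```

Run it with node; the four printed lines match the groupings on the two slides above. Deciding same-site by string-prefix or by "shares the last two labels" gets the github.io and co.uk cases wrong, which is exactly the mistake the Public Suffix List exists to prevent.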
Demo time...
Same-Site Requests vs Cross-Site Requests
SameSite=Lax+POST (Allowed <2 mins)
SameSite=Lax+POST (Blocked >2 mins)
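The three SameSite tables, the broken SSO flow and the Lax+POST demo are all one decision: given a cookie's attributes and the kind of request, does the browser attach the cookie? The JavaScript below is an added model of that decision, not code from the talk or from any browser; `shouldAttachCookie`, `crossSiteMatrix` and `ssoReturnAccepted` and their argument shapes are assumptions for this illustration. It encodes the slides' rules (None without Secure is rejected outright, None; Secure is sent only over HTTPS, Strict blocks every cross-site request, Lax allows cross-site GET/HEAD) plus Chrome's Lax+POST allowance for cookies with no SameSite attribute: a top-level cross-site POST still carries the cookie if it was set less than two minutes ago. One caveat the tables do not spell out: the GET allowed by Lax is a top-level navigation (the user ends up on the site); a GET issued by an embedded <img> or <iframe> is blocked, which is what the "Embedded Content" row records.

```javascript
// Added example (not from the talk): model of the browser's "attach this cookie?" decision
// for the SameSite values in the slides plus Chrome's temporary Lax+POST rule.
// The two-minute window is Chrome's implementation detail, not a specification value.
const LAX_POST_WINDOW_SECONDS = 120;
const SAFE_METHODS = new Set(["GET", "HEAD"]);

// cookie:  { sameSite: "Strict" | "Lax" | "None" | null, secure: boolean, setAt: seconds }
// request: { crossSite: boolean, method: string, topLevel: boolean, https: boolean, now: seconds }
// Returns { sent: boolean, reason: string }.
function shouldAttachCookie(cookie, request) {
  // SameSite=None without Secure: the browser rejects the cookie, so it is never sent.
  if (cookie.sameSite === "None" && !cookie.secure) {
    return { sent: false, reason: "SameSite=None requires Secure; cookie rejected" };
  }
  // A Secure cookie only travels over HTTPS, whatever its SameSite value.
  if (cookie.secure && !request.https) {
    return { sent: false, reason: "Secure cookie not sent over plain HTTP" };
  }
  // SameSite only restricts cross-site requests.
  if (!request.crossSite) {
    return { sent: true, reason: "same-site request" };
  }
  const method = request.method.toUpperCase();
  const safeNavigation = request.topLevel && SAFE_METHODS.has(method);
  switch (cookie.sameSite) {
    case "None":
      return { sent: true, reason: "SameSite=None; Secure allows all cross-site requests" };
    case "Strict":
      return { sent: false, reason: "SameSite=Strict blocks all cross-site requests" };
    case "Lax":
      return safeNavigation
        ? { sent: true, reason: "SameSite=Lax allows top-level GET/HEAD navigations" }
        : { sent: false, reason: "SameSite=Lax blocks embedded content and unsafe methods" };
    default: {
      // No attribute: treated as Lax, plus the Lax+POST allowance for a fresh cookie
      // on a top-level cross-site POST (the SSO return leg in the talk's auth flow).
      if (safeNavigation) {
        return { sent: true, reason: "Lax-by-default allows top-level GET/HEAD navigations" };
      }
      const age = request.now - cookie.setAt;
      if (request.topLevel && method === "POST" && age < LAX_POST_WINDOW_SECONDS) {
        return { sent: true, reason: `Lax+POST: cookie is ${age}s old (< ${LAX_POST_WINDOW_SECONDS}s)` };
      }
      return { sent: false, reason: "Lax-by-default blocks this cross-site request" };
    }
  }
}

// Reproduce one slide table: the three cross-site request kinds for one attribute value.
// ageSeconds is how old the cookie is when the request happens (matters only for null).
function crossSiteMatrix(sameSite, secure = true, ageSeconds = 0) {
  const cookie = { sameSite, secure, setAt: 0 };
  const base = { crossSite: true, https: true, now: ageSeconds };
  return {
    embedded: shouldAttachCookie(cookie, { ...base, method: "GET", topLevel: false }).sent,
    unsafe: shouldAttachCookie(cookie, { ...base, method: "POST", topLevel: true }).sent,
    safe: shouldAttachCookie(cookie, { ...base, method: "GET", topLevel: true }).sent,
  };
}

// The talk's SSO flow: mysite.com sets its CSRF cookie (no SameSite attribute) at
// cookieSetAt, and auth.com POSTs the user back to mysite.com at returnedAt.
function ssoReturnAccepted(cookieSetAt, returnedAt) {
  const csrfCookie = { sameSite: null, secure: true, setAt: cookieSetAt };
  const returnPost = { crossSite: true, method: "POST", topLevel: true, https: true, now: returnedAt };
  return shouldAttachCookie(csrfCookie, returnPost).sent;
}

// Stand-alone run: the four tables, then the demo's two timings.
for (const value of ["Strict", "None", "Lax", null]) {
  console.log(value ?? "(no attribute)", crossSiteMatrix(value));
}
console.log("SSO return after 60s:", ssoReturnAccepted(1000, 1060));  // Lax+POST allows it
console.log("SSO return after 300s:", ssoReturnAccepted(1000, 1300)); // blocked, flow breaks
```

The last two lines are the demo's "Allowed <2 mins" and "Blocked >2 mins" cases. The defensive reading is the same as the slides': the allowance exists only for cookies with no SameSite attribute and only for a short window, so an application that relies on it (or on the attribute being absent) has undefined behaviour across browsers, and an explicit SameSite value, backed by CSRF tokens for the cross-site POST legs that genuinely need cookies, is the only stable configuration.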
Laravel & SameSite: What you need to know.
Laravel defaulted to SameSite=Lax in 7.0.0. Older versions specified null (not set).
config/session.php
use Illuminate\Support\Facades\Cookie;

Cookie::queue(
    $name,
    $value,
    $minutes = 0,
    $path = null,
    $domain = null,
    $secure = null,
    $httpOnly = true,
    $raw = false,
    $sameSite = null
);
What Option Do I Use?
● Use SameSite=Strict if…
  ○ User shouldn’t be automatically logged in
  ○ Actions must be performed over GET requests
● Use SameSite=None if…
  ○ POST requests or embedded content (<iframe>/<img>) needed between third-party domains
● Use <nothing> if…
  ○ You like unexpected behaviour to confuse your users
● Otherwise, just use SameSite=Lax.
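Whichever option is chosen, the cheap check is to look at what the application actually emits: a Set-Cookie header with no SameSite attribute gets whatever default the browser applies, and SameSite=None without Secure is dropped entirely. The JavaScript below is an added example, not code from the talk or from Laravel: it parses Set-Cookie headers and reports the problems the slides describe, run here over the four headers from the SameSite slide plus two constructed variants. `parseSetCookie`, `auditCookie`, `auditHeaders` and `SAMPLE_HEADERS` are names assumed for this illustration; the HttpOnly check is included because the Laravel `Cookie::queue` signature above defaults it on.

```javascript
// Added example (not from the talk): audit Set-Cookie headers for the SameSite
// problems the slides describe. Headers 1-4 are the ones shown on the SameSite slide;
// headers 5 and 6 are constructed (the slide-9 mistake, and a hardened cookie).
const SAMPLE_HEADERS = [
  "app_session=eyJpdiI6ImNQWTBCU3VERW...;",
  "app_session=eyJpdiI6ImNQWTBCU3VERW...; SameSite=Strict",
  "app_session=eyJpdiI6ImNQWTBCU3VERW...; SameSite=None; Secure",
  "app_session=eyJpdiI6ImNQWTBCU3VERW...; SameSite=Lax",
  "app_session=eyJpdiI6ImNQWTBCU3VERW...; SameSite=None",
  "app_session=eyJpdiI6ImNQWTBCU3VERW...; SameSite=Lax; Secure; HttpOnly",
];

// Split "name=value; Attr; Attr=val" into { name, value, attributes }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue; // tolerate a trailing ";"
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Findings for one header; an empty list means the cookie follows the talk's advice.
function auditCookie(header) {
  const cookie = parseSetCookie(header);
  const raw = cookie.attributes.samesite;
  const sameSite = typeof raw === "string" ? raw.toLowerCase() : null;
  const secure = cookie.attributes.secure === true;
  const findings = [];
  if (sameSite === null) {
    findings.push("no SameSite attribute: behaviour depends on the browser default (Lax or Lax+POST)");
  } else if (!["strict", "lax", "none"].includes(sameSite)) {
    findings.push(`unknown SameSite value "${raw}"`);
  } else if (sameSite === "none" && !secure) {
    findings.push("SameSite=None without Secure: the browser rejects the cookie");
  }
  if (cookie.attributes.httponly !== true) {
    findings.push("no HttpOnly: page scripts can read the cookie");
  }
  return { name: cookie.name, sameSite, secure, findings };
}

function auditHeaders(headers) {
  return headers.map(auditCookie);
}

// Stand-alone run: one line per header.
for (const result of auditHeaders(SAMPLE_HEADERS)) {
  console.log(result.name, result.sameSite ?? "(unset)", result.findings.length ? result.findings : "ok");
}
```

Only the last, constructed header passes cleanly. Pointing this at a captured response (for instance the headers returned by a Laravel app after `config/session.php` is changed) turns the "what option do I use" list into something a deploy pipeline can check.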
Is CSRF dead?
No :-(