CSRF attacks involve leveraging user’s authenticated state in order to invoke malicious attacks, with the general purpose of manipulating data. There are two established approaches designed to prevent such attacks:
- Synchronizer Token Pattern
- Double-Submit Cookie Pattern
For more information on these, please visit the following resource:
Both approaches succeed in preventing CSRF attacks, while introducing architectural and security consequences. Below is a brief synopsis.
Synchronizer Token Pattern
This pattern is recommended by owasp.org as the method of choice in preventing CSRF attacks, and is leveraged by CSRFGuard. While successfully preventing CSRF attacks, it introduces an architectural concern, in that the framework requires session state on web servers. This incurs two issues:
- Session-state costs memory
- Sessions result in an imbalance in terms of load distribution across web servers
While sessions generally cost a nominal amount of memory, significant user-load can exponentially increase that memory footprint. In general, it is best-practice to avoid sessions. More importantly, if a user has an active session on a specific web server, load-balancers will generally route that user’s subsequent requests to that specific server instead of distributing requests evenly. This results in over-utilization of that server and potential underutilization of adjacent servers. This feature can be disabled on load-balancers (generally), however doing so will result in associated sessions created on more than one web server for a specific user. This will cause synchronization issues, and require implementation of a session management tool to avoid loss of cached data across web servers.
Double-Submit Cookie Pattern
This pattern is a more lightweight implementation of CSRF-protection. While relatively new and generally considered somewhat untested (it’s just as effective as the Synchronizer Token Pattern in my opinion; the arguments against it are weak at best), it achieves protection while avoiding the use of state. The implementation of this pattern, like the Synchronizer Token Pattern, produces design and security consequences:
- Cookies cannot be tagged as HTTPONLY
- Potential XXS vulnerabilities in subdomains can introduce poisoned cookies in upper domains
Cookies that contain sensitive server metadata, such as session cookies, should be tagged as HTTPONLY. This prevents client-side scripts from reading values from the cookie, adding a layer of protection. Given that this pattern requires client-side scripts to read the token from the cookie and apply it to the HTTP header, we cannot tag the cookie as HTTPONLY, introducing a potential security concern.
Leveraging this pattern requires that all software in our suite of applications are fully XXS-resistant. If an application in a subdomain, below our application domain, is compromised within the context of an XXS attack, an attacker could potentially introduce a poisoned cookie to that site, which would be valid in our upper domain, and allow an attacker to circumnavigate our CSRF protection framework.
Both methods of protection introduce design and potential security consequences. As a result, I’ve created a new pattern, the Encrypted Token Pattern, to address these concerns.
Encrypted Token Pattern
This pattern addresses the shortfalls of both the Synchronizer Token Pattern and the Double-Submit Cookie Pattern as follows:
- It does not require server-state
- It does not require cookies
- It does not require two tokens
- It does not require any effort on the client-side other than including the token in HTTP requests
- It does not require any other application in a subdomain to be XXS-proof
The Encrypted Token Pattern is described here.
The Encrypted Token Pattern solves the shortfalls of other CSRF protection patterns and allows us greater control over CSRF-defense, without introducing new security concerns or architectural problems.Follow @daishisystems