'CookieCsrfTokenRepository allows the client to create its own Csrf Tokens

CookieCsrfTokenRepository sets a cookie and on subsequent requests it just just compares the cookie value from the client with the cookie value from the header.

It does not remember if it is still the value it set on first time. It just compares them.

But the angular docs (https://angular.io/guide/http#security-xsrf-protection) say "The token must be unique for each user and must be verifiable by the server; this prevents the client from making up its own tokens. Set the token to a digest of your site's authentication cookie with a salt for added security."

So is CookieCsrfTokenRepository insecure?

spring-securitycsrf


Solution 1:[1]

The CookieCsrfTokenRepository is similar to the "double-submit cookie" pattern described by the OWASP CSRF Prevention Cheatsheet. While similar, it isn't strictly the double-submit pattern, as the associated CsrfFilter does't require that the token be "double-submitted". The filter will happily accept the CSRF token transimtted via the cookie whtn validating a request, as opposed to requiring that the token be double-submitted as a request parameter and then comparing the parameter to the cookie. As such, I assume the technique relies on the CSRF token cookie setting the SameSite=Strict attribute to prevent CSRF.

To answer your question, the CookieCsrfTokenRepository is vulnerable to "cookie-fixation", if an attacker is able to set the CSRF cookie value. An attacker might achieve this by (ref):

  • Exploiting a sub-domain.
  • Man-in-the-middle attack on the HTTP connection.

The risk/feasibilty of the above depends on your application configuration.

The cookie-based CSRF mitigation approach can be hardened in various ways:

  • HTTP Strict Transport Security (HSTS) - to prevent man-in-the-middle attacks.
  • Cookie Prefixes (“__Host-” is the one you want) - to prevent sub-domains from setting the CSRF token cookie.
  • Sign the token (with a private-key or secret known only to the server)
  • Bind the token to the user or session (e.g. use an HMAC of the current session id).
  • Use a custom HTTP header, if your application makes use of AJAX requests.

The OWASP CSRF Prevention Cheat Sheet (linked above) provides a nice summary of CSRF prevention approaches and tradeoffs.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1

Related Questions

How to return 404 for pages that do not exist when using Grails Spring Security Plugin

spring sas 0.2.0 access_token throw 'Access is denied'

AuthenticationSuccessEvent never fired

Spring Security: How to use a UserDetailsService with JwtAuthenticationProvider?

@EventListener for AuthenticationSuccessEvent or InteractiveAuthenticationSuccessEvent not fired

Authorization Header not getting displayed in CURL springdoc-openapi-ui

Getting 404 error in spring boot even though method is logging statements

Consider defining a bean of type 'org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository' in your configuration

Customizing the TokenEndpoint in spring security OAuth2

Swagger UI being blocked by Spring Security

Spring boot security, always redirects to login page, if navigate through address bar

How does SecurityContextHolder.getContext().getAuthentication() work?

automatically redirect to login page after session timeout - JSP, Spring

Spring security - Disable logout redirect

Authentication Principal is empty while using Spring Session Redis