Cookie security

r00t

Hello guys,

I just installed flarum on a dev server and noticed that the CSRF token used in the PATCH requests to the API is the value of the cookie 'flarum_remember'.

From a security perspective, I think we should use a different random value. This will allow us to set the http_only flag on the cookie. With that, even if a XSS is found, an attacker will not be able to impersonate a user account directly.

Toby

Actually, we don't use any cookies for CSRF protection on API requests – just the Authorization header. Check out api.php to see the middleware that requests are run through, LoginWithHeader being the relevant one.

Correct me if I'm wrong, but I believe the requirement of the Authorization header is sufficient to protect against XSS? Proper REST APIs are stateless and shouldn't involve cookies anyway.

r00t

Ok. I saw the authorization header had the same value as the cookie.

Security good practices says your session cookie should be http_only and https_only if possible. (this is to avoid account tampering if xss or mitm is exploited).

I think we should set the cookie at least http_only and have a different value for the authorization header as this value will be accessible from js.

Toby

OK, good idea. What about setting the cookie to the authorization token encrypted using a unique server-side key?

r00t

I think we could hash the cookie value to obtain the authorization header.

Why ?
Because the cookie will be http_only so the value will be difficult to obtain for the attacker. If an xss vuln is found, the attacker will get the authorization header value and will not be able to obtain the cookie value.

The derivation should be done fom the "un-obtainable" value (the cookie) and be used for the authorization header.). What do you think about this approach ?

Toby

The thing is, we need to approach this from an API-first perspective. If you look at the API docs, you can generate a token and then send it in the Authorization header to authorize API requests. We can't change or involve cookies in that process.

The cookie is another layer on top of that which simply authenticates the user when they visit the forum, so that the JavaScript client has a copy of the token to use when making API requests.

I'm wondering how one would retrieve the value of the Authorization header via XSS anyway?

Sorry if I'm misunderstanding anything – my knowledge of this stuff isn't the clearest.

r00t

Sorry, i think my first post was not clear enough.

The api is relying on the authorization header and the website on the cookie, i got the point.

What I wanted to say is that the cookie should be http_only and, because the authorization header is accessible from js, the value should be different as this value allow an attacker to impersonate a user.(by spoofing the cookie)

An attacker could send to a command and control server the value of "document.cookie" if an xss is found. He/she will be able to impersonate a user.

If the cookie is http_only, the value of "document.cookie" will not contain the session cookie value.

Because the authorization cookie must be available from js to query the api, the value should be different to avoid the attacker from retrieving the value and faking the session cookie.

Do you get the point ? Sorry if it's not clear enough. Im not english native.

Toby

It's OK, I really appreciate your help!

I understand that the cookie should be http_only – that's smart.

The thing I don't understand is: If an attacker retrieves the token (value of the authorization header) via XSS, aren't all bets off anyway? The attacker can use that token to perform any action on the API as that user. After that, they don't really have anything to gain by faking the session cookie.

r00t

In the actual state your are totally right.

We should check the cookie value when the login happened via the website and rely on it even for calls to the api.

I say this because the attack vector is client based, no "sensible" information should be leaked to js.

Maybe a solution could be to rely on cookie value when a browser user agent is present at login. Like this if a user login from the website, cookie value will be used (and protected from xss with httponly) on api requests.

When someone uqes exclusively the api and is not exposed to xss, authorization header is used.

Is that a good solution from your point of view ?

Toby

Yeah I suppose that makes sense. We could just check for the presence of either a cookie or an Authorization header for API requests and use whatever is provided. Any thoughts @Franz?

Relevant issue: #250

Franz

Toby Yeah I suppose that makes sense. We could just check for the presence of either a cookie or an Authorization header for API requests and use whatever is provided.

Yep. I've recently done the same thing in an Ember app; there's just no need for the additional complexity in this case.

Actually, hold on; didn't you plan to make it possible to host the API on a different server (thus, domain)? In that case, we won't have the cookies being sent with API requests...

r00t

Toby : We should not rely only on cookies but check the two values if login happens on the website. This is to prevent csrf as the client browser will attach the cookie automatically even if the request is issued from another webpage (attacker controlled).

Toby

r00t Ah yes, of course. That was the benefit of the Authorization header – no CSRF token was required. But yeah, we'll have to make the check for a cookie + CSRF token, OR an Authorization header.