Rohit Kumar (@rohitcoder)Follow Maintainer of Code Arsenal Community, Product Security Engineer @ Groww. Bug Bounty Hunter & Programmer.

CSRF Prevention: Techniques and Case Studies in Java and Python

Introduction

Cross-Site Request Forgery (CSRF) poses a significant threat to web applications by allowing attackers to trick users into unknowingly executing malicious actions. In this detailed blog post, we will explore various techniques to prevent CSRF attacks in both Java and Python applications. We will provide multiple examples, including scenarios where CSRF protection is implemented correctly and bypassed, followed by the actual fix to ensure robust CSRF prevention.

1. Understanding CSRF and its Impact

Description: CSRF occurs when an attacker tricks a user’s browser into performing an unauthorized action on a trusted web application, using the user’s established session credentials.

Impact: CSRF attacks can lead to serious consequences, such as unauthorized transactions, profile modifications, or data deletion, all of which happen without the user’s knowledge or consent.

2. CSRF Prevention Techniques

There are several effective techniques to prevent CSRF attacks, such as:

a) Synchronizer Token Pattern (Double Submit Cookies) The Synchronizer Token Pattern involves embedding a unique CSRF token within each user session and validating it with each request.

b) SameSite Attribute in Cookies The SameSite attribute restricts cookies to same-site requests only, preventing them from being sent along with cross-site requests.

c) CSRF Tokens in Headers Include CSRF tokens in custom headers, such as X-CSRF-Token, and validate them on the server side.

d) Custom Request Headers Create custom request headers that are required for sensitive operations, and validate them before processing requests.

e) Anti-CSRF Tokens in URLs Include anti-CSRF tokens in URLs for sensitive operations, and validate them before processing the request.

2. Case Studies

Scenario 1: Synchronizer Token Pattern (Java)

Vulnerable Code (Java): Consider the following vulnerable Java code that lacks CSRF protection:

    @Controller
    public class TransferController {

        @PostMapping("/transfer")
        public String transferFunds(@RequestParam("amount") double amount, Principal principal) {
            // Transfer funds logic here
            return "redirect:/dashboard";
        }
    }

In this code, the transferFunds endpoint lacks CSRF protection, allowing attackers to perform unauthorized transfers.

Fix and Mitigation (Java): Implement the Synchronizer Token Pattern by adding a CSRF token to the user’s session and validating it on each request.

    @Controller
    public class TransferController {

        @PostMapping("/transfer")
        public String transferFunds(@RequestParam("amount") double amount, Principal principal, HttpServletRequest request) {
            String csrfToken = request.getSession().getAttribute("csrfToken").toString();
            String requestCsrfToken = request.getHeader("X-CSRF-Token");
            
            if (csrfToken.equals(requestCsrfToken)) {
                // Transfer funds logic here
                return "redirect:/dashboard";
            } else {
                throw new UnauthorizedAccessException();
            }
        }
    }

In the fixed code, we extract the CSRF token from the user’s session and validate it against the token sent in the request header (X-CSRF-Token).

Scenario 2: SameSite Attribute in Cookies (Python)

Vulnerable Code (Python): Consider the following vulnerable Python code that does not set the SameSite attribute for cookies:

    @app.route("/update_profile", methods=["POST"])
    def update_profile():
        user_id = request.form["user_id"]
        # Update user profile logic here
        return redirect("/dashboard")

In this code, the update_profile endpoint does not set the SameSite attribute for cookies, making it susceptible to CSRF attacks.

Fix and Mitigation (Python): Set the SameSite attribute for cookies to “strict” or “lax” to restrict them to same-site requests only.

    @app.route("/update_profile", methods=["POST"])
    def update_profile():
        user_id = request.form["user_id"]
        # Update user profile logic here
        response = redirect("/dashboard")
        response.set_cookie("session_id", value="...", samesite="strict")
        return response

In the fixed code, we set the SameSite attribute for the session cookie to “strict,” ensuring that it is only sent along with same-site requests.

4. Bypassing CSRF Protection

Scenario: CSRF Token Leak

Vulnerable Code (Java): Consider the following vulnerable Java code that inadvertently leaks the CSRF token to an attacker:

    @Controller
    public class AccountController {

        @GetMapping("/get_csrf_token")
        @ResponseBody
        public String getCSRFToken(HttpServletRequest request) {
            return request.getSession().getAttribute("csrfToken").toString();
        }
    }

In this code, the getCSRFToken endpoint returns the CSRF token, making it easily accessible to attackers.

Bypass (Java): An attacker can use a simple script to retrieve the CSRF token from the leaked endpoint and include it in their CSRF attack.

Actual Fix (Java): To prevent token leakage, ensure that the getCSRFToken endpoint is protected and only accessible to authenticated users with specific roles.

5. SSDLC Approaches for CSRF Prevention

a) Early Threat Modeling: Conduct early threat modeling sessions to identify CSRF risks in the application’s design phase and implement relevant CSRF prevention techniques.

b) Security Code Reviews: Regularly review code to identify and address any potential CSRF vulnerabilities and ensure the proper implementation of CSRF protection techniques.

c) Penetration Testing: Perform thorough penetration testing to validate the effectiveness of implemented CSRF protection mechanisms and identify any bypasses.

d) Security Headers: Set appropriate security headers, such as the Strict-Transport-Security and Content-Security-Policy, to bolster overall application security.

Conclusion

In this comprehensive blog post, we explored various CSRF prevention techniques and case studies in Java and Python applications. We saw how to implement CSRF protection correctly and identified potential bypass scenarios. By prioritizing secure coding practices and leveraging appropriate CSRF prevention techniques, we can safeguard our web applications from CSRF attacks, ensuring a robust and secure user experience.

Remember, proactive measures like early threat modeling, security code reviews, and regular penetration testing play a pivotal role in building applications that stand resilient against CSRF threats. Stay vigilant and keep your web applications safe from CSRF vulnerabilities!

30 Jul 2023

CSRF

« Detecting & Fixing Insecure Direct Object References (IDOR) in Java Applications Exploring Vulnerability Classes in Single Sign-On (SSO) Implementation »