Wednesday, June 30, 2021

Re: In django you can either obtain a `csrftoken` from a cookie or the form can generate a nonce `csrftoken`. How does django validate both?

What if I can copy that cookie (samesite)  in developer tools from legitimate-site.com and create a new cookie for malicious-site.com using developer tools. After I do that I make a request. Will it be successful?
I think it would probably work. (This is not a security issue, though, since the user agrees. The problem is when malicious-site.com tries to do something to legitimate-site.com using the user's credentials without the user knowing.)

Antonis Christofides  +30-6979924665 (mobile)


On 01/07/2021 01.48, Patrice Chaula wrote:
What if I can copy that cookie (samesite)  in developer tools from legitimate-site.com and create a new cookie for malicious-site.com using developer tools. After I do that I make a request. Will it be successful?

On Wed, Jun 30, 2021, 3:43 PM Antonis Christofides <antonis@antonischristofides.com> wrote:

Django does not store csrftoken on the server.

Django provides the csrftoken in two places: 1) The cookie; 2) A hidden form field.

When the browser makes a POST request, then:

  1. It sends back the cookie anyway (that's what cookies do)
  2. It submits the csrftoken as a form field (or as the X-CSRFToken HTTP header in case of AJAX).

All Django does after that is verify that the token it receives with (2) is the same as the token it receives with (1).

Why this helps? Because the attack it is designed to mitigate is one where you visit malicious-site.com which contains the following:

<form method="post" target="https://legitimate-site.com">
    <input type="hidden" name="somename" value="somevalue">
    <!-- More hidden fields that, if submitted successfully to legitimate-site.com, will cause data loss or other problem -->
    <input type="submit" value="A message that pretends that when you click here something else is going to happen">
</form>

For this attack to succeed, malicious-site.com would need to specify a csrftoken as, say, a hidden form field (which is possible) AND provide the same token through a cookie. This is not possible. malicious-site.com can't set cookies of another site. The post request may indeed send a csrftoken as a cookie to legitimate-site.com, but this will be the csrftoken received the previous time the user visited legitimate-site.com. It will not be the same as the csrftoken sent as a hidden field, because malicious-site.com can't read cookies of another site, so it can't possibly read that cookie and set the hidden field to its value.

Antonis Christofides  +30-6979924665 (mobile)



On 30/06/2021 15.14, Patrice Chaula wrote:
In django you can either obtain a `csrftoken` from a cookie. Or the form can generate a nonce `csrftoken`. How does django validate both and where are they stored on the server. Are they stored as part of the session?
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/83f3da74-ecbc-4197-9627-0c9ab9e8492fn%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/7732c858-fd8c-53de-9a0f-99ae704ae4c6%40antonischristofides.com.
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAE%3DG6DY1gG71vdqEUiax%3DQqfuqukC%3Dyi-qo9zKnwyra4i3ujDw%40mail.gmail.com.

No comments:

Post a Comment