Skip to content

BREACH attack protection for CSRF tokens #10778

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

BREACH attack protection for CSRF tokens #10778

wants to merge 2 commits into from

Conversation

sjohnr
Copy link
Member

@sjohnr sjohnr commented Jan 25, 2022

No description provided.

@sjohnr sjohnr added status: duplicate A duplicate of another issue type: enhancement A general enhancement labels Jan 25, 2022
@sjohnr sjohnr requested a review from rwinch January 25, 2022 18:53
@sjohnr sjohnr self-assigned this Jan 25, 2022
@sjohnr sjohnr mentioned this pull request Jan 25, 2022
Closed
rwinch
rwinch requested changes Jan 27, 2022
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've reviewed this inline.

@sjohnr sjohnr linked an issue Jan 31, 2022 that may be closed by this pull request
CSRF tokens are vulnerable to a BREACH attack #4001
Closed
@sjohnr sjohnr marked this pull request as draft January 31, 2022 17:57
@sjohnr sjohnr added the in: web An issue in web modules (web, webmvc) label Feb 2, 2022
@sjohnr sjohnr force-pushed the gh-4001 branch 2 times, most recently from 67179e2 to f32661c Compare February 7, 2022 20:20
@rh-id @rwinch
Implement new XorCsrfToken for BREACH attack protection
e239b03 
1. added new XorCsrfToken class
2. introduce new method setGenerateToken for CookieCsrfTokenRepository
and HttpSessionCsrfTokenRepository to customize CsrfToken implementation
3. deprecate `setHeaderName` and `setParameterName`

Closes spring-projectsgh-4001

Co-Authored-By: Rob Winch <[email protected]>
@sjohnr sjohnr marked this pull request as ready for review February 15, 2022 23:10
@sjohnr sjohnr requested a review from rwinch February 16, 2022 17:20
rwinch
rwinch requested changes Feb 24, 2022
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have spoken offline and are going to explore some alternatives.

Now that it is implemented, something that doesn't sit well is the fact that the repository is performing logic other than persistence. I'm wondering if we need to put the logic of reading the request and writing the request attributes into another API that can do the secure random. This also has the advantage of not impacting persistence and only changing the token a single time per request.

We will explore if https://github.com/spring-projects/spring-security/blob/6dbd88a5a4857c279aed681529[…]main/java/org/springframework/security/web/csrf/CsrfFilter.java
and
https://github.com/spring-projects/spring-security/blob/6dbd88a5a4857c279aed681529[…]main/java/org/springframework/security/web/csrf/CsrfFilter.java
were placed into a new API.

@sjohnr has agreed to a branches that demonstrate the ideas.

@sjohnr sjohnr added this to the 5.8.x milestone Jun 10, 2022
@sjohnr
Copy link
Member Author

sjohnr commented Aug 11, 2022

@rwinch I have pushed a branch (draft 1) based on our discussion, and looking for general feedback on the approach. This draft uses functional hooks.

The next approach we could try would be to introduce a new interface. I don't have a good idea for what it would be called but let me know if you would like to see that approach next, or if you have another idea for the next branch.

@rwinch rwinch self-assigned this Aug 19, 2022
@rwinch
Copy link
Member

rwinch commented Aug 19, 2022

I think this is a good start. I agree with you that we should create specific interfaces. An interesting observation is that CsrfAuthenticationStrategy can reuse the logic for setting the CSRF on an attribute.

I think that the names you have used could be used as a valid interface names. RequestAttributeHandler and CsrfTokenRequestResolver (we might need to play with this a bit). We should have a single class implement both APIs since they are distinct jobs, but need to be coordinated.

@rwinch rwinch removed their assignment Aug 19, 2022
@sjohnr sjohnr closed this Aug 19, 2022
@sjohnr sjohnr removed this from the 5.8.x milestone Aug 19, 2022
@sjohnr sjohnr deleted the gh-4001 branch August 19, 2022 19:19
@sjohnr
Copy link
Member Author

sjohnr commented Aug 23, 2022

Replaced by gh-11731

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rwinch rwinch rwinch requested changes

Assignees

@sjohnr sjohnr

Labels
in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
Spring Security Team
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CSRF tokens are vulnerable to a BREACH attack
3 participants
@sjohnr @rwinch @rh-id