[Openid-specs-ab] Issue #1752: Core - 15.5.3 CSRF Attack on Fragment Response Example (openid/connect)
adam strickland
issues-reply at bitbucket.org
Sun Dec 11 16:44:36 UTC 2022
New issue 1752: Core - 15.5.3 CSRF Attack on Fragment Response Example
https://bitbucket.org/openid/connect/issues/1752/core-1553-csrf-attack-on-fragment-response
adam strickland:
This section outlines how a JavaScript Client could proxy the authorization response down to a Web Server Client for validation, but the example `/catch_response` endpoint it shows is vulnerable to a CSRF attack.
The format of the request sent to this endpoint is a [simple request](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), and will not trigger a CORS preflight. Any malicious website could POST to it in a CSRF attack (barring other validation done on the server).
Given that the `state` parameter is used for CSRF protection, we should edit the example to be in a format that would be CSRF protected by default. Specifically, the state parameter should be moved to a custom request header, like in this [example](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#xmlhttprequest-native-javascript).
It would be best to add guidance on the following 2 points as well:
1. The client should establish a session before sending the authorization request (maybe a `/start_login` endpoint) and validate that session at the `catch_response` endpoint
2. Both endpoints should be CORS protected, so that malicious sites cannot establish sessions or read their responses