Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

defaultCsrfMiddleware not working with Yesod.Auth.Hardcoded #1159

Closed
CarstenKoenig opened this issue Feb 11, 2016 · 0 comments
Closed

defaultCsrfMiddleware not working with Yesod.Auth.Hardcoded #1159

CarstenKoenig opened this issue Feb 11, 2016 · 0 comments
Assignees
@MaxGabriel

Comments

@CarstenKoenig
Copy link

this might be realted with this issue

Although the cookie is set (and set) the handler will reject the hardcoded login (POST at ./auth/page/hardcoded/login):

A valid CSRF token wasn't present in HTTP headers or POST parameters. Check the Yesod.Core.Handler docs of the yesod-core package for details on CSRF protection.
MaxGabriel added a commit to MaxGabriel/yesod that referenced this issue Feb 15, 2016
@MaxGabriel
Have the yesod-auth login form use a CSRF token
64093e9 
Closes yesodweb#1159

Based on reading this [StackOverflow Post](http://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks), using CSRF protection on login forms makes sense for typical username/password signup flows. I don't think the vulnerability discussed there applies to the hardcoded login, because the attacker couldn't create an account of their own.

However:

* If I understand the example in Yesod.Auth.Harcoded, one use case is to share have one login form that works for both the Hardcoded plugin as well as normal database-backed username/password login, in which case having a CSRF token makes sense
* I don't see a downside to having the CSRF token there
* It makes the Hardcoded plugin work with the CSRF middleware

Does this sound like the right solution?
MaxGabriel added a commit to MaxGabriel/yesod that referenced this issue Feb 15, 2016
@MaxGabriel
Have the yesod-auth login form use a CSRF token
21356c4 
Closes yesodweb#1159

Based on reading this [StackOverflow Post](http://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks) and skimming [this paper](http://seclab.stanford.edu/websec/csrf/csrf.pdf), using CSRF protection on login forms protects against a vulnerability where an attacker submits their own username/password in the login form. Later, the user uses the real site, but doesn't realize they're logged into the attacker. This creates vulnerabilities like:

1. If the site logs the user's activity for them (e.g. recently watched videos on YouTube, previous searches on Google), the attacker can see this information by logging in.
2. The user adds sensitive information to the account, like credit card information, the attacker can login and potentially steal that information or use it on the site.

I don't think this vulnerability applies to the hardcoded login plugin because the attacker couldn't create an account of their own.

However:

* If I understand the example in `Yesod.Auth.Hardcoded`, one use case is to share have one login form that works for both the Hardcoded plugin as well as normal database-backed username/password login, in which case having a CSRF token makes sense
* I don't see a downside to having the CSRF token there
* It makes the Hardcoded plugin work with the CSRF middleware

Does this sound like the right solution?
MaxGabriel added a commit to MaxGabriel/yesod that referenced this issue Feb 15, 2016
@MaxGabriel
Have the yesod-auth login form use a CSRF token
a01051e 
Closes yesodweb#1159

Based on reading this [StackOverflow Post](http://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks) and skimming [this paper](http://seclab.stanford.edu/websec/csrf/csrf.pdf), using CSRF protection on login forms protects against a vulnerability where an attacker submits their own username/password in the login form. Later, the user uses the real site, but doesn't realize they're logged in as the attacker. This creates vulnerabilities like:

1. If the site logs the user's activity for them (e.g. recently watched videos on YouTube, previous searches on Google), the attacker can see this information by logging in.
2. The user adds sensitive information to the account, like credit card information, the attacker can login and potentially steal that information or use it on the site.

I don't think this vulnerability applies to the `Yesod.Auth.Hardcoded` plugin because the attacker couldn't create an account of their own.

However:

* If I understand the example in `Yesod.Auth.Hardcoded`, one use case is to share one login form that works for both the Hardcoded plugin as well as normal database-backed username/password login, in which case having a CSRF token makes sense
* I don't see a downside to having the CSRF token there
* It makes the Hardcoded plugin work with the CSRF middleware

Does this sound like the right solution?
@MaxGabriel MaxGabriel mentioned this issue Feb 15, 2016
Merged
@league league mentioned this issue Apr 3, 2016
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@MaxGabriel MaxGabriel

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@snoyberg @MaxGabriel @CarstenKoenig