CSRF attack though ALB cookies because of samesite=none

0

I have a web application with tomcat, and I configured the jsessionid cookie for samesite=lax, and it prevents CSRF attacks. When I put the application behind an ALB with OIDC authenticator, I encounter the following issue:

  • ALB cookies explicitly set samesite=none.
  • The CSRF attack is a form POST submit from an external page. It sends the ALB cookies together with the request, but doesn't send my jsessionid cookie (as expected).
  • The ALB lets the request pass into the my application. The application sees this is a new session with an authenticated user and treats it as a legitimate request (typically it is the first request of the user after login and redirect from the IDP). It loads the user details and then proceeds with the request. Thus, the CSRF attack succeeds.

How can I solve this? Is there a way to change the cookies in the ALB to use samesite=lax?

2 Answers
0

Hi Yoni , If the SameSite attribute is set to Lax, then the browser will include the cookie in requests that originate from another site but only if two conditions are met:

The request uses the GET method. Requests with other methods, such as POST, will not include the cookie. The request resulted from a top-level navigation by the user, such as clicking a link. Other requests, such as those initiated by scripts, will not include the cookie.

Most CSRF attacks tend to happen on POST requests. So the LAX mode is only a partial defense. You should use it in conjunction with CSRF tokens. You can use Spring Security (if you are using Java and Spring) or you can use the CSRFGuard from OWASP. Please see the link below for the CSRF Guard

https://owasp.org/www-project-csrfguard/

The OpenID connect protocol does not have any specifications for CSRF .Here are a few resources that might help you (see below) but the general pattern is to use the state parameter. Some reputed OpenId providers do provide protection but the smaller ones do not.

https://developer.amazon.com/docs/login-with-amazon/cross-site-request-forgery.html

https://technospace.medium.com/csrf-in-idp-initiated-openid-connect-7a2873420e86

https://developers.google.com/identity/openid-connect/openid-connect

Gaurav
answered 12 days ago
  • Thank you for this finely crafted answer, but it actually adds nothing to my question in way of a solution. I care about POST requests, not GET, and I know what OIDC is. The question is about the ALB cookies, that effectively allow a request from answer site to pass-through

0

Yoni, you can utilize duration based stickiness and give it a shot. This way your cookie (JSESSIONID) will maintain the lax value. Please , see the following resource

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html

Give it a shot.

Gaurav
answered 11 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions