I want to secure my REST calls against XSRF attacks. What I am doing is the following:
Edit: I did not use the standard approach because I use GWTP REST instead of GWT-RPC. Question:
Is this a good approach? Does it matter if I send the LoggedIn Cookie to the server? Does it increase the vulnerability?
Q. Is this a good approach?
The dev guide states:
This stateless XSRF protection implementation relies on the fact that attacker doesn't have access to the session cookie and thus is unable to generate valid XSRF token.
The XSRF token is a simple hash of the JSESSIONID cookie and MD5 is not recommended for password storage any longer (old version of page, current version is here):
As such general hashing algorithms (eg, MD5, SHA-1/256/512) are not recommended for password storage.
However, as an attacker has no method of retrieving the JSESSIONID value, this method is simply another way of executing the OWASP-recommended double submit cookie XSRF prevention method and is secure. To answer this question, it seems like a good approach to me.
Q. Does it matter if I send the LoggedIn Cookie to the server?
Yes, you should send the authentication cookie too, so that your API can authorise the user in the normal way.
Q. Does it increase the vulnerability?
There is no extra risk in sending the cookie with the request as well. It would be a good idea to protect your REST service with HTTPS so all data is encrypted whilst in transit.
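To make the answer's reasoning concrete, here is an added example (not code from the question, the answer, or the GWT/GWTP projects) of the stateless check the answer describes: the server recomputes the token as a hash of the JSESSIONID cookie and compares it with the token the client sent in a request header. The header name `X-XSRF-Token`, the `check_request` function and the sample requests are assumptions made for this illustration. The forged request at the end models what a cross-site page can produce: the browser attaches the session cookie automatically, but the attacker can neither read the cookie nor set the custom header, so the check fails.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Dict, Tuple

SESSION_COOKIE = "JSESSIONID"
XSRF_HEADER = "X-XSRF-Token"  # assumed header name for this example


def xsrf_token_for(session_id: str) -> str:
    """Derive the stateless XSRF token from the session cookie value.

    As the answer describes, the token is just a hash of the session cookie,
    so the server stores nothing extra. MD5 is used here to mirror the hash
    the text mentions; its unsuitability for password storage does not matter
    because the input is a high-entropy secret the attacker cannot read, not a
    low-entropy password to be brute-forced.
    """
    return hashlib.md5(session_id.encode("utf-8")).hexdigest()


def issue_token(session_id: str) -> str:
    """What the same-origin token endpoint hands to the logged-in client.

    Only a page on our own origin can call this endpoint and read the reply,
    which is why a cross-site attacker never learns the token.
    """
    return xsrf_token_for(session_id)


def check_request(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Validate a state-changing REST request.

    `headers` is a dict of HTTP request headers. Returns (accepted, reason).
    The session cookie is still required: it authenticates the user, while the
    header proves the request came from our own JavaScript (double submit).
    """
    cookies = SimpleCookie()
    cookies.load(headers.get("Cookie", ""))
    if SESSION_COOKIE not in cookies:
        return False, "no session cookie: not logged in"
    session_id = cookies[SESSION_COOKIE].value

    presented = headers.get(XSRF_HEADER)
    if presented is None:
        return False, "missing XSRF token header"

    expected = xsrf_token_for(session_id)
    # Constant-time comparison so the check does not leak the expected token.
    if not hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
        return False, "XSRF token does not match session cookie"
    return True, "ok"


def forged_cross_site_request(session_id: str) -> Dict[str, str]:
    """Headers a hostile page can cause the victim's browser to send.

    The browser adds the cookie on its own; a custom header cannot be set
    cross-site without a CORS preflight the server will not approve, and the
    attacker cannot compute the token without reading JSESSIONID anyway.
    """
    return {"Cookie": f"{SESSION_COOKIE}={session_id}"}


if __name__ == "__main__":
    sid = "0F5E2A9C3B7D"  # constructed sample session id
    legit = {"Cookie": f"{SESSION_COOKIE}={sid}", XSRF_HEADER: issue_token(sid)}
    print("legitimate:", check_request(legit))
    print("forged:    ", check_request(forged_cross_site_request(sid)))
    wrong = dict(legit, **{XSRF_HEADER: issue_token("someone-elses-session")})
    print("wrong tok: ", check_request(wrong))
```

The same structure applies whichever hash the framework uses; what matters is that the token is derived only from a value the attacker cannot observe and that the server refuses any request that carries the cookie without a matching header.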