http://smerity.com/articles/2013/where_did_all_the_http_referrers_go.html
New review by Topher 2018-04-09
There are continuing client requests for improved CSRF security, tracked in Jira.
Recommendation
I think that we should implement synchronizer-token CSRF protection on Magnolia admincentral, in addition to the existing referer checks, in order to comply with the OWASP recommendations (see the OWASP CSRF prevention guidance) and to match the established best practice in the enterprise CMS space.
Research of the Referer check
I have researched Referer-based security again.
The one problem that appears legitimate to me is that of a "replay attack": a request that was intended to be made only once could be triggered multiple times, which could result in unexpected, unwanted changes to content. Our current protection would not stop that.
There are four common objections to relying on a referer check alone, but I don't find the reasons convincing.
- Incorrect referer check: "There are also common implementation mistakes with referer checks." I think that we have satisfactorily avoided the mistakes.
- No referer header set: Requests may not have a Referer header set. We simply do not allow them access, which is acceptable for our use case.
- Browser support: Previously, not all browsers protected the Referer header properly. Now they do. It's possible that someone has installed a browser extension/plugin that does something strange, but I don't think we need to cover that case. (We could add this to our browser support page.)
- Doesn't always work: There are many quotes like "Referer checking can detect some attacks but not stop all attacks", but after much searching I find no reference to anything besides the above items, in other words things that are not a problem for us. I have seen no indication that a referer can be spoofed in a CSRF context.
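To make the two mechanisms under discussion concrete, here is an added example (not Magnolia code, and not taken from any of the CMS products listed on this page) written as a language-neutral request filter in Python. It shows a strict Referer/Origin check next to the "incorrect referer check" the first objection refers to (a string-prefix comparison that accepts `https://cms.example.com.evil.net`), and a synchronizer-token store that can run either session-bound or per-request, the latter consuming each token on use so the replay case described above is rejected. The admin origin `cms.example.com`, the header dictionaries and the session IDs are constructed for the example.

```python
"""Added example: strict Referer/Origin check plus synchronizer tokens.
Not Magnolia code; origins, headers and session IDs are constructed."""
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical allow-list of the admin interface's own origins.
ADMIN_ORIGINS = {"https://cms.example.com", "https://cms.example.com:8443"}
_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_of(url):
    """Return 'scheme://host[:port]' for a URL, or None if it cannot be parsed.
    The default port for the scheme is dropped so 'https://h:443/' == 'https://h/'."""
    parts = urlsplit(url)
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == _DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def referer_allowed(headers, allowed=ADMIN_ORIGINS):
    """Source check for state-changing requests: prefer Origin (browsers send it on
    cross-site POSTs), fall back to Referer, and fail closed when both are absent.
    The comparison is on the whole parsed origin, never a string prefix."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    origin = _origin_of(source)
    return origin is not None and origin in allowed


def referer_allowed_naive(headers):
    """The common mistake: a prefix match accepts attacker-controlled hosts such as
    https://cms.example.com.evil.net and https://evil.net/https://cms.example.com."""
    return headers.get("Referer", "").startswith("https://cms.example.com")


class SynchronizerTokens:
    """Synchronizer token pattern. per_request=False keeps one token per session;
    per_request=True issues a fresh token per form and consumes it on use, so a
    captured submission cannot be replayed."""

    def __init__(self, per_request=False):
        self.per_request = per_request
        self._live = {}  # session_id -> set of live tokens (in-memory stand-in for a store)

    def issue(self, session_id):
        live = self._live.setdefault(session_id, set())
        if not self.per_request and live:
            return next(iter(live))  # reuse the session's single token
        token = secrets.token_urlsafe(32)
        live.add(token)
        return token

    def validate(self, session_id, presented):
        presented = (presented or "").encode()
        match = None
        for token in self._live.get(session_id, ()):
            # constant-time compare; never use `presented in live`
            if hmac.compare_digest(token.encode(), presented):
                match = token
        if match is None:
            return False
        if self.per_request:
            self._live[session_id].discard(match)  # one use only
        return True


def check_request(headers, form, session_id, tokens):
    """Both layers must pass: the existing referer check and the token check."""
    return referer_allowed(headers) and tokens.validate(session_id, form.get("csrf_token"))


if __name__ == "__main__":
    store = SynchronizerTokens(per_request=True)
    token = store.issue("sess-1")
    good = {"Referer": "https://cms.example.com/.magnolia/admincentral"}
    print(check_request(good, {"csrf_token": token}, "sess-1", store))  # True
    print(check_request(good, {"csrf_token": token}, "sess-1", store))  # False: replayed
```

The naive prefix check is only included to show why the "incorrect referer check" objection exists; the strict check parses the URL and compares the full origin, and a missing header is a rejection rather than a pass. Running both checks together matches the recommendation above of adding tokens on top of the existing referer check rather than replacing it.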
Competitor research
Most of our competitors rely on the synchronizer-token approach.
The following CMSs that I checked all support token-based CSRF protection:
(As far as I can tell it is for their admin interface, but it could be referring to the public website in some cases.)
- AEM (https://helpx.adobe.com/experience-manager/6-2/sites/developing/using/csrf-protection.html) (granite - so appears to be admin-side)
- Kentico (Anything using CMSPage has support)(https://docs.kentico.com/k9/securing-websites/developing-secure-websites/cross-site-request-forgery-csrf-xsrf)
- Sitecore (https://doc.sitecore.net/speak/speak_3/speak_3/protect_against_crosssite_request_forgery) (https://stackoverflow.com/questions/39536332/what-does-the-sitecore-security-anticsrf-do-and-can-i-disable-it-on-my-content-d)
- Liferay (https://web.liferay.com/community/wiki/-/wiki/Main/Authentication+Token)
- Episerver - not totally clear - but they have a feature and provide hints to how to use ASP.net tokens (https://world.episerver.com/blogs/Per-Bjurstrom/Archive/2010/4/Using-the-CSRF-page-extension-in-CMS-6/) (https://world.episerver.com/documentation/class-library/?documentId=episerverframework/7/f1266c23-719e-2631-3f41-433a8be2d8dc)
For the following I could find no clear information:
- Coremedia
- Drupal
I also found several indications that the token check was something they added relatively recently. For example, AEM had a referer check before and then added the token check.
Security Software
Security scanning software also apparently looks for CSRF tokens on forms:
- Acunetix (https://devnet.kentico.com/questions/regarding-csrf)
- HP fortify