
JWT_AUTH_COOKIE makes APIs CSRF vulnerable.

Open mohsen-mahmoodi opened this issue 7 years ago • 15 comments

Using the JWT_AUTH_COOKIE is vulnerable to CSRF attacks and this is not mentioned in the documentation nor mitigated against in the code.

mohsen-mahmoodi, Jun 05 '17 00:06

How is that? Please explain.

angvp, Jun 05 '17 16:06

Maybe by brute-forcing the default hs256 JWT_ALGORITHM, as mentioned here and here.

Radobilly, Jun 22 '17 19:06

@mahmoodi? Input, please.

angvp, Jul 24 '17 14:07

@mahmoodi is right. Because the JWT is saved in a cookie, it will be automatically sent with every request, causing successful authentication without any need for the application to add the JWT to the request header. Because of this, it is generally vulnerable to CSRF in exactly the same way as a usual cookie session, so actually there is no need to provide any example here, as general CSRF vulnerability examples can be applied here.

klis87, Jul 24 '17 17:07

Hey @klis87, thanks for jumping in. Yeah, I got that from @Radobilly's links and some googling. I will write some docs and will update this ticket so you can proofread and add/delete more info to the main docs.

angvp, Jul 24 '17 19:07

Please correct me if I'm wrong, but it seems to me that default Django CSRF protection, if used correctly, prevents problems:

https://docs.djangoproject.com/en/1.11/ref/csrf/

https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage also says that:

Leveraging your web app framework’s CSRF protection makes cookies rock solid for storing a JWT.

Update:

Ah ok, I see one more thing now. Django's CSRF tokens will be generated if one has django.middleware.csrf.CsrfViewMiddleware, but they get ignored when using JSONWebTokenAuthentication. So yes, it looks like the JWT cookie is vulnerable to CSRF.

AdamStelmaszczyk, Jul 28 '17 09:07
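To make the last point concrete, here is an added, self-contained Python sketch (not code from django-rest-framework-jwt, nor from anyone in this thread) of the check that a cookie-reading authentication class needs: when the token arrives in a cookie, unsafe methods get a CSRF check, mirroring what Django REST framework's SessionAuthentication.enforce_csrf does for session cookies; when it arrives in the Authorization header, no check is needed, because a cross-site page cannot make the browser add that header. The cookie name jwt, the X-CSRFToken header, the double-submit comparison and the signing key are assumptions made for the demo; Django's real CsrfViewMiddleware does more (token masking, Origin/Referer checks), and the JWT helpers here are a minimal stand-in for the library's encode/decode handlers.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

SECRET_KEY = b"constructed-demo-secret"  # constructed; a real app uses settings.SECRET_KEY
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")  # same set Django's CSRF middleware skips


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict) -> str:
    """Minimal HS256 JWT (header.payload.signature), a stand-in for the library's encoder."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_jwt(token: str):
    """Return the payload when the HS256 signature verifies, otherwise None."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        return json.loads(_unb64url(body))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None


@dataclass
class Request:
    """Just enough of an HTTP request for the demo."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class CsrfFailed(Exception):
    pass


def enforce_csrf(request: Request) -> None:
    """Simplified double-submit check: X-CSRFToken header must equal the csrftoken cookie.
    A page on another origin can trigger the request (cookies go along automatically)
    but cannot read the cookie value to put it in the header."""
    cookie_token = request.cookies.get("csrftoken")
    header_token = request.headers.get("X-CSRFToken")
    if not cookie_token or not header_token or not hmac.compare_digest(cookie_token, header_token):
        raise CsrfFailed("CSRF token missing or incorrect")


def authenticate(request: Request):
    """Header-carried JWT: verify and return. Cookie-carried JWT: verify, then
    apply the same CSRF rule a session cookie gets on unsafe methods."""
    auth = request.headers.get("Authorization", "")
    if auth.startswith("JWT "):  # default JWT_AUTH_HEADER_PREFIX is 'JWT'
        return decode_jwt(auth[len("JWT "):])
    cookie_jwt = request.cookies.get("jwt")  # assumed JWT_AUTH_COOKIE name for the demo
    if cookie_jwt is None:
        return None
    payload = decode_jwt(cookie_jwt)
    if payload is None:
        return None
    if request.method not in SAFE_METHODS:
        enforce_csrf(request)
    return payload


def demo() -> dict:
    """Exercise the four cases that matter; returns a label -> outcome map."""
    token = encode_jwt({"sub": "alice"})
    csrf = secrets.token_hex(16)
    results = {}
    # Same-origin POST: the page's script copied csrftoken into the header.
    good = Request("POST", {"X-CSRFToken": csrf}, {"jwt": token, "csrftoken": csrf})
    results["same_origin_post"] = authenticate(good)["sub"]
    # Cross-site POST: browser attaches both cookies, but no header is present.
    forged = Request("POST", {}, {"jwt": token, "csrftoken": csrf})
    try:
        authenticate(forged)
        results["cross_site_post"] = "accepted"
    except CsrfFailed:
        results["cross_site_post"] = "rejected"
    # JWT in the Authorization header: no CSRF token required.
    results["header_post"] = authenticate(Request("POST", {"Authorization": "JWT " + token}))["sub"]
    # Safe method with the cookie: allowed without a token, like a session GET.
    results["cookie_get"] = authenticate(Request("GET", {}, {"jwt": token}))["sub"]
    return results
```

Calling demo() shows the asymmetry in one place: the only request that is refused is the cookie-authenticated unsafe request without a matching CSRF header, which is exactly the request a cross-site page can produce. Without the enforce_csrf call in the cookie branch, that request would be accepted, which is the gap this issue describes.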

Any update on this?

EduardoNogueira, Dec 29 '17 12:12

I noticed this risk and created a pull request adding an option to handle CSRF protection when using JWT in an HttpOnly cookie.

Now I see it's an open issue, for those interested, check out https://github.com/GetBlimp/django-rest-framework-jwt/pull/434 and maybe we can close this.

bmpenuelas, Apr 15 '18 13:04

Perhaps this post might be illuminating?

CapedHero, May 19 '18 10:05

It is @CapedHero, that is the behaviour that you get when using #434.

bmpenuelas, May 19 '18 12:05

As well as requiring CSRF protection, shouldn't JWT_AUTH_COOKIE also be set with the Secure flag?

PaulDFPV, Oct 05 '18 23:10

The Secure flag prevents the cookie from being sent over non-https connections, protecting it from eavesdropping among other things. Some users might want to protect their apps from CSRF and XSS while allowing them to work over http. In that case, the Secure flag would not be a suitable choice.

That said, using https and the Secure flag is of course advisable whenever possible.

bmpenuelas, Oct 06 '18 08:10

Perhaps use the Secure flag by default and have an option to turn it off then?

PaulDFPV, Oct 06 '18 10:10

There is currently no way to customise the cookie settings. It would be really useful to have the choice to set them, especially the secure and samesite flags. Thanks!

pou426, May 03 '19 12:05

Yes @pou426, you can customize it the way you want using CSRF_COOKIE_SECURE and CSRF_COOKIE_SAMESITE respectively.

bmpenuelas, May 16 '19 20:05