-
-
Notifications
You must be signed in to change notification settings - Fork 666
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Effectiveness of ASVS-4.0.1-3.4.5 #978
Comments
The poster here is making a good point. Path has minimal value.
1) A subdomain can CSRF the main domain
2) Any path on the host can set a cookie for any other path, as the posted described
I suggest we just delete this requirement. It's not helpful.
- Jim
|
First priority - use IF this is not possible AND there are many applications on the same domain which all may want to use Similar discussion, see: #555 (comment) Till we don't have requirement like "one application per domain", we need to have this requirement. |
This requirement only applies in the specific case if multiple applications use session cookies and could overwrite each other's session cookie. This seems more of an integrity issue where applications have accidental interaction. The goal of this requirement does not seem to block access between applications. |
If a cookie has path Integrity problem exists here - you can overwrite cookie with |
An application in /path1/ can still CSRF the root site even if the root site uses SameSite cookies. This is not a perfect defense (or even a good defense). Subdomains controlled by an adversary are a problem. So @timhemel I suggest a PR to get rid of this requirement and then create a new one for now. We can re-address the larger issue of adversarial subdomain's in different issues and PR's. And per @elarlang I do agree using the cookie prefix __Host- does bind the cookie to that specific host only and is a better solution. So perhaps set a new requirement in that direction instead? |
I suggest we have problems covered with proposals in opened issue before PR. Multi-site situation: If you have XSS in One-site situation: let's say we have only one application per domain,
Let's say we have setup:
If you can use
Additionally, what is the "new requirement" in this direction? We have 3.4.4 asking to use For me it seems, that @timhemel was addressing the word "override in current requirement, and I agree with that:
My current proposal is to fix this requirement to technically correct one:
|
@elarlang was correct in that I was addressing the word override. There is a minimal effect of restricting the path, and it might just make some applications a little more secure. Removing the requirement from the ASVS will make it less complete, but perhaps more practical to apply. I will leave that decision to the ASVS team. Personally I like completeness. I have two remarks on the proposal, that could be useful for letting someone understand the requirement:
|
Not that simple with cookies - we can not watch Prefer "host-only" over setting a
If you don't specify |
What I meant is that restricting the Path will only offer good protection in the case of multiple applications on the same host. IMO, that is what they intended The semantics of What is most important is that someone applying the ASVS gets a clear understanding of what to do: a developer needs to know what techniques to apply, a verifier needs to know whether what has been implemented is secure. The general strategy would be: Protect cookies from disclosure and overwriting
|
Goals to achieve with this requirement:
... or there is material to 2-3 different requirements |
*Domain* is a formal term and it only means the "registerable domain"
such as manicode.com
*Host* is also a formal term which means everything after the protocol
and before the first slash such as www.manicode.com or report.manicode.com
The *origin* is the protocol + host + port such as
https://www.manicode.com:443
Aloha, Jim
|
Your definitions are not correct in cookie context.
For that reason Origin / SOP with cookie context is a bit different. |
Those definitions are universal.
Cookies are *not* bound to the origin or protocol, they are bound to the
registerable domain and path as you rightly stated!
The point I am making is that a domain is a domain and a host is a host.
- Jim
|
I would like to agree with @jmanico, but RFC6265 uses domain for complete hostnames too, for example in:
Therefore, it is possible to bind a cookie to a host name via the The same happens in the SOP standard, where domain means the complete host part of the URL. Very confusing that they have deviated from the original meaning. That's why I think these specific ASVS requirements should make it clear. My suggestion would be to use "host" when we mean a host, and "host or domain" when we mean both. I think it will give little confusion. Not every reader of the ASVS will be familiar with the RFC jargon. |
My definitions of host, domain and origin above are correct according to rfc6454 section 3.2 Quoting https://datatracker.ietf.org/doc/html/rfc6454#section-3.2 Origin: "All of the following resources have the same origin: http://example.com/ Each of the URIs has the same scheme, host, and port components." Host: The same RFC above also says: "If user agents did not include the scheme, there would be no isolation between http://example.com and https://example.com because the two have the same host." from this I think we can deduce what host is. It's everything between the protocol and port. Domain: Is just site.com - what you register. And PS: As @ThunderSon mentioned above, the cookie domain property can be set to a domain or a host. Keep in mind cookies came on the scene way before origin was defined in 2011, so the domain property of a cookie is really not a clear name as you rightfully pointed out. |
This is my opinion, which makes no changes to the current suggestion.
I believe that in the situation 2, it maybe can protect leakage but cannot protect use of cookie from other applications, due to lack of same-origin policy. XSS at /pathX/ on the host can cause make same-origin requests to /pathY/ and take the responses out or bypass CSRF protections. This is somehow architectural point, but we should recommend different hosts (or subdomains) for different apps. The prefix __Secure- is a good solution for the situation 1, although the cookie has the remaining integrity risks by any subdomains. |
@maizuka __Host- is not about multiple applications on the same origin, but about multiple applications on the same site. An application on a.example.com can set cookies for example.com, which are also sent to b.example.com. So a.example.com can forge cookies for b.example.com. But not if they have a __Host- prefix. |
@Sjord You are right and the __Host- prefix is available even in the situation 2 (although name duplication causes trouble). The attack surface of XSS by the same-origin apps is independent problem from cookie. I confused between using cookies among apps and getting access to cookies across apps. Thank you. |
Quick-fix for v4.0.3 (#978 (comment)):
|
@elarlang was this issue addressed by the PRs above? |
Need to re-work it through. PR's were quickfixes to remove incorrection. Discussion was a bit wider here, but did not see any potential direction for improvement. |
So do we need to close this for now? |
Hi all, I will probably close this mid-May if I don't get any further feedback. |
Probably we can not solve anything with "improving" this requirement - we can create many more new requirements to cover all the possible edge cases and at the end there is just more confusion. Only way to go from here is to create requirement "one application per From #978 (comment)
|
I agree. Every application should be on its own (sub)domain, and the situation "if the application is published under a domain name with other applications" should not even be allowed. We probably should define "application" somewhat. In this case this seems to determined by authentication and session cookie usage. For some use cases, it may be benificial to use multiple domains for the same application. E.g. host user content on another domain, so that any XSS there does not impact the main application. I don't think it is sufficient to host every application on its own origin. Specifically, hosting different applications on different ports does not provide cookie separation. Different subdomains are needed. |
I was thinking Origin, when I wrote Domain. Fixed in my comment. Using application per Origin and __Host- prefix for session cookie, it provides separation. |
Actually, I propose to got for it. Maybe not for Level 1 (when we talk about risk-based levels). Need to think about wording, but idea is - there should be only one application which can read and write session cookie. It can be achieved:
|
Is there a significant difference between these two? Is it OK to host one app on a.example.com and another app on b.example.com, with or without |
Yes. the difference comes with Let's say session cookie name is "SID". From host But this is something you also described yourself: #978 (comment) So maybe I misunderstood the question... |
I would like to see a requirement to host every application on its own (sub)domain, such as marketing.example.com and customerportal.example.com. The __Host- prefix adds additional security to that, but that already has its own requirement (3.4.4). Hosting each application on its own site (examplemarketing.com, examplecustomerportal.com) would improve cookie security, but makes also makes phishing easier. I wouldn't recommend this. |
@elarlang can you open a PR? |
As we are not going to change this requirement - it stays till we have new requirement (one application per host/origin/site). For new requirement I created separate issue (#1299) and we can close this one out. |
| 3.4.5 | Verify that if the application is published under a domain name with other applications that set or use session cookies that might override or disclose the session cookies, set the path attribute in cookie-based session tokens using the most precise path possible. (C6) | ✓ | ✓ | ✓ | 16 | 7.1.1 |
If I understand the semantics of the
path
attribute correctly, the strictest value is realized by not specifying it at all. Of course if a scripts sets a cookie that applies to a parent path, you will need to specify it explictly.Setting the path attribute would only protect against disclosing the cookie, not against overriding it, as any path on a host can set a cookie for any other path. According to RFC 6265:
The text was updated successfully, but these errors were encountered: