CSRF on GAE Endpoints with oAuth

I'm looking to implement protections against CSRF attacks in my API, which I developed using GAE Endpoints with OAuth2 required for all methods.

Before implementing any specific protection I'm trying to actually break my app (CSRF looked simple at first glance). But just can't make it work.

When I reference my endpoint in another page, the browser adds the cookie information but not the Authorization header with the bearer access token. This does not seem to be enough, because my endpoints automatically return 401 with a www-authenticate:Bearer realm="https://accounts.google.com/" header.

As I said, I have no specific protection against CSRF. But does using Google Cloud Endpoints with OAuth2 under HTTPS grant me protection against this type of attack "for free"?

--edit to address comment

I tried a simple CSRF attack. I got a page up with an <img src="https://bla-bla-bla-appspot.com/_ah/api/myapi/v1/resource.getMethod">. Then I accessed this page while I had my app opened in another tab, so my browser would send my authentication information. And it does send the cookie, but not my OAuth token.

I didn't even try doing a POST; if I "hack" a GET it would be great already.

Henrique G. Abreu asked Jan 25 '16 23:01





1 Answer

OAuth 2.0 explicitly protects against CSRF via the use of a non-guessable state parameter which is generated by the client and validated by the server. Even if an attacker was able to trick a client into visiting a URL to authorize a malicious token, the state parameter would not match that of the client and the request would be denied.

The Google Cloud Endpoints libraries handle this bit of the OAuth spec for you, so you're in the clear.

OAuth2 requires all requests to have the bearer access token either as an HTTP header (use XMLHttpRequest from JavaScript to set the header and make the request) or as a URL query parameter (access_token). An attacker won't know this secret value, so would not be able to create a URL which would pass validation.

Dave Snigier answered Sep 22 '22 14:09

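The behaviour the question observes and the answer explains, as an added example that is not part of the question, the answer or the Cloud Endpoints libraries: a minimal model of a per-method bearer-token gate. A cross-site request such as the question's <img> tag carries the session cookie but no Authorization header, so it gets 401 with a WWW-Authenticate: Bearer challenge; only a request that presents the token (header or access_token query parameter, the two forms the answer mentions) is served. The token value, the token lookup table and the cookie name are constructed placeholders.

```python
"""Added example: model of a bearer-token gate in front of an API method.
Token values, the VALID_TOKENS lookup and the cookie name are constructed
placeholders, not the real Cloud Endpoints validation (which asks Google's
token endpoints whether the token is valid and which user it belongs to)."""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

REALM = "https://accounts.google.com/"
# Constructed placeholder standing in for the token-introspection lookup.
VALID_TOKENS = {"ya29.CONSTRUCTED_EXAMPLE_TOKEN": "user@example.com"}


def extract_bearer(headers: Dict[str, str], url: str) -> Optional[str]:
    """Return the bearer token from the Authorization header, falling back
    to the access_token query parameter; None if neither is present."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    query = parse_qs(urlsplit(url).query)
    return query.get("access_token", [None])[0]


def handle(method: str, url: str,
           headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Authorize a request. Cookies are deliberately never consulted: the
    browser attaches them to any cross-site request automatically, whereas
    a bearer token must be placed explicitly by script that holds it."""
    token = extract_bearer(headers, url)
    user = VALID_TOKENS.get(token) if token else None
    if user is None:
        # The challenge the question reports seeing on its endpoint.
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}, ""
    return 200, {}, f"{method} ok for {user}"


def cross_site_img_request(url: str) -> Tuple[int, Dict[str, str], str]:
    """What the question's <img src=...> produces at the server: the
    session cookie is present, the Authorization header is not."""
    return handle("GET", url, {"Cookie": "session=constructed-cookie-value"})
```

The same gate accepts a request whose script set the Authorization header from the token it holds, which is why legitimate XMLHttpRequest calls from the app's own page still succeed.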