Handling CSRF attacks from AWS Lambda?

Normally, a csrf token is generated by the server and then sent to the client. When the client submits a form, the token is passed back to the server, which then gets verified.

If I am just using API Gateway and Lambda, how would I ensure that all POST/PUT requests are valid, and protect against csrf attacks? There isn't much written about the subject that I could find, and I'm not sure how to persist a generated csrf token so that all lambda functions can access it anyway.

Is this something that AWS already handles for me, or do I need to specifically configure it in a special way?

watdeo asked Jun 20 '17 05:06

1 Answer

While I haven’t done (or even tried) that myself, 2 possible solutions could be:

  • The obvious one: Persist the data in one of the storages offered by AWS
  • The less obvious one: use a token that does not need persistence. For instance, JWT (JSON web tokens) can be used statelessly insofar as all servers (in your case: lambda functions) only need to know a shared secret to be able to verify client-side tokens. To prevent re-using a previously generated and used token (in other words: ensure a token is used only once), you could add data to the token payload which describes the form, for instance using an entity identifier plus version number, or simply add an expiration timestamp to the token payload – whatever fits your use case.
BlueM answered Sep 16 '22 12:09
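The stateless variant from the answer, as an added example that is not part of the original post or of any AWS library: an HS256 JWT built with the standard library only, whose payload carries the form name, an entity identifier, the record's version and an expiry, so every Lambda function can verify it with nothing but the shared secret. The secret, the `form`/`entity`/`ver` claim names and the 15-minute lifetime are assumptions chosen for the example; reading the token from the `X-CSRF-Token` header of the API Gateway event is left to the handler.

```python
import base64, hashlib, hmac, json, time

# Constructed secret for the example only. Every Lambda function that issues or
# verifies tokens would read the real one from an environment variable or a
# secrets store, which is all the shared state this scheme needs.
SECRET = b"constructed-demo-secret-do-not-use"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_csrf_token(form: str, entity_id: str, version: int, ttl: int = 900, now=None) -> str:
    """HS256 JWT whose payload pins the token to one form, one record version
    and a short lifetime; no server-side storage is needed to check it later."""
    now = int(time.time()) if now is None else now
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps({"form": form, "entity": entity_id, "ver": version,
                          "exp": now + ttl}, separators=(",", ":")).encode()
    signing_input = f"{_b64url(header)}.{_b64url(payload)}"
    return f"{signing_input}.{_b64url(_sign(signing_input))}"

def verify_csrf_token(token: str, form: str, entity_id: str, current_version: int, now=None) -> bool:
    """True only if the signature checks out and the form, entity, version and
    expiry in the payload all match the record the handler is about to modify."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        # Check the signature before trusting anything inside the token.
        if not hmac.compare_digest(_sign(f"{h}.{p}"), _b64url_decode(s)):
            return False
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        return False
    if header.get("alg") != "HS256":
        return False
    # Bumping the record's version after a successful submit invalidates the
    # old token, so a captured token cannot be replayed against the new state.
    return (payload.get("form") == form and payload.get("entity") == entity_id
            and payload.get("ver") == current_version and payload.get("exp", 0) > now)
```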