Hi everybody!
We have a microapp (stateless, React-based) which allows users to upload files to Predix Blobstore (via a dedicated microservice). We have developed the microapp using Predix AppHub. To upload a file, we use an HTML form tag. During microapp development we have faced a Cross-Site Request Forgery issue: to upload a file we use the HTTP POST method with the "multipart/form-data" content type, so an attacker can trick the victim into submitting a malicious/inappropriate file. As we understand, Predix AppHub does not have any CSRF protection out of the box.
We have analyzed OWASP best practices and found that there is no suitable existing solution that meets our conditions:
Synchronizer Token Pattern - Not applicable - Because our microapp is stateless.
Encryption/HMAC based Token Pattern - Applicable - Based on our quick search there is no ready existing solution that implements that pattern. Almost all current stateless solutions implement the Double Submit Cookie pattern.
Verifying origin with standard headers - Not applicable - Predix AppHub strips the Origin/Referer HTTP headers.
Double Submit Cookie - Not applicable - Predix AppHub strips the Cookie HTTP header, so the microapp does not receive the Cookie HTTP header.
SameSite Cookie Attribute - Not applicable - Predix AppHub does not implement SameSite cookie protection out of the box. Predix AppHub strips the Cookie HTTP header.
Use of Custom Request Headers - Not applicable - You cannot attach custom request headers to a form submission due to browser features.
We do not want to implement the encryption/HMAC based token pattern from scratch because of security concerns (we must think about crypto key rotation, choosing a crypto algorithm, etc.). Our current proposed approach is based on using the jti claim from the JWT as the CSRF token:
The browser makes a GET request to get the upload form.
The microapp receives that GET request (via Predix AppHub) with an Authorization header (user JWT included). When the microapp creates a response (the form to upload a file), it includes the jti claim from the received JWT as a hidden field.
The browser receives the HTML form to upload a file. The browser makes a POST request with the hidden field included.
The microapp receives the POST request (via Predix AppHub) with an Authorization header (user JWT included) and checks whether or not the value in the hidden field equals the jti in the received JWT.
Are we reinventing the wheel? Is there any ready existing solution suitable for our case? If there is no existing solution: do you see any security concerns in our approach?
Answer by Sanjeev Chopra · Jan 11, 2019 at 02:54 PM
What you are describing is a variation of the Synchronizer Token Pattern, where the token is not stored on the server -- instead it's available to the server via the Authorization header. That should work, since the attacker does not have access to cookies from the user session.
Thanks for the review. We have implemented that pattern; it works well.