undefined | Better HN

0 pointsbenmmurphy3y ago0 comments

Are there any additional issues with CSRF? I assume if websites are already protected against CSRF then there are no problems and if they don't have CSRF protection then they already have a problem they need to fix.

0 comments

xena3y ago

I have no idea to be honest. I'd assume CSRF protection is kind of a mandatory part of the internet at this point.

benmmurphyOP3y ago

I think if you are checking the host header on the server there is no problem. But I think if you are not checking the host header then there are some cute DNS rebinding attacks that will let an evil website perform arbitrary actions on behalf of a user if they are tricked into navigating onto the evil website. i've seen this same attack on sites hosted locally where authentication is assumed because only the localhost can connect to the site. DNS rebinding breaks this assumption. i think there is a similar thing going on here.

the good thing is a lot of stuff kind of implicitly checks the host header. like if you are using vhosting (without a default) then you have an implicit host header check even if you didn't set it up explicitly for security.

EDIT: and of course if you are using HTTPS then it should not be an issue because the server will not be able to serve a certificate that matches the hostname.

iancarroll3y ago

It’s good to protect against DNS rebinding, and the host header or TLS will protect against this, but rebinding isn’t the main source of CSRF issues. You can still blindly perform CSRF attacks via XHR or <form>.

The disadvantage to Tailscale’s implicit authentication is that it can’t take advantage of modern features like SameSite cookies, which can be a strong defense against CSRF. You would need to implement CSRF tokens everywhere, or try to rely on Origin/Referer (which is sketchy).

1 more reply

j / k navigate · click thread line to collapse