0 votes

I am working on a Java web application which should be very secure, so I applied Spring Security and Spring MVC with CSRF enabled on an SSL server. I used POST to submit all forms along with the generated CSRF token successfully; however, some pages have GET methods, and if any attacker opens the source of any page from any browser he can see the generated CSRF token inside the form tag, then he can use it to POST any content to our site as long as the session is active for the user under attack!! Am I right?

What should I do to make the site very secure? Should I use any other open-source library along with Spring Security to cover other attacks like cross-site scripting, etc.? And should I enforce POST on all pages to avoid any CSRF attack?

UPDATE

I tried to do more testing by submitting a request via a client tool in the same browser, under the same session and using the same token as the logged-in user, but it fails; the response said login failed, and the header contains nosniff:

X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY

So I think it is safe to use GET in Spring Security to handle the CSRF token without being afraid of someone reading the token in GET pages, unless the attacker uses an XSS attack to do the submission.


2 Answers

3 votes

The attacker can see his own CSRF token, but he cannot see the CSRF token of another user. Different users have different tokens, and using the wrong token should not work.

So there is nothing to be worried about here. Don't panic.
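The point above, as an added example that is not part of this answer or of Spring Security's own code: a small Python model of the synchronizer token pattern that Spring Security's CSRF filter implements. The session store, user names and session ids are constructed for the demo; `_csrf` is Spring's default request parameter name.

```python
import hmac
import re
import secrets

# Constructed in-memory model of the synchronizer token pattern (what Spring
# Security's CSRF filter implements); not Spring's code. One random token is
# minted per server-side session and must accompany every state-changing request.
sessions = {}  # session id carried in the cookie -> {"user": ..., "csrf": ...}

def login(user):
    """Create a session for `user` and bind a fresh CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def render_form(sid):
    """Response to a GET: the form embeds the token of *this* session only."""
    token = sessions[sid]["csrf"]
    return f'<form method="POST"><input type="hidden" name="_csrf" value="{token}"></form>'

def token_in_page(html):
    """What 'view source' reveals: the token in the page the viewer received."""
    match = re.search(r'name="_csrf" value="([^"]+)"', html)
    return match.group(1) if match else None

def handle_post(cookie_sid, submitted_token):
    """Server-side check on a POST. Returns (status, reason)."""
    session = sessions.get(cookie_sid)
    if session is None:
        return (403, "no session")
    # The token must equal the one bound to the session named by the cookie;
    # a token that is valid for some *other* session is rejected.
    if submitted_token is None or not hmac.compare_digest(session["csrf"], submitted_token):
        return (403, "invalid CSRF token")
    return (200, f"accepted for {session['user']}")

def demo():
    """Victim is logged in; attacker reads the token from his own GET page."""
    victim_sid, attacker_sid = login("alice"), login("mallory")
    # The same-origin policy stops a cross-site page from reading the victim's
    # form, so the only token the attacker can copy is the one in his own page.
    attacker_token = token_in_page(render_form(attacker_sid))
    victim_token = token_in_page(render_form(victim_sid))
    return {
        "attacker_token_on_victim_session": handle_post(victim_sid, attacker_token)[0],
        "missing_token": handle_post(victim_sid, None)[0],
        "victim_own_token": handle_post(victim_sid, victim_token)[0],
    }
```

Running `demo()` returns 403 for the attacker's token and for a missing token, and 200 only for the token minted for the victim's own session.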

0 votes

however, some pages have GET methods, and if any attacker opens the source of any page from any browser he can see the generated CSRF token inside the form tag, then he can use it to POST any content to our site as long as the session is active for the user under attack!! Am I right?

Yes, you are right. Using GET will make your website leak sensitive information. This is exactly why Spring Security and the RFC specification discourage using GET requests to send sensitive information. You should use POST if you are sending the CSRF token.

What should I do to make the site very secure? Should I use any other open-source library along with Spring Security to cover other attacks like cross-site scripting, etc.?

The Spring Security framework is not a silver bullet. Using it won't magically make your web application 100% secure. Even though it covers most of the security vulnerabilities out there, we have to make sure to code in a way that doesn't introduce any.

For example:

In the case of cross-site scripting, even if you use Spring Security, if you take a value from an HTML input box, save it directly without HTML-encoding it, and display it back in a JSP file like ${value}, you will introduce the possibility of XSS.