Sunday, November 10, 2013

Java Cross-Site Request Forgery (CSRF) Remedy, and Reverse Proxy Considerations

Recently, an application that I wrote and support got scanned by a more sophisticated web application security tool, and it revealed some issues.  One of the issues was in regard to “Cross-Site Request Forgery”.  Basically, Cross-Site Request Forgery (I’m going to abbreviate this as CSRF) means that data is being submitted to your application by a form that was not generated by your application.  For example, a hacker might save the source of your web page and form and submit the form from their saved version.

If an authenticated web application user (I assume you are authenticating your users) submits valid data (I assume you are validating the data) from a form that you didn’t originate, there should be no problem, right?  Valid user and valid data should be OK, right?

In reality, the examples of where this exploit has been used are the justification for preventing it.  I'll describe one CSRF attack vector.  You may be authenticated to use my application, and you may load a page in your browser that has NOT come from me.  If that page has a couple features, we will both be upset: (1) perhaps the page has been maliciously coded to emulate a page delivered by my application and submits some valid data, and (2) that data performs some valid function that you have not approved, like transferring money to a hacker.  That kind of potential scenario, and others like it should motivate us to keep CSRF from succeeding in our applications. 

Additionally, if there is a chance that bad data might seep through your server-side validation or that an authenticated user might be spoofed or that you just need to pass intense application security scanning that is going to reveal CSRF vulnerabilities, then there are a couple things you can do to prevent CSRF.

But first, let me take a minute to talk about server names. Often a server will have multiple names: an official name and one or more DNS aliases. Most likely, one of the DNS aliases, if they exist, is what users will browse to in the URL -- that gives you flexibility to move an alternate system into place (physically or logically) as that same DNS alias, without having to change all your URLs.  In addition, you may have more elaborate access to your corporate servers from the Internet through reverse proxies that may sit on the boundary of your intranet.  In that case, the proxy server may rewrite both the header of the request and the referrer. So there are four name types: 1) the machine name, 2) a DNS name, 3) a potentially rewritten referrer name, and 4) a potentially rewritten header "server" name.  How should we use each of these?  In the simplest arrangement, all of these will be the same.

The machine name (hostSrvrName in the code below) should be used for anything that applies to everything being served from that specific server, even when served at URLs using potentially different DNS aliases.  I choose to name my authentication cookies with the machine name so that other applications can share the authentication.  Our nonce cookie is not quite of that type, it is specific to our application forms, at present, but could be made into a general service for the entire server.  We can get the machine name (which only needs to be read once) from an InetAddress class, through a static initializer block outside the doGet(), doPost() and other methods, like this:

    private static boolean isDebug = true;
    private static String applName = "myapp";
    private static String defaultNetworkName = "org.com";
    private static String defaultServerName = "myappsrv" 
        + "." + defaultNetworkName;
    private static String hostSrvrName = null; 
    private static InetAddress[] hostAddresses = null;
    static { 
        try {
            try { 
                hostSrvrName = InetAddress.getLocalHost().getHostName() 
                    + "." + defaultNetworkName;
            } catch( Exception y ) {} 
            if( hostSrvrName == null ) hostSrvrName = defaultServerName;
            hostAddresses = InetAddress.getAllByName( hostSrvrName ); 
        } catch( Exception x ) {} 
    } 
    // This is what we will see in the request at the server
    // It may be rewritten to the client
    private static String reverseProxyName = "access" 
        + "." + defaultNetworkName;

The first thing you can do is what I would term as “poor-man’s CSRF prevention.”  Basically, you check to assure the referrer in the html header is what you expect.  Note that if you are using a reverse proxy, the proxy will occur as the referrer name; so in addition to your web app server, you will need to allow that host name as a referrer.  In a Java servlet, this test might look like the following (note that the standard parameter name “referer” is misspelled).

        // A reverse proxy may rewrite the header server name
        String rqstSrvrName = request.getServerName();
        if( rqstSrvrName == null ) rqstSrvrName = hostSrvrName;
        // The referrer is important to us!
        // That should be the name of the server that the client addresses
        // If it is acceptable, we will reflect that back to the client
        String referrer = request.getParameter( "referer" );
        // If the request or referrer server name equals
        // our standard reverse proxy server name,
        // then set the referrer to the reverse proxy
        // else assure the referrer is this host
        String referrerName = rqstSrvrName;
        // May have remnant referrer on a GET - use request server 
        if( referrer != null && 
                        ! request.getMethod().equals( "GET" ) ) 
        { 
            int start = referrer.indexOf( "//" ) + 2;
            int end = referrer.indexOf( "/", start );
            referrerName = referrer.substring( start, end );
        }
        if( rqstSrvrName.equals( reverseProxyName )  
            || referrerName.equals( reverseProxyName ) ) 
        {
            referrerName = reverseProxyName;
        } else {
            // Test if the server name from the referrer or request header
            // Has one of the same addresses as our host (DNS alias)
            boolean isThisAddr = false;
            try {
                InetAddress referInetAddr = 
                    InetAddress.getByName( referrerName );
                String requestAddr = referInetAddr.getHostAddress();
                // InetAddresses are keyed by IP Address, so may not work
                // With hosts with multiple network homes (cards or VPNs)
                if( hostAddresses != null ) 
                  for( InetAddress iAddr: hostAddresses ) {
                    if( iAddr.getHostAddress().equals( requestAddr ) ) {
                        isThisAddr = true;
                        break;
                    }
                }
            } catch( Exception x ) {}
            // Referrer may also be another acceptable host
            if( referrerName.equalsIgnoreCase( "menu.org.com" ) ) isThisAddr = true; 
            if( referrerName.equalsIgnoreCase( "lookup.org.com" ) ) isThisAddr = true; 
            if( referrerName.equalsIgnoreCase( "test.org.com" ) ) isThisAddr = true;
            if( ! isThisAddr ) {
                System.out.println( "Referrer Problem coming from: " + 
                    clientIP + ", Referrer: " + referrer );
                throw new ServletException();
            }
        }
        if( isDebug ) {
            System.out.println( "hostSrvrName: " + hostSrvrName );
            System.out.println( "rqstSrvrName: " + rqstSrvrName );
            System.out.println( "referrerName: " + referrerName );
        }

The DNS name (or machine name if no DNS aliases are used) will usually appear in all the places we might look for the server name: the URL, the referrer and the header for each client request coming to the server.  We can't really enforce security around the server name in the URL; it is just the address where someone found us.  Once they find us, however, we can enforce security around the server name in the referrer, as shown above, and in the header.  If these are not what we are expecting, we should reject the request or fix the server name.  In particular, we need a good server name to use for the cookie Domain. You can provide a cookie to the browser using any Domain, but since you want the browser to return it, the cookie Domain setting needs to match the target server of THE CLIENT request.  From the other side of a reverse proxy, your best bet for a working cookie Domain is the server name that the client places in the request referrer.  But if there is no referrer, the acceptable server name in the request object should be used.

If that is the poor-man’s solution, what does the wealthy Java programmer do?  Well, he can stamp every web page he delivers with a random value and validate the value when that web page is submitted.  If the random value is stored in a session cookie, then it will be returned only with valid requests.  We will see how I implemented that solution.

There are several places where a per-page random value can be stored, and we are going to place that value in three of them:  the web page form, a web page cookie and in the server-side session for that client.  There are a couple scenarios where we can be assured that CSRF has not occurred – when all the stored values are null (that would be the first request for this client session), or when all the stored values are equal.  One more instance where we do not flag the submission as a potential CSRF is when the request is coming from an http GET and has no form – we will be pretty strict about that exception.  This would only be something we need to deal with when the client has an existing session for this application and then clicks on a link (GET request) for the same application.

To test whether a form has been submitted, and a form is the only way our per-page random value will be returned, we check the method of the request.  If it is a GET request, then there is no form.  But that is not a sufficient reason to throw open the gate.  We need to assure that the client is not submitting unexpected data in the GET (in the URL).  However, we may want to submit some data through a GET request, and we need to test for each valid GET.  In this example, the request is a “form” submission (and will need to include a valid per-page random value) unless it meets these criteria:  It is a GET request and has no data parameters or has one data parameter that is “reload”.

        // Anchor tags into myapp (isForm = false) don't have nonce. 
        // Flush has one parameter, otherwise zero. 
        boolean isForm = true;
        String doFlush = request.getParameter( "reload" );
        if( request.getMethod().equals( "GET" ) ) {
            @SuppressWarnings("rawtypes")
            Map pMap = request.getParameterMap();
            if( pMap.size() == 0 ) isForm = false;
            else if( pMap.size() == 1 && doFlush != null ) isForm = false;
        }

Here is a fun word to say, and one that technically fits this scenario: “nonce”, or “number used once”.  We will deliver a nonce with each web page and validate it with each form submittal.

        // On forms, check nonce
        if( isForm ) {
            boolean isNonceOK = 
                checkNonceCookie( hostSrvrName, request, response );
            // Need to set cookie before throw Exception if( ! isNonceOK )
            setNonceCookie( hostSrvrName, referrerName, request, response);
            if( ! isNonceOK ) { 
                System.out.println( "Nonce Problem coming from: " + 
                    clientIP );
                throw new ServletException();
            }
        } else setNonceCookiehostSrvrName, referrerName, request, response);

In my application coding, I normally log the exception where it happens, then throw an application-specific Exception (not shown in the code above), and simply pass that along in any other methods, finally catching it at the doPost() or doGet() method in order to return an error page with a form and nonce of its own.  For that reason, before I throw the exception, I set a new nonce value to be sent with the Error page.  I will plan to provide the details of that process in another blog message.

Note that even if we are not coming from a form, we need to set a nonce cookie in the form we will be returning.

There are two methods that I will describe here, checkNonceCookie() and setNonceCookie().  Let me explain the set method first.  Here is the basic code:

    // The nonce cookie is intended to avoid Cross-Site Request Forgery
    private static SecureRandom rand = new SecureRandom();
    static {
        rand.nextLong();
        rand.nextLong();
    }
    private static void setNonceCookie(
        String hostSrvrName, String referrerName,
        HttpServletRequest request, HttpServletResponse response )
    {
        try {
            String randNonce = String.valueOf( rand.nextLong() );
            String encodedNonce = encode( randNonce );
            HttpSession session = request.getSession(true);
            session.setAttribute( "nonce", encodedNonce );
            request.setAttribute( "nonce", encodedNonce );
            // We encrypt the nonce value and place it in the cookie so that
            // a hacker may not generate a cookie and matching form nonce
            // (can't spoof our cookie)
            String cryptNonce =
                getCryptResult( hostSrvrName, encodedNonce, request );
            // Cookie class does not support Expires date - manually one hour
            SimpleDateFormat cookieDateFormat = new SimpleDateFormat(
                "EEE, dd-MMM-yyyy HH:mm:ss" );
            // Set the formatter timezone so the numeric value
            // matches "GMT" in the cookie
            cookieDateFormat.setTimeZone( TimeZone.getTimeZone("GMT") );
            Date cookieDate = new Date();
            cookieDate = new Date( cookieDate.getTime() + 60L * 60L * 1000L);
            String expiresDate = cookieDateFormat.format( cookieDate );
            // Perhaps use defaultNetworkName as Domain to permit this cookie
            // for all hostnames in network
            // including DNS aliases and reverse proxy header rewrites
            String mCookieString = applName + "_nonce_" + hostSrvrName + "="
                + cryptNonce + "; Path=/; Domain="
                //+ defaultNetworkName + "; Expires=" + expiresDate
                + referrerName + "; Expires=" + expiresDate
                + " GMT; Secure; HttpOnly";
            response.addHeader( "Set-Cookie", mCookieString );
        } catch (Exception x) {
            System.out.println( "setNonceCookie: " + x.toString() );
        }
    }

Observe that we are encrypting the nonce value, using a method that I often employ (shown below) so that the cookie cannot be easily spoofed – a cookie and matching nonce would be difficult for a hacker to generate.  We don’t want to be totally dependent on a “difficulty”, so any matching nonce value from a form and from a cookie will need to also match a value that we set in the server-side session.  Notice in the code above that in addition to creating the cookie and setting it in the header, we also set the session attribute, “nonce” with that value and the request attribute, “nonce” with that value.  One common practice for placing the nonce value in an html form is by using Java Server Pages (JSPs) and perhaps the JSP Standard Tag Library (JSTL) core functions to get the value from the request attribute.  Here is an example JSP snippet:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<FORM NAME='mForm' METHOD=POST />'>
<INPUT TYPE='hidden' NAME='nonce' VALUE='<c:out value="${nonce}" />' />
<INPUT TYPE='submit' VALUE='Retry' />
</FORM>

Those three value settings (the form, the cookie and the session) will be compared in the checkNonceCookie() method.  If they are all blank, or if they all match, then a legitimate form is being submitted.  In certain circumstances (occasionally from a reverse proxy) a cookie will be returned even though a new browser session has been established, so there is no form or session nonce.  So for that reason, just check if those two are blank and ignore the cookie.  Here’s the code:

    private static boolean checkNonceCookie( String hostSrvrName,
        HttpServletRequest request, HttpServletResponse response )
    {
        boolean rtrnBool = true;
        try {
            HttpSession session = request.getSession(true); 
            Object sessNonceObj = session.getAttribute( "nonce" ); 
            // If user leaves page up, will have form nonce and cookie, but no session 
            // So don't do anything (ignore all input), just display start page 
            if( sessNonceObj == null || sessNonceObj.toString().equals("")) { 
                    ifisDebug ) System.out.println( 
                            "Going to Start: " + request.getRemoteUser() ); 
                    request.setAttribute( "goToStart""true" ); 
                    return true; 
            } 
            String formNonce = request.getParameter( "nonce" ); 
            String cookieCryptNonce = null; 
            String cookie = request.getHeader("cookie") + ";";
            // TEMPORARY ONLY
            ////if( isDebug ) System.out.println( "cookie: " + cookie );
            int start = cookie.indexOf( applName + "_nonce_" +
                hostSrvrName + "=" );
            if (-1 < start) { // cookie exists
                int end = cookie.indexOf( ";", start );
                String nonceCookie = cookie.substring( start, end );
                start = nonceCookie.indexOf( "=" );
                cookieCryptNonce = nonceCookie.substring( start + 1 );
            }
            if( isDebug ) {
                System.out.println( "sessNonceObj: " + 
                    (String)sessNonceObj );
                System.out.println( "formNonce: " + formNonce );
                System.out.println( "cookieCryptNonce: " + 
                    cookieCryptNonce );
            }
            rtrnBool = false; // if exception is thrown - this is returned
            if( ! formNonce.equals( (String)sessNonceObj ) ) return false;
            String cryptNonce = getCryptResult( hostSrvrName,
               (String)sessNonceObj, request );
            if( isDebug ) System.out.println( "cryptNonce: " + cryptNonce );
            if( cryptNonce.equals( cookieCryptNonce ) ) return true;
            return false;
        } catch( Exception x ) {
            System.out.println( "checkNonceCookie: " + x.toString() );
            return rtrnBool;
        }
    }

In checkNonceCookie(), above we get the encrypted value that we stored in the cookie, then we encrypt the values again.  We compare the cookie value with the newly encrypted value.
My code for the getCryptResult() method is like the following.  It creates an encrypted value that is also rather specific to the client browser.  Also, to get the encrypted value into a representation that is easily included in a web page, we encode it.  I’ll also show a Hex encoding method that I’ve published in a previous blog post; although, I have a hardened version I present in my book, Expert Oracle and Java Security.

    // Requires Java Cryptography Extension (JCE)
    // Unlimited Strength Jurisdiction Policy Files 6
    private static byte[] salt = { (byte) 0x8d, (byte) 0xc8, (byte) 0xdf,
        (byte) 0x65, (byte) 0xb4, (byte) 0x94, (byte) 0x43, (byte) 0x8e };
    private static int itCount = 24;
    private static PBEParameterSpec pbeParamSpec = new
        PBEParameterSpec( salt, itCount );
    private static SecretKeyFactory keyFac;
    private static Cipher pbeCipher;
    private static String algorithm = "PBEWithSHA1AndDESede";
    static {
        try {
            keyFac = SecretKeyFactory.getInstance( algorithm );
            algorithm = keyFac.getAlgorithm();
            pbeCipher = Cipher.getInstance( algorithm );
        } catch (Exception x) {}
    }
    static String getCryptResult( String srvrName, String randNonce,
            HttpServletRequest request ) 
    {
        String rtrnString = "";
        try {
            PBEKeySpec pbeKeySpec =
                new PBEKeySpec(randNonce.toCharArray());
            SecretKey pbeKey;
            String clearText = request.getRemoteAddr().substring(0, 10)
                + request.getHeader( "profile" )
                + randNonce + srvrName
                + request.getHeader( "user-agent" );
            byte[] bytesOfMessage = clearText.getBytes( "UTF-8" );
            MessageDigest md = MessageDigest.getInstance( "MD5" );
            byte[] thedigest = md.digest( bytesOfMessage );
            byte[] cryptText;
            synchronized( pbeCipher ) {
                pbeKey = keyFac.generateSecret( pbeKeySpec );
                pbeCipher.init(Cipher.ENCRYPT_MODE, pbeKey, pbeParamSpec);
                cryptText = pbeCipher.doFinal( thedigest );
            }
            rtrnString = encode( cryptText );
        } catch (Exception x) {}
        return rtrnString;
    }

    static String encode( byte[] bytes ) {
        StringBuffer sBuf = new StringBuffer();
        try {
            for( byte b: bytes ) {
                sBuf.append( String.format( "%02X", b ) );
            }
        } catch( Exception x ){}
        return sBuf.toString();
    }

Note that this blog site and my book, Expert Oracle and Java Security, will give you further tools for your application security efforts.

1 comment:

  1. As you have seen, patching existing code or creating non-vulnerable code can be really time consuming. Nevertheless, CSRF attacks can cause serious business impact if successfully deployed. That's why it is imperative to guard our web applications against cross site request forgery csrf attacks.

    ReplyDelete