
Can someone please explain (hopefully in simple words for newbies) why a web application built upon a RESTful API can be CSRF exempt?

I received such an assertion after asking: Serializing FormView data in JSON, but honestly I can't figure out why.

Thanks in advance

Adib Aroui
  • It makes sense if the REST API is used by a browser. If it's not used by a browser (say curl) then CSRF is not an issue. – Neil McGuigan Aug 10 '15 at 04:29

2 Answers

According to owasp.org:

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

This is not an issue for REST Web services because either:

1) you usually want your service to be accessible from multiple applications (Mobile app, browser, etc.)

2) you have to provide direct authentication for each request, so this kind of attack is not applicable to REST services. The authentication is done by your application (let's say JavaScript) and not directly by your browser (sending the session id), so even if a malicious application redirects the user to your webpage, it cannot automatically trigger your JavaScript function to perform the request (and the authentication).

SimoV8
  • I don't agree with 1) and don't understand 2). I am sorry for maybe being a moron, but what I know is that the browser can be one of the consumers of an API (we tend nowadays to return JSON from the server instead of HTML to widen the set of possible clients in the upcoming internet of things (JS web app, a native iOS app, a native Android app, even a smart device like a toaster...)). So the browser is one of them. Also `authentication is done by your application (let's say javascript) and no directly by your browser` makes me feel I am zero. Any links or documentation are highly appreciated. Thanks so much – Adib Aroui Aug 10 '15 at 14:49

CSRF, or Cross-Site Request Forgery protection, in layman's terms, is meant to allow only selected sources (your own website) to submit data to a particular URL. It prevents misuse of your functionality by other websites or robots.

Say I have a URL for registration, /registration/, but I don't want to allow external submission of POST data to /registration/. So, I would provide a CSRF cookie (depending on host and other stuff) when a GET request is issued for /registration/, and ensure that the same cookie is provided with the POST request. This will ensure that users who have requested the registration form (i.e. genuine web users, not robots) would be able to register. It is not completely foolproof, but ensures some level of security.

Now, we don't use CSRF in APIs due to the following:-

  1. Technically, CSRF is stored as a cookie; since the browser is not the intended client of APIs, it is of no use.

  2. Secondly, APIs are supposed to use specialized client and user authentication, thereby eliminating the need for using any CSRF protection.

  3. Thirdly, RESTful APIs are supposed to be stateless, therefore the order of API calls should not matter, which is essential for the working of CSRF.

Note:-

If you have a frontend framework like Angular or intend to use APIs in the browser too, then it is perfectly OK to use CSRF. In that case you are supposed to write two types of authentication for your APIs.

  1. Token Based Authentication - for non-browser clients
  2. Session Authentication - for browser based clients (with CSRF)

In this case, any request to the API must authenticate with at least one of the authentication methods.

hspandher
  • I see that you also have the same idea as SimoV8 (that the browser is not the intended client of the API). Please, to clear my confusion: I am building a web project that I want to be reachable by the maximum of devices, so I am swapping from HTML rendering to JSON. Can we say that I am building an API? The browser is the first intended target but I also want data to be reachable by a mobile app.... Thanks in advance and especially for explaining the CSRF attack as simply as you did – Adib Aroui Aug 10 '15 at 12:37
  • I thought you intend to use csrf with external clients of your api. My bad, I have edited my answer. Let me know, in case you have any doubts. – hspandher Aug 10 '15 at 13:24
  • Thanks for your post, edit and time. It becomes more clear now. If I have questions I will post them separately and give a sign here. Again thanks and have a good day – Adib Aroui Aug 10 '15 at 14:41
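As an added example (not code from either answer), here is the split hspandher's note describes: a request authenticated by an explicit bearer header skips the CSRF check, because a cross-site page cannot make the browser attach that header, while a request authenticated by the ambient session cookie must also carry the per-session CSRF token on state-changing methods. The session store, token table and request dicts are constructed stand-ins, not a real framework API.

```python
import hmac
import secrets
from typing import Tuple

# Constructed in-memory stands-ins for a session backend and an API token table.
SESSIONS = {"sess-abc": {"user": "alice", "csrf": "tok-123"}}
API_TOKENS = {"api-key-xyz": "mobile-app"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Mint a fresh CSRF token and bind it to the session (the 'GET /registration/' step)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf"] = token
    return token


def authorize(request: dict) -> Tuple[bool, str]:
    """Decide whether a constructed request {'method', 'headers', 'cookies'} may proceed."""
    method = request["method"].upper()
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    cookies = request.get("cookies", {})

    # 1. Explicit credential in a header. A browser never adds this on its own,
    #    so a third-party page cannot forge it: no CSRF token is required.
    auth = headers.get("authorization", "")
    if auth.startswith("Bearer "):
        client = API_TOKENS.get(auth[len("Bearer "):])
        return (True, f"token client {client}") if client else (False, "bad bearer token")

    # 2. Ambient credential (session cookie). The browser attaches it to every
    #    request, including ones another site triggered, so any method that can
    #    change state must also present the token bound to this session.
    session = SESSIONS.get(cookies.get("sessionid", ""))
    if session is None:
        return False, "unauthenticated"
    if method in SAFE_METHODS:
        return True, f"session user {session['user']} (safe method)"
    supplied = headers.get("x-csrf-token", "")
    if supplied and hmac.compare_digest(supplied, session["csrf"]):
        return True, f"session user {session['user']} (csrf ok)"
    return False, "missing or invalid csrf token"
```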