Missing cross-site request forgery token validation query (experimental)

[aegilops]

New version of the existing cs/web/missing-token-validation query that adds:

1. support for AspNetCore
2. lower tolerance for false negatives

Any POST method without either an explicit CSRF attribute, or an identifable global CSRF filter, will be reported as an alert.

This is in contrast to the existing approach, which only alerts if one method is missing a CSRF filter, where others are not.

The existing approach is quite permissive, and results in missing results in both synthetic web applications and in real applications.

[github-actions]

QHelp previews:

csharp/ql/src/experimental/CWE-352/MissingAntiForgeryTokenValidationAspNetCore.qhelp

Missing cross-site request forgery token validation

Web applications that use tokens to prevent cross-site request forgery (CSRF) should validate the tokens for all HTTP POST requests.

Although login and authentication methods are not vulnerable to traditional CSRF attacks, they still need to be protected with a token or other mitigation. This because an unprotected login page can be used by an attacker to force a login using an account controlled by the attacker. Subsequent requests to the site are then made using this account, without the user being aware that this is the case. This can result in the user associating private information with the attacker-controlled account.

Recommendation

The appropriate attribute should be added to this method to ensure the anti-forgery token is validated when this action method is called. If using the MVC-provided anti-forgery framework this will be the [ValidateAntiForgeryToken] attribute.

Alternatively, you may consider including a global filter that applies token validation to all POST requests.

Example

In the following example an ASP.NET MVC Controller is using the [ValidateAntiForgeryToken] attribute to mitigate against CSRF attacks. It has been applied correctly to the UpdateDetails method. However, this attribute has not been applied to the Login method. This should be fixed by adding this attribute.

using System.Web.Mvc;

public class HomeController : Controller
{
    // BAD: Anti forgery token has been forgotten
    [HttpPost]
    public ActionResult Login()
    {
        return View();
    }

    // GOOD: Anti forgery token is validated
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult UpdateDetails()
    {
        return View();
    }
}

References

• Wikipedia: Cross-Site Request Forgery.
• Microsoft Docs: XSRF/CSRF Prevention in ASP.NET MVC and Web Pages.
• Common Weakness Enumeration: CWE-352.

[aegilops]

I should expand this to cover other definitely state-changing HTTP verbs, such as DELETE and PUT - I think I kept it at just POST to reflect the existing one.

This will not cover CSRF with GET requests, since that would require detecting state-changing GET requests, which requires analysis of the side-effects of the method that handles the request, and is much more involved.

[michaelnebel]

Thank you very much for the contribution - it would be really great if we can get ASP.NET coverage for this query as well! Good work!

Some overall questions and comments
(1) The comments about the QL doc need to be addressed.
(2) It looks like the primary “controversial” difference between the new experimental and the existing query is the removal of the assumption about the presence of at least one of the “interesting” attributes before we start to produce alerts. Do you see any reason why the original query wouldn’t benefit from also producing alerts for missing token validation of POST methods in ASP controllers? If not, then maybe we should consider unifying the logic and incorporate the ASP parts into the existing query and re-use this for the experimental query where the only difference is the part about the presence of at least one “interesting” attribute.

[michaelnebel]

Maybe add some more tests.
(1) Since ASP.NET is now covered by this query, then maybe add a test for an ASP like controller (using Microsoft.AspNetCore.Mvc).
(2) Maybe add a test where one of the CSRF attributes is added to the controller (or a super type of the controller). (I know that this is not covered by the test for the original query - but it would be great to cover it as well).
(3) The most complicated logic is in the "global" add filter logic - I think it would be great to add some tests for this as well.

[michaelnebel]

Why do we allow this? The description of the attribute states that "A filter that skips antiforgery token validation.".

[michaelnebel]

The existing query assumes that if none of the attributes to ensure token validation is identified, other means of validation are performed (contrary to this query). Do you think that was a bad assumption on the original query?

[michaelnebel]

Maybe an ASP example would make sense instead (this is also what is mentioned in the qlhelp).

[michaelnebel]

Use hasFullyQualifiedName instead.

[michaelnebel]

Maybe mention that this query also covers MVC.

[michaelnebel]

nit: This is because

[michaelnebel]

The the second argument of AddRazorPages is of type Action<RazorPageOptions> and RazorPageOptions doesn't have a Filter property.
Should the logic also check that the first parameter to the lambda is of type MvcOptions?

[michaelnebel]

If all the methods are in Microsoft.Extensions.DependencyInjection then maybe we should check the qualifier?

[michaelnebel]

Should we also cover the method Add<TFilterType>(Int32)?