I have implemented the Spring Security extension's SPNEGO API for Single Sign-On in my application. Can anyone help me understand whether the Kerberos protocol or SPNEGO is CSRF safe? Do I need to implement CSRF safety explicitly even though I have implemented SPNEGO?
SPNEGO is an authentication API and CSRF is a browser/server security concept. I am not sure both are related even though they are talked about in terms of security. CSRF protection is used to prove server/client identity and SPNEGO is used to prove user identity – Sangram Jadhav Jun 09 '16 at 08:10
Alright, I understand. I had mixed it up with the Kerberos token. Thanks for the update. – Ashish Chauhan Jun 09 '16 at 08:15
@SangramJadhav I'm not sure this is entirely accurate; anything that automatically sends a token to an endpoint must have some CSRF protection, including Kerberos over SPNEGO. https://www.computerweekly.com/tip/CSRF-attack-How-hackers-use-trusted-users-for-their-exploits – Eran Medan Jul 11 '19 at 23:23
You need to implement CSRF protection whenever you have anything that automatically sends authentication information to a server. To my knowledge the only two mechanisms are cookies and Kerberos/NTLM over SPNEGO. With SPNEGO, whitelisted domains will get your Kerberos token on each request. An attacker could craft a form and trick a user into submitting it, and if the target is an API with SPNEGO support that the browser is whitelisted to send tokens to, it can trick the user into sending authentication information they didn't intend to, just like an authentication cookie.
Sources: https://www.computerweekly.com/tip/CSRF-attack-How-hackers-use-trusted-users-for-their-exploits and https://security.stackexchange.com/a/190903/12776

Eran Medan
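An added simulation of the mechanism the answer describes (example code, not from the question, the answer, or Spring Security Kerberos; every host, token and endpoint is constructed): the browser attaches the Negotiate token for any whitelisted host no matter which page issued the request, so the server proves identity with SPNEGO but must separately prove intent with a CSRF token and Origin check before acting on a state-changing request.

```python
"""Constructed model of SPNEGO SSO plus CSRF protection.
The browser side attaches Authorization: Negotiate for whitelisted hosts
(the real browser does this transparently after a 401 challenge); the
server side shows why that alone is not enough for POST requests."""
from dataclasses import dataclass, field
import secrets

# Constructed: hosts the simulated browser is configured to send Negotiate to,
# like the trusted-sites whitelist an SSO deployment pushes to browsers.
NEGOTIATE_WHITELIST = {"intranet.example.test"}
KERBEROS_TOKEN = "YIIC-constructed-spnego-token"  # stands in for a real GSS token


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def browser_request(method, host, path, origin_page, form=None):
    """Build a request as a SPNEGO-enabled browser would: Origin names the page
    that issued it, and the Kerberos token is added automatically whenever the
    destination host is whitelisted, regardless of who issued the request."""
    headers = {"Origin": origin_page}
    if host in NEGOTIATE_WHITELIST:
        headers["Authorization"] = f"Negotiate {KERBEROS_TOKEN}"
    return Request(method, host, path, headers, form or {})


class SpnegoServer:
    def __init__(self, csrf_protection=True):
        self.csrf_protection = csrf_protection
        self.csrf_token = secrets.token_hex(16)  # issued with the user's session
        self.own_origin = "https://intranet.example.test"

    def handle(self, req):
        """Return an HTTP-like status code for the request."""
        if req.headers.get("Authorization") != f"Negotiate {KERBEROS_TOKEN}":
            return 401  # SPNEGO challenge: identity not proven
        if req.method in ("GET", "HEAD") or not self.csrf_protection:
            return 200
        # Identity is proven, but intent is not: a state-changing request must
        # come from our own origin and carry the session's synchronizer token.
        if req.headers.get("Origin") != self.own_origin:
            return 403
        if not secrets.compare_digest(req.form.get("_csrf", ""), self.csrf_token):
            return 403
        return 200
```

With `csrf_protection=False` the forged POST is accepted purely on the strength of the auto-attached Kerberos token, which is the gap the answer points out.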