Cross-site Request Forgery (CSRF) is an attack in which a user's browser is made to send a request to a target site without the user's knowledge. The key to a CSRF attack is that the target server cannot tell whether a request is coming from a real user or from an attacker. The general course of the attack is as follows: first, the attacker induces the user to open a web page the attacker controls. That page contains a request that is sent automatically to the target server; as soon as the page loads normally, the request goes out. From the server's point of view, this request looks exactly like a normal request sent by the user, but it was initiated by the attacker and the user is unaware of it. Because the request carries some of the user's credentials, the attacker can make use of those credentials to reach user information, which creates a security risk.

This article introduces CSRF, the CSRF security plug-in for Apache APISIX, and details how to use the CSRF plug-in in Apache APISIX to secure your API information.

Plugin introduction

The CSRF plug-in is implemented on the Double Submit Cookie scheme. Following RFC 7231, section 4.2.1, we refer to GET, HEAD and OPTIONS as safe methods. In line with this convention, the CSRF plug-in lets requests using these three methods through without checking them, but checks every other method and blocks unsafe requests that fail the check.

To defend against CSRF attacks, we need a token or identifier that cannot be forged, and we need to ensure that it is not sent along with the attacker's request. The token the CSRF plug-in relies on must be carried by the user in a request header, and its signature is computed with a secret key. This ensures that the token cannot be forged by others, and so protects the API.

After the CSRF plug-in is enabled on a route, every request to that route receives a Cookie containing the CSRF token.

For unsafe requests to the route, the user must send this Cookie and must also add a request header carrying the content of the Cookie. The header field name is the name value from the plug-in configuration. Only then can the request pass the CSRF plug-in's verification.

The user provides a random key in the plug-in configuration. The plug-in uses that key to compute a SHA-256 signature over the token information and then generates the CSRF token, which ensures that the token cannot be forged.

How to use

Configure routes for enabling the CSRF plug-in

Create a route in APISIX using the Admin API and enable the CSRF plug-in:

curl -i http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
  "uri": "/hello",
  "plugins": {
    "csrf": {
      "key": "edd1c9f034335f136f87ad84b625c8f1"
    }
  },
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "127.0.0.1:9001": 1
    }
  }
}'

The plug-in has three configuration items:

  • key: the value of the random key. The user must supply it.
  • expires: optional. Lifetime of the CSRF token, 7200 seconds by default. Because the token is delivered to the client in a Cookie, this value is also used as the Cookie's expiration time. The plug-in additionally uses it internally to decide whether a token has expired.
  • name: the name of the CSRF token. The default value is apisix-csrf-token.

Testing with requests

First use a POST request to access the route:

curl -i -X POST http://127.0.0.1:9080/hello

Apache APISIX intercepts the request and returns a 401 error. In the returned headers you will find that a Cookie is set. If the plug-in's name field was not configured, the Cookie will contain the default name, apisix-csrf-token=.... This is the CSRF token generated by the CSRF plug-in. In subsequent requests you must make sure the request carries this Cookie and that the same token is written into the request header.

HTTP/1.1 401 Unauthorized
Set-Cookie: apisix-csrf-token=eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ==; path=/; Expires=Mon, 13-Dec-21 09:33:55 GMT
{"error_msg":"no csrf token in headers"}

Example of client-side JavaScript: read the cookie with js-cookie and send requests with axios.

import Cookie from 'js-cookie';
import axios from 'axios';

// Read the CSRF token that the plug-in set in the cookie (default name).
const token = Cookie.get('apisix-csrf-token');

// Every request made through this instance repeats the token in the header
// the plug-in checks; the browser sends the cookie alongside it.
const instance = axios.create({
  headers: {'apisix-csrf-token': token}
});

If the token in the Cookie is inconsistent with the token in the request header, the request will be intercepted by the CSRF plug-in, as shown in the following example:

curl -i http://127.0.0.1:9080/hello -X POST -H 'apisix-csrf-token: differenteyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ==' -b 'apisix-csrf-token=eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ=='
HTTP/1.1 401 Unauthorized
Set-Cookie: apisix-csrf-token=eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ==; path=/; Expires=Mon, 13-Dec-21 09:33:55 GMT
{"error_msg":"csrf token mismatch"}

Using curl to verify normal access:

curl -i http://127.0.0.1:9080/hello -X POST -H 'apisix-csrf-token: eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ==' -b 'apisix-csrf-token=eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ=='
HTTP/1.1 200 OK

Internally, the plug-in first checks that the token in the Cookie is identical to the token carried in the request header, and then recalculates the signature to verify that the token itself is valid.
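The token format and the two checks described above (token generation with a keyed SHA-256 signature, then cookie/header comparison plus signature recalculation), as an added example in Python. This is not code from the article or from APISIX's own Lua plug-in. It mirrors the shape of the cookie shown earlier (base64 of a JSON object with random, expires and sign fields, the signature being a base64 SHA-256 digest) and reuses the two error messages from the responses above; the exact string that is hashed, the use of an absolute expiry timestamp, and the "signature invalid" and "expired" messages are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# The first two strings appear in the 401 responses above; the other two are
# constructed for this example and are not the plug-in's own messages.
NO_HEADER = "no csrf token in headers"
MISMATCH = "csrf token mismatch"
BAD_SIGN = "csrf token signature invalid"   # constructed
EXPIRED = "csrf token expired"              # constructed

# RFC 7231 safe methods: passed through without a CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# The cookie value from the 401 response above, used here only to show decoding.
PAGE_TOKEN = ("eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJc"
              "L09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44MG9ldz0ifQ==")


def _sign(random_value, expires, key):
    """SHA-256 over the token fields plus the secret key, base64-encoded.

    The layout of the signed string is an assumption of this example; the
    point is that without `key` nobody can produce a valid `sign` for
    fields of their own choosing.
    """
    msg = "{{expires:{},random:{},key:{}}}".format(expires, random_value, key)
    return base64.b64encode(hashlib.sha256(msg.encode()).digest()).decode()


def encode_token(payload):
    """Serialize a token the way the cookie above carries it: base64(JSON)."""
    return base64.b64encode(json.dumps(payload).encode()).decode()


def decode_token(token):
    return json.loads(base64.b64decode(token))


def gen_token(key, lifetime=7200, now=None):
    """Issue a fresh token; `lifetime` plays the role of the `expires` option.

    Assumption: this example stores an absolute expiry time in the token,
    whereas the cookie shown above carries the configured lifetime (7200).
    """
    now = int(time.time()) if now is None else now
    payload = {"random": secrets.token_hex(16), "expires": now + lifetime}
    payload["sign"] = _sign(payload["random"], payload["expires"], key)
    return encode_token(payload)


def check_request(method, cookie_token, header_token, key, now=None):
    """Decide whether one request passes, returning (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, not checked"
    if not header_token:
        return False, NO_HEADER
    # Double Submit Cookie: the header must repeat the cookie exactly.
    if cookie_token != header_token:
        return False, MISMATCH
    # Recompute the signature so a token forged without the key is rejected.
    try:
        fields = decode_token(header_token)
        expected = _sign(fields["random"], fields["expires"], key)
        sign = fields["sign"]
    except (ValueError, KeyError, TypeError):
        return False, BAD_SIGN
    if not isinstance(sign, str) or not hmac.compare_digest(expected, sign):
        return False, BAD_SIGN
    now = int(time.time()) if now is None else now
    if not isinstance(fields["expires"], int) or now > fields["expires"]:
        return False, EXPIRED
    return True, "ok"


if __name__ == "__main__":
    KEY = "edd1c9f034335f136f87ad84b625c8f1"   # the key from the route config above
    token = gen_token(KEY)
    print(decode_token(PAGE_TOKEN))
    print(check_request("POST", token, None, KEY))              # no header
    print(check_request("POST", token, "different" + token, KEY))  # mismatch
    print(check_request("POST", token, token, KEY))             # ok
```

Decoding PAGE_TOKEN shows the three fields the plug-in puts in the cookie; the sign field is 44 base64 characters, the size of a SHA-256 digest. The check order matches the responses above: a missing header is reported before a mismatch, and only a header that repeats the cookie reaches the signature and expiry checks, so an attacker's page, which cannot read the cookie, cannot supply a matching header.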

Disable the plug-in

To disable the CSRF plug-in, remove the configuration information and send a request to update the route.

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
  "uri": "/hello",
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "127.0.0.1:1980": 1
    }
  }
}'

Conclusion

This article has described in detail how the CSRF plug-in works and how to use it. We hope it gives you a clearer understanding of how to use the plug-in in Apache APISIX to block CSRF attacks, and helps you apply it in real-world scenarios.