Cross-site Request Forgery (CSRF) is a cross-site Request Forgery. The key to a cross-site request forgery attack is that the target server cannot tell whether many requests are coming from real users or attackers. The general process of attack is as follows: First, the attacker will induce users to navigate to the web page provided by the attacker. The page contains a request that is automatically sent to the target server. The page then loads normally and the request is automatically sent to the server. From the server’s point of view, this request looks exactly like a normal request sent by the user, but it is initiated by an attacker and the user is unaware of it. Because the request carries some of the user’s credentials, an attacker can obtain user information by parsing these credentials, thus creating security risks.
This article introduces CSRF, the CSRF security plug-in for Apache APISIX, and details how to use the CSRF plug-in in Apache APISIX to secure your API information.
The plugin is introduced
CSRF plug-in is implemented based on Double Submit Cookie scheme. As defined in RFC 7231#section-4.2.1, we refer to GET, HEAD, and OPTIONS as security methods. According to this convention, the CSRF plug-in passes all three methods directly, but checks the other methods and blocks unsafe requests.
To defend against CSRF attacks, we need to make a token or identifier that cannot be forged, and ensure that this is not sent with the attacker’s request. The user needs to carry the token that the CSRF plug-in depends on in the request header, and the token uses the key to calculate the signature. This ensures that the token cannot be forged by others, thus ensuring the security of the API.
After the CSRF plug-in is enabled on a route, all requests to access the route contain cookies containing the CSRF token.
The user needs to carry this Cookie in unsafe requests to the route and add additional fields in the request header to carry the contents of the Cookie. Field is the name value in the plug-in configuration so that the request can pass the verification of the CSRF plug-in.
The user provides a random key in the configuration of the plug-in. The plug-in uses the key to encrypt the token information with sha256 hash and then generates the CSRF token to ensure that the token cannot be forged.
How to use
Configure routes for enabling the CSRF plug-in
Create a route in APISIX using the Admin API and enable the CSRF plug-in:
The curl -i http://127.0.0.1:9080/apisix/admin/routes/1 - H 'X - API - KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "uri": "/hello", "plugins": { "csrf": { "key": "Edd1c9f034335f136f87ad84b625c8f1}}", "upstream" : {" type ":" roundrobin ", "nodes" : {" 127.0.0.1:9001 ": 1}}} 'Copy the code
There are three configuration items for plug-ins:
key
: Specifies the value of the random key. The user needs to provide a random key.expires
: Optional. Expiration time of the random key. The default value is 7200 seconds. Because the CSRF token is sent to the client using a Cookie, the configuration is placed in the Cookie configuration to control the Cookie expiration time. Time is also calculated internally to determine whether the token has expired.name
: Indicates the CSRF token name. The default value isapisix-csrf-token
.
Send request test
First use a POST request to access the route:
The curl -i - X POST at http://127.0.0.1:9080/helloCopy the code
Apache APISIX intercepts the request and returns a 401 error. In the header returned, you will find that a Cookie is set. If the plug-in’s name field is not configured, the default value inside the Cookie should be apisix-csrF-token =…. . This is the CSRF token generated by the CSRF plug-in. In the request, you need to ensure that the request carries the Cookie and that the token is written in the request header.
HTTP/1.1 401 Unauthorized
Set-Cookie: apisix-csrf-token=eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm4 4MG9ldz0ifQ==; path=/; Expires=Mon,13-Dec- 21 09:33:55 GMT
{"error_msg":"no csrf token in headers"}
Copy the code
Example of client-side JavaScript: Read cookies using Js-cookie and send requests using AXIos.
const token = Cookie.get('apisix-csrf-token');
const instance = axios.create({
headers: {'apisix-csrf-token': token}
});
Copy the code
If the token in the Cookie is inconsistent with the token in the request header, the request will be intercepted by the CSRF plug-in, as shown in the following example:
Curl -i http://127.0.0.1:9080/hello - POST - H X 'apisix -- CSRF token: differenteyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0J RZXVDQm44MG9ldz0ifQ==' -b 'apisix-csrf-token=eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoY KJjbzhkS0JRZXVDQm44MG9ldz0ifQ = = 'HTTP / 1.1 401 Unauthorized Set - cookies: apisix-csrf-token=eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYk JjbzhkS0JRZXVDQm44MG9ldz0ifQ==; path=/; Expires=Mon, 13-Dec-21 09:33:55 GMT {"error_msg":"csrf token mismatch"}Copy the code
Using curl to verify normal access:
curl -i http://127.0.0.1:9080/hello -X POST -H 'apisix-csrf-token: eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoYkJjbzhkS0JRZXVDQm44 MG9ldz0ifQ==' -b 'apisix-csrf-token=eyJyYW5kb20iOjAuNjg4OTcyMzA4ODM1NDMsImV4cGlyZXMiOjcyMDAsInNpZ24iOiJcL09uZEF4WUZDZGYwSnBiNDlKREtnbzVoY kJjbzhkS0JRZXVDQm44MG9ldz0ifQ=='
HTTP/1.1 200 OK
Copy the code
The plug-in internally needs to verify whether the token in the Cookie is consistent with the token carried in the request header, and recalculates the signature to verify whether the token is valid.
Disable the plug-in
To disable the CSRF plug-in, remove the configuration information and send a request to update the route.
Curl http://127.0.0.1:9080/apisix/admin/routes/1 - H 'X - API - KEY: edd1c9f034335f136f87ad84b625c8f1 - PUT X - d' {" uri ": "/ hello," "upstream" : {" type ":" roundrobin ", "nodes" : {" 127.0.0.1:1980 ": 1}}} 'Copy the code
conclusion
This article describes the working mode and use method of CSRF plug-in in detail. It is hoped that this article can make you have a clearer understanding of using the plug-in to intercept CSRF attack in Apache APISIX, and facilitate the application in actual scenarios.