Need

Secure transmission of sensitive information in session tokens

Context

• Usage of Python 3 for programming and scripting
• Usage of Django for building web applications in Python

Description

Non compliant code

        from django.http import HttpResponseRedirect

def send_token(request):
    token = request.session['jwt_token']
    redirect_url = "/dashboard?token=" + token
    return HttpResponseRedirect(redirect_url)
        
        

In the above code, the JWT token is obtained from the session and then appended to the URL as a parameter. This is done in the send_token function, which is likely to be a view function in a Django application.

When this function is called, it gets the JWT token from the session: token = request.session['jwt_token'].

Then, it creates a URL for the redirect, appending the token as a parameter: redirect_url = "/dashboard?token=" + token.

Finally, it returns a HttpResponseRedirect to the constructed URL: return HttpResponseRedirect(redirect_url).

The problem with this code is that the JWT token, which is sensitive information, is sent via the URL. This means that it will be stored in the browsing history and could potentially be accessed by an attacker with access to the machine. This is a serious security vulnerability, as it could allow an attacker to impersonate a user if they get hold of their JWT token.

It's also worth noting that URLs can be logged in various places (like browser history, network appliances that make a point of logging the first line of an HTTP request, and in the 'referrer' header when navigating to another site), making it even riskier to include sensitive data in the URL.

Steps

• Instead of sending the JWT token via URL parameters, store it in a secure HTTP only cookie.
• Use Django's built-in sessions framework to manage user sessions securely.
• Ensure that the secure flag is set on the cookie to prevent transmission over unencrypted connections.
• Set the HttpOnly flag to prevent access to the cookie from client-side scripts, reducing the risk of XSS attacks.
• Use the SameSite attribute to prevent the cookie from being sent in cross-site requests, reducing the risk of CSRF attacks.

Compliant code

        from django.http import HttpResponseRedirect

def send_token(request):
    token = request.session['jwt_token']
    response = HttpResponseRedirect("/dashboard")
    response.set_cookie(
        'jwt_token', 
        token, 
        secure=True, 
        httponly=True, 
        samesite='Strict'
    )
    return response
        
        

The updated code now stores the JWT token in a secure HTTP only cookie instead of sending it via URL parameters. This is done using Django's built-in set_cookie method on the HttpResponseRedirect object.

The set_cookie method is used to set the 'jwt_token' cookie to the value of the JWT token. The secure parameter is set to True to ensure that the cookie is only sent over HTTPS, preventing the token from being transmitted over unencrypted connections.

The httponly parameter is set to True to prevent the cookie from being accessed by client-side scripts. This reduces the risk of XSS (Cross-Site Scripting) attacks where an attacker might try to access the token through JavaScript.

The samesite parameter is set to 'Strict' to prevent the cookie from being sent in cross-site requests. This reduces the risk of CSRF (Cross-Site Request Forgery) attacks where an attacker might try to trick a user into performing an action they did not intend to.

By making these changes, the JWT token is now stored and transmitted more securely, reducing the risk of it being intercepted or accessed by attackers.

References

• 276. Sensitive information sent via URL parameters - Session