Option for disabling XSRF-Token for PCI-DSS Compliance

[ulc-brian]

We utilize the Laravel Framework for many of our e-commerce websites. Annually we have to review all of our systems by penetration testers who analyze everything and provide recommendations or requirements before we can be fully compliant with the PCI-DSS Standards. One such issue that has been brought up this year is the use of the XSRF-Token which is stored in an encrypted cookie and contains a CSRF token. The purpose of this cookie is for use with JavaScript Frameworks which can be convenient. However, our penetration testers are requiring that this cookie be disabled as it is against OWASP standards. Our penetration testers have said:

A CSRF token was detected in cookies dispensed by the web application. CSRF tokens (anti-cross-site request forgery tokens) are designed to prevent external, malicious sites from initiating actions on behalf of your users if your users visit them whilst logged in. These tokens should therefore belong, random and regenerated for each request. Storing CSRF tokens in cookies is dangerous, as it renders them ineffective and causes them to be re-used across multiple requests.

References:
https://security.stackexchange.com/questions/32761/storing-anti-csrf-token-in-cookie
https://owasp.org/www-community/Anti_CRSF_Tokens_ASP-NET
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#javascript-guidance-for-auto-inclusion-of-csrf-tokens-as-an-ajax-request-header

A CSRF token can be included in the <meta> tag as shown below. All subsequent calls in the page can extract the CSRF token from this <meta> tag. It can also be stored in a JavaScript variable or anywhere on the DOM. However, it is not recommended to store it in cookies or browser local storage.

Their recommendation is to simply have the Javascript frameworks utilize the information that is stored in the meta csrf-token tag as that seems to be an acceptable and secure practice.

With that said, I understand the convenience of this and I also understand many are not having to worry about PCI-DSS compliance. I think it would be useful to have a simple mechanism in place where we can disable or enable XSRF-Token cookies. Either that or completely scrap the use of it if you want Laravel to follow OWASP guidelines which PCI-DSS Standards look at, and probably others like SOC 2, HIPAA and so forth.

For now we will simply extend the framework, but I am willing to bet others who have to PCI-DSS Compliance to worry about may have to do something similar. Thus a setting like that may be useful for other users of the Laravel Framework.

[ulc-brian]

I should note that extending is rather easy to resolve this, but might be more appropriate as part of the configuration which a description about the security implications and PCI-DSS. To disable this cookie from being set, in the VerifyCsrfToken middleware:

protected $addHttpCookie = false;

Will disable this cookie from being set.

However, it does not prevent the code from looking for that X-XSRF-TOKEN on every request. Thus if it is set (or set previously before you disabled the cookie), or if someone were to fake it, it will still try to use it. Ideally that getTokenFromRequest would consider the value of $this->shouldAddXsrfTokenCookie() before attempting to read X-XSRF-TOKEN. The fact this is all encrypted makes it rather difficult to abuse in my opinion though.