Affects: spring-boot-dependencies 2.3.4.RELEASE


I agree that the XSRF-TOKEN cookie is set by the server and is not meant to be set on the client side, but...

Functional description

I would expect that when I set any wrong, identical value on the client side for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie, the API would not be reached and Spring would instead return 403 Forbidden, because the value is different from the CSRF token stored for the current session on the server side.

Here I can reach the endpoint if I set both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie to whatever-value using Postman:

Spring CSRF workflow: header X-XSRF-TOKEN and Cookie XSRF-TOKEN both set with any identical value triggers API instead of returning 403 Forbidden

You can see on the left of the screenshot, behind Postman's "Sending request...", that the only value that should trigger the endpoint is ab87abbd-0596-4fcc-93b7-3d31aca6b44a.

Configuration

I'm testing CSRF with this kind of setting:

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;

import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// WebSecurityConfigurerAdapter#configure(HttpSecurity)
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .csrf()
        // Require a CSRF token only for unsafe methods (CsrfFilter.DEFAULT_CSRF_MATCHER
        // excludes GET/HEAD/TRACE/OPTIONS) and only on paths matching greeting-csrf
        .requireCsrfProtectionMatcher(
            new AndRequestMatcher(
                CsrfFilter.DEFAULT_CSRF_MATCHER,
                new RegexRequestMatcher(".*greeting-csrf.*", null)
            )
        )
        // Token is kept in the XSRF-TOKEN cookie (readable by JavaScript, hence withHttpOnlyFalse)
        // and is expected back in the X-XSRF-TOKEN header or the _csrf parameter
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
    .and()
        .sessionManagement()
        // No HTTP session is created, so nothing about the token is stored server-side
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    ;
}
[...]
@RequestMapping(
    method = { RequestMethod.GET, RequestMethod.POST },
    path = "/greeting-csrf",
    consumes = { MediaType.APPLICATION_FORM_URLENCODED_VALUE, MediaType.TEXT_PLAIN_VALUE }
)
public Greeting greetingCsrf(HttpServletRequest request) throws IOException { ... }

The nominal workflow is that on the first connection I get the value ab87...b44a from the XSRF-TOKEN cookie sent by the server. Then I set the X-XSRF-TOKEN header or the _csrf parameter to ab87...b44a, and Spring correctly triggers the endpoint. If I put any other value, Spring correctly returns 403 Forbidden.

But setting the XSRF-TOKEN cookie on the client to any value identical to the X-XSRF-TOKEN header appears to trigger the endpoint too.
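The exchange described in the report, replayed as an added example (this is not code from the original issue, nor Spring Security's own code): a small Python HTTP server that behaves like CookieCsrfTokenRepository under SessionCreationPolicy.STATELESS, and a client that sends the request shapes from the report. With no session, the server holds no copy of the token; the only copy it ever sees is the XSRF-TOKEN cookie the client sends back, so the only check it can make is "X-XSRF-TOKEN header equals XSRF-TOKEN cookie". That is the double-submit cookie pattern, and a request in which both carry the same arbitrary value passes by design. The cookie and header names, the path and the value whatever-value are taken from the report; the ephemeral port, the 32-hex-character token and the extra "cookie only" request are assumptions of this example. That extra request models what a cross-site attacker's page can actually produce: the victim's browser attaches the cookie automatically, but a foreign origin can neither read it to copy it into the header nor set a cookie for the target origin, so the request is rejected. A Postman user who sets both cookie and header is playing the legitimate client, not the attacker.

```python
"""Stand-alone model of the CookieCsrfTokenRepository double-submit check.

Added example, not code from the issue or from Spring Security. Constructed
values: OS-chosen port, 32-hex-char token, and "whatever-value" from the report.
"""
import hmac
import secrets
import threading
from http import HTTPStatus
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request as urlrequest
from urllib.error import HTTPError

COOKIE_NAME = "XSRF-TOKEN"
HEADER_NAME = "X-XSRF-TOKEN"
PATH = "/greeting-csrf"


class DoubleSubmitHandler(BaseHTTPRequestHandler):
    """Server side. No session exists, so the only copy of the token the server
    sees is the cookie the client returns: the check is cookie == header."""

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _cookie_token(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        return jar[COOKIE_NAME].value if COOKIE_NAME in jar else None

    def do_GET(self):
        # Safe method: never blocked, but a token is issued if the client has none.
        token = self._cookie_token() or secrets.token_hex(16)
        self.send_response(HTTPStatus.OK)
        self.send_header("Set-Cookie", f"{COOKIE_NAME}={token}; Path=/")
        self.end_headers()
        self.wfile.write(b"hello")

    def do_POST(self):
        expected = self._cookie_token()         # "loaded from the repository" = the cookie
        actual = self.headers.get(HEADER_NAME)  # what the client claims the token is
        if (expected is None or actual is None
                or not hmac.compare_digest(expected.encode(), actual.encode())):
            self.send_response(HTTPStatus.FORBIDDEN)
            self.end_headers()
            return
        self.send_response(HTTPStatus.OK)
        self.end_headers()
        self.wfile.write(b"greeting")


_OPENER = urlrequest.build_opener(urlrequest.ProxyHandler({}))  # ignore env proxies


def send(base_url, method, cookie=None, header=None):
    """Client side: one request with an optional cookie and/or header.
    Returns (status, value of the Set-Cookie response header or None)."""
    req = urlrequest.Request(base_url + PATH,
                             data=b"" if method == "POST" else None, method=method)
    if cookie is not None:
        req.add_header("Cookie", f"{COOKIE_NAME}={cookie}")
    if header is not None:
        req.add_header(HEADER_NAME, header)
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Set-Cookie")
    except HTTPError as err:
        err.close()
        return err.code, None


def run_scenarios():
    """Start the server on an ephemeral port, replay the request shapes from the
    report plus the cross-site-attacker shape, return (issued_token, statuses)."""
    server = HTTPServer(("127.0.0.1", 0), DoubleSubmitHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        _, set_cookie = send(base, "GET")                    # first connection
        token = SimpleCookie(set_cookie)[COOKIE_NAME].value  # the "ab87...b44a" of the report
        statuses = {
            # real token in cookie and header: accepted
            "nominal": send(base, "POST", cookie=token, header=token)[0],
            # real cookie, wrong header: 403
            "wrong_header": send(base, "POST", cookie=token, header="not-the-token")[0],
            # the Postman case: arbitrary but identical cookie and header: accepted
            "matching_pair": send(base, "POST", cookie="whatever-value",
                                  header="whatever-value")[0],
            # what a cross-site page can send: the browser adds the cookie,
            # the page cannot read it to fill the header: 403
            "cookie_only": send(base, "POST", cookie=token)[0],
        }
    finally:
        server.shutdown()
        server.server_close()
    return token, statuses


if __name__ == "__main__":
    issued, outcome = run_scenarios()
    print("token issued on first GET:", issued)
    for name, status in outcome.items():
        print(f"{name:14s} -> {status}")
```

Run it with python3 and read the four statuses: nominal and matching_pair are 200, wrong_header and cookie_only are 403. The matching_pair result is the behaviour the report describes; the cookie_only result is the one a CSRF attacker is actually limited to.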

Comment From: bclozel

This issue tracker is for Spring Framework issues only. Could you create this issue against the Spring Security issue tracker here: https://github.com/spring-projects/spring-security/issues

Thanks!

Comment From: ron190

Sure, issue opened on Spring Security: https://github.com/spring-projects/spring-security/issues/9149