zjffdu

Does CSRF exist in pure rest api without UI?

I don't know much about CSRF, but after reading the doc, it seems it only happens in browser. So now I have a library with rest api, but no ui. Do I need to take care of CSRF in this rest api ? Thanks

Upvotes: 0

Answers (1)

cassiomolin

First of all, it's important to note that CSRF is an attack that can be exploited in browsers.

According to Guidelines for Implementation of REST, a document issued by NSA, REST APIs are vulnerable to CSRF attacks:

F. Cross Site Request Forgery:

Cross site request forgery (CSRF) attacks attempt to force an authenticated user to execute functionality without their knowledge. [...]

It is important to note that CSRF attacks execute functionality, but are unable to interact with the response from the targeted server. [...]

REST is stateless at its core and thus inherently vulnerable to CSRF attacks. [...]

Two approaches are suggested to ensure protection. Summarizing them below:

Custom HTTP header

The first method involves checking the presence of a custom header (agreed-upon between the server and a client – e.g. X-CSRF or X-Requested-By) in all state-changing requests coming from the client. The value of the header does not really matter. It works, because the browser would not send custom headers unless the web page makes a request using XMLHttpRequest, which only allows requests to the same site.

This method is currently used by Jersey, the JAX-RS reference implementation for REST web services in Java.

And it's also mentioned in Robust Defenses for Cross-Site Request Forgery from Stanford University.

CSRF tokens

The second method involves protecting REST endpoints against CSRF attacks by establishing session state. This approach violates REST principles and involves the use of a CSRF token that is generated for each action, then associated with the user session and submitted with each important website action.

This essentially forces a sequential ordering of actions on the application.

Upvotes: 1
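Both defences the answer summarizes, written as an added Python example (not code from the NSA document, Jersey or the answer itself): a check that state-changing requests carry the agreed-upon custom header, and a per-session CSRF token check. The header name `X-Requested-By`, the safe-method list and the in-memory token store are assumptions for the sake of the example.

```python
import hmac
import secrets

# Methods that must not change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumed custom header agreed upon between server and client.
CUSTOM_HEADER = "X-Requested-By"


def allowed_by_custom_header(method, headers):
    """Defence 1: a state-changing request must carry the custom header.

    Its value is irrelevant. A cross-site HTML form submission cannot add
    custom headers, and a script on another origin cannot add one without
    the server granting it through CORS, so presence alone is the signal.
    """
    if method.upper() in SAFE_METHODS:
        return True
    # HTTP header names are case-insensitive, so compare lowercased.
    return any(name.lower() == CUSTOM_HEADER.lower() for name in headers)


class CsrfTokenStore:
    """Defence 2: per-session CSRF token (assumed in-memory store)."""

    def __init__(self):
        self._tokens = {}  # session id -> token

    def issue(self, session_id):
        """Generate an unpredictable token and bind it to the session."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def allowed(self, session_id, method, submitted_token):
        """Accept a state-changing request only with the session's token."""
        if method.upper() in SAFE_METHODS:
            return True
        expected = self._tokens.get(session_id)
        if expected is None or submitted_token is None:
            return False
        # Constant-time comparison avoids leaking the token via timing.
        return hmac.compare_digest(expected, submitted_token)
```

A request forged from another site fails both checks: a plain form post carries neither the custom header nor a token bound to the victim's session.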
