
How can CSRF attacks be harmful? 

Cross Site Request Forgery (CSRF) attacks trick a user's browser into sending a request the user did not intend, so that unwanted actions are executed on a web application where the user is already authenticated. Because the browser attaches the session in which the user logged in, the forged request passes the authentication step; this is why the attack is also known as "session riding". As long as the user is currently authenticated on the website, the site or application has no way of distinguishing a forged request from a legitimate one.


  • The user sends a request to an online banking application to transfer $100 to another bank account.
  • An example URL, including the parameters (account number and transfer amount), for this request is similar to the following: https://bank.com/transfer.do?acct=10220048&amount=100000.
  • The attacker uses the same URL with a different account number in place of the actual account number and disguises this URL by including it in a clickable image and sending it to the user in an email with other content. 
  • The user may unknowingly click on this URL, which sends a transfer request to the bank. 

Mitigating CSRF attacks

You can use the following approaches to mitigate CSRF attacks.


Mitigating using the CSRF Valve 

The CSRF Valve acts as a filter that differentiates malicious requests from legitimate requests by checking the source of the request. The <WhiteList> element lists the sources associated with legitimate requests, and the Valve checks the Referer header of each request to validate that it comes from a server included in the whitelist.

Configuring the CSRF Valve
  1. Add the following code snippet within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    <CSRFPreventionConfig>
        <Enabled>true</Enabled> <!-- Enable/disable CSRF prevention -->
        <Rule>allow</Rule>

        <!-- URL patterns that skip CSRF prevention -->
        <Patterns>
            <Pattern>commonauth</Pattern>
            <Pattern>samlsso</Pattern>
            <Pattern>authenticationendpoint</Pattern>
            <Pattern>wso2</Pattern>
            <Pattern>oauth2</Pattern>
            <Pattern>openid</Pattern>
            <Pattern>openidserver</Pattern>
            <Pattern>passivests</Pattern>
            <Pattern>services</Pattern>
        </Patterns>

        <!-- List of URLs allowed as sources to access the system -->
        <WhiteList>
            <Url>https://localhost:9443</Url>
        </WhiteList>
    </CSRFPreventionConfig>
  2. Edit the <WhiteList> element of the code snippet above by adding the URLs of the approved sources.

  3. Add the following configuration within the <Hosts> element of the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.

    <Valve className="org.wso2.carbon.ui.valve.CSRFValve"/>
  4. Restart the product server.
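A reference model of the Valve's Referer check, added here as an example and not WSO2's own code: it reads a constructed, shortened copy of the CSRFPreventionConfig shape above and decides per request whether the Referer origin is whitelisted. The decision order and the origin comparison are assumptions about the valve's semantics, not taken from its implementation.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed copy of the CSRFPreventionConfig shape from carbon.xml (patterns shortened).
CARBON_XML_SNIPPET = """
<CSRFPreventionConfig>
  <Enabled>true</Enabled>
  <Rule>allow</Rule>
  <Patterns>
    <Pattern>commonauth</Pattern>
    <Pattern>oauth2</Pattern>
  </Patterns>
  <WhiteList>
    <Url>https://localhost:9443</Url>
  </WhiteList>
</CSRFPreventionConfig>
"""

def load_config(xml_text):
    """Read Enabled, the skip Patterns and the WhiteList URLs from the snippet."""
    root = ET.fromstring(xml_text.strip())
    return {
        "enabled": (root.findtext("Enabled") or "false").strip().lower() == "true",
        "patterns": [p.text.strip() for p in root.iter("Pattern")],
        "whitelist": [u.text.strip() for u in root.iter("Url")],
    }

def origin(url):
    """(scheme, host, port) of a URL; a missing port takes the scheme default."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)

def valve_allows(cfg, request_path, referer):
    """Assumed decision logic of the valve: returns (allowed, reason).
    The Referer is compared as a parsed origin, never as a string prefix,
    so a whitelisted host cannot be imitated by a longer hostname."""
    if not cfg["enabled"]:
        return True, "valve disabled"
    if any(p in request_path for p in cfg["patterns"]):
        return True, "skip pattern"          # e.g. oauth2 endpoints are exempt
    if not referer:
        return False, "no Referer header"    # source unknown, so not trusted
    if any(origin(referer) == origin(url) for url in cfg["whitelist"]):
        return True, "whitelisted origin"
    return False, "Referer origin not in WhiteList"
```

Note that a request without a Referer header is rejected by this model; browsers or proxies that strip the header will therefore be blocked unless the path matches a skip pattern.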

Mitigating using the CSRF Filter

The CSRF Filter uses the Synchronizer Token Pattern to mitigate CSRF attacks. It adds a randomly generated token as a hidden parameter to HTML forms that submit via HTTP POST, and it validates that token on incoming HTTP POST requests.

Configuring the CSRF Filter
  1. Add the configuration below to the appropriate web.xml file to enable the filter:
    • To enable the filter only for the Management Console, add it to the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF/web.xml file.
    • To enable the filter for any other web app that has access to the Carbon runtime, add it to the <WEB_APP_HOME>/WEB-INF/web.xml file.
    <web-app>
    ...
      <filter>
        <filter-name>CSRFPreventionFilter</filter-name>
        <filter-class>org.wso2.carbon.ui.filters.CSRFPreventionFilter</filter-class>
      </filter>
      <filter-mapping>
        <!-- Must match the <filter-name> declared above -->
        <filter-name>CSRFPreventionFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
    ...
    </web-app>
  2. Add the following code within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    Info

    The <SkipUrlPattern> element defines a URL pattern for which CSRF protection is skipped: any request URL matching this pattern is not validated for the CSRF token.

    <Server>
    ...
      <Security>
      ...
        <CSRFPreventionConfig>
          <!-- CSRFPreventionFilter configuration that adopts the Synchronizer Token Pattern -->
          <CSRFPreventionFilter>
            <!-- Set to true to enable the CSRFPreventionFilter -->
            <Enabled>true</Enabled>
            <!-- URL pattern (Java regex) that skips CSRF protection -->
            <SkipUrlPattern>(.*)(/images|/css|/js|/docs)(.*)</SkipUrlPattern>
          </CSRFPreventionFilter>
        </CSRFPreventionConfig>
      ...
      </Security>
    ...
    </Server>
  3. Restart the product server.
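A reference model of the Synchronizer Token Pattern as the filter applies it, added as an example and not WSO2's own code. It assumes the SkipUrlPattern `(.*)(/images|/css|/js|/docs)(.*)` (with the `.*` wildcards), a hypothetical form field name csrftoken, and a plain dict standing in for the HTTP session.

```python
import hmac
import re
import secrets

# SkipUrlPattern from the carbon.xml snippet, assuming the .* wildcards.
SKIP_URL_PATTERN = re.compile(r"(.*)(/images|/css|/js|/docs)(.*)")
TOKEN_PARAM = "csrftoken"  # assumed form field name, not necessarily the filter's

def is_skipped(path):
    """True when the path matches SkipUrlPattern and is therefore not validated."""
    return SKIP_URL_PATTERN.fullmatch(path) is not None

def issue_token(session):
    """Create the session's random token once; every form reuses it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def render_form(session, action):
    """Emit a POST form carrying the token as a hidden parameter."""
    token = issue_token(session)
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="{TOKEN_PARAM}" value="{token}"/>'
            f'</form>')

def filter_accepts(session, method, path, params):
    """Assumed decision logic of the filter: returns (accepted, reason).
    A page on another origin cannot read the victim's session token, so a
    forged POST arrives without it (or with a guess) and is rejected."""
    if method != "POST":
        return True, "only POST is validated"
    if is_skipped(path):
        return True, "path matches SkipUrlPattern"
    expected = session.get("csrf_token")
    supplied = params.get(TOKEN_PARAM, "")
    if not expected or not supplied:
        return False, "missing token"
    if not hmac.compare_digest(expected, supplied):
        return False, "token mismatch"   # constant-time comparison
    return True, "token valid"
```

The skip pattern is deliberately broad (it matches anywhere in the path), so keep it limited to static resources that change no server state.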