Versions Compared


...

  • The user sends a request to an online banking application to transfer $100 to another bank account.
  • An example URL for this request, including the parameters (account number and transfer amount), is similar to the following: https://bank.com/transfer.do?acct=10220048&amount=100000.
  • The attacker uses the same URL with a different account number in place of the actual account number and disguises this URL by including it in a clickable image and sending it to the user in an email with other content. 
  • The user may unknowingly click on this URL, which sends a transfer request to the bank. 

...

  1. Add the following code snippet within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    <CSRFPreventionConfig>
        <CSRFValve>
            <Enabled>true</Enabled>  <!--Enable/Disable CSRF prevention-->
            <Rule>allow</Rule>
            <!--URL Pattern to skip the CSRF prevention-->
            <Patterns>
                <Pattern>commonauth</Pattern>
                <Pattern>samlsso</Pattern>
                <Pattern>authenticationendpoint</Pattern>
                <Pattern>wso2</Pattern>
                <Pattern>oauth2</Pattern>
                <Pattern>openid</Pattern>
                <Pattern>openidserver</Pattern>
                <Pattern>passivests</Pattern>
                <Pattern>services</Pattern>
            </Patterns>
            <!--List of URLs to allow as sources that may access the system-->
            <WhiteList>
                <Url>https://localhost:9443</Url>
            </WhiteList>
        </CSRFValve>
    </CSRFPreventionConfig>
  2. Edit the <WhiteList> element of the code snippet above by adding the list of URLs that are approved sources.

  3. Add the following configuration within the <Hosts><Host> element of the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.

    <Valve className="org.wso2.carbon.ui.valve.CSRFValve"/>
  4. Restart the product server.

...

  1. Add the configuration seen below accordingly to enable the filter:
    • To enable the filter only to the Management Console: add it to the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF/web.xml file.
    • To enable the filter to any other web app that has access to the Carbon runtime: add it to the <WEB_APP_HOME>/WEB-INF/web.xml file.
    <web-app>
    ...
        <filter>
            <filter-name>CSRFPreventionFilter</filter-name>
            <filter-class>org.wso2.carbon.ui.filters.CSRFPreventionFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CSRFPreventionFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    ...
    </web-app>
  2. Add the following code within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    The <SkipUrlPattern> element defines the URL pattern to skip CSRF protection: any URL matching this pattern is not validated for the CSRF token.

    <Server>
    ...
        <Security>
        ...
            <CSRFPreventionConfig>
                <!-- CSRFPreventionFilter configuration, which adopts the Synchronizer Token Pattern -->
                <CSRFPreventionFilter>
                    <!-- Set to true to enable the CSRFPreventionFilter -->
                    <Enabled>true</Enabled>
                    <!-- URL pattern to skip application of CSRF protection -->
                    <SkipUrlPattern>(.)(/images|/css|/js|/docs)(.)</SkipUrlPattern>
                </CSRFPreventionFilter>
            </CSRFPreventionConfig>
        ...
        </Security>
    ...
    </Server>
  3. Restart the product server.
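As an added illustration, not WSO2's own code, the following Python models the decision each of the two mechanisms above (the CSRFValve source whitelist and the synchronizer-token CSRFPreventionFilter) makes for a single request, using the skip patterns, whitelist and SkipUrlPattern copied from the snippets. The matching rules (substring match for <Pattern>, regex search for <SkipUrlPattern>, safe methods exempt from both checks) and the bank-transfer request at the bottom are assumptions constructed for the example, not the product's documented behaviour.

```python
import hmac
import re
import secrets
from urllib.parse import urlsplit

# Values copied from the carbon.xml snippets on this page.
VALVE_SKIP_PATTERNS = ["commonauth", "samlsso", "authenticationendpoint", "wso2",
                       "oauth2", "openid", "openidserver", "passivests", "services"]
VALVE_WHITELIST = ["https://localhost:9443"]
FILTER_SKIP_URL_PATTERN = re.compile(r"(.)(/images|/css|/js|/docs)(.)")
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumption: these change no state

def source_of(origin_header, referer_header):
    """Reduce the Origin (or, failing that, Referer) header to scheme://host[:port]."""
    parts = urlsplit(origin_header or referer_header or "")
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None

def valve_allows(method, path, origin_header=None, referer_header=None):
    """CSRFValve model: safe methods and skipped paths pass; any other request
    must come from a whitelisted source. Assumption: <Pattern> is a path substring."""
    if method in SAFE_METHODS or any(p in path for p in VALVE_SKIP_PATTERNS):
        return True
    return source_of(origin_header, referer_header) in VALVE_WHITELIST

def issue_token():
    """Per-session synchronizer token: keep it server-side and embed it in forms."""
    return secrets.token_urlsafe(32)

def filter_allows(method, path, session_token, submitted_token):
    """CSRFPreventionFilter model: state-changing requests outside SkipUrlPattern
    must present the token bound to the session (constant-time comparison)."""
    if method in SAFE_METHODS or FILTER_SKIP_URL_PATTERN.search(path):
        return True
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)

def request_allowed(method, path, session_token, submitted_token=None,
                    origin_header=None, referer_header=None):
    """Both mechanisms from the page, applied to one request."""
    return (valve_allows(method, path, origin_header, referer_header)
            and filter_allows(method, path, session_token, submitted_token))

if __name__ == "__main__":
    token = issue_token()
    # Constructed requests mirroring the page's transfer scenario.
    print(request_allowed("POST", "/transfer.do", token, token, "https://localhost:9443"))
    print(request_allowed("POST", "/transfer.do", token, None, "https://attacker.example"))
```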