Mitigating Cross Site Request Forgery (CSRF) Attacks
The following sections describe the impact of the CSRF attack and the approaches you can use to mitigate it.
How can CSRF attacks be harmful?
Cross Site Request Forgery (CSRF) attacks trick users into sending a malicious request, forcing the user to execute unwanted actions in a web application to which their browser is already authenticated. The session in which the user has logged in to the web application is used to bypass the authentication step during this attack; therefore, it is also known as "session riding". This means that if the user is currently authenticated on the website, the site or application has no way of distinguishing a forged request from a legitimate one.
The attack involves tricking the user into clicking a URL or HTML content, which consequently sends a request to the website. For example:
- The user sends a request to an online banking application to transfer $100 to another bank account.
- An example URL for this request, including the parameters (account number and transfer amount), is similar to the following: https://bank.com/transfer.do?acct=10220048&amount=100000.
- The attacker uses the same URL with a different account number in place of the actual account number and disguises this URL by including it in a clickable image and sending it to the user in an email with other content.
- The user may unknowingly click on this URL, which sends a transfer request to the bank.
Mitigating CSRF attacks
You can use the following approaches to mitigate CSRF attacks.
Mitigating using the CSRF Valve
The CSRF Valve acts as a filter that differentiates malicious requests from legitimate ones by checking the source of the request. The <WhiteList> element lists the sources associated with legitimate requests, so that the Valve can check the Referer header in order to validate whether the request comes from a server included in the white list.
Configuring the CSRF Valve
- Add the following code snippet within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

  ```xml
  <CSRFPreventionConfig>
      <Enabled>true</Enabled> <!--Enable/Disable CSRF prevention-->
      <Rule>allow</Rule>
      <!--URL Pattern to skip the CSRF prevention-->
      <Patterns>
          <Pattern>commonauth</Pattern>
          <Pattern>samlsso</Pattern>
          <Pattern>authenticationendpoint</Pattern>
          <Pattern>wso2</Pattern>
          <Pattern>oauth2</Pattern>
          <Pattern>openid</Pattern>
          <Pattern>openidserver</Pattern>
          <Pattern>passivests</Pattern>
          <Pattern>services</Pattern>
      </Patterns>
      <!--List of URL to allow as source to access the system-->
      <WhiteList>
          <Url>https://localhost:9443</Url>
      </WhiteList>
  </CSRFPreventionConfig>
  ```

- Edit the <WhiteList> element of the code snippet above by adding the relevant list of URLs that are approved sources.
- Add the following configuration within the <Hosts> element of the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.

  ```xml
  <Valve className="org.wso2.carbon.ui.valve.CSRFValve"/>
  ```

- Restart the product server.
Mitigating using the CSRF Filter
The CSRF Filter uses the Synchronizer Token Pattern to mitigate CSRF attacks. It adds a randomly generated token as a hidden parameter to HTML forms that are submitted with HTTP POST, and it validates that token on the resulting HTTP POST requests.
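As an added illustration (not part of the WSO2 product or of this page), the following Python sketch models both mechanisms described above: the Valve's Referer check against a white list of approved origins, and the Filter's Synchronizer Token Pattern with a skip pattern for static content. The white-list origin, the skip regex, the session dictionary and the hidden-field name `csrftoken` are assumptions chosen to mirror the configuration values on this page.

```python
import hmac
import re
import secrets
from urllib.parse import urlparse

# Constructed values mirroring the page's configuration; not the product's code.
WHITELIST = {"https://localhost:9443"}                                # CSRF Valve <WhiteList>
SKIP_URL_PATTERN = re.compile(r"(.*)(/images|/css|/js|/docs)(.*)")  # Filter <SkipUrlPattern>
TOKEN_FIELD = "csrftoken"   # hypothetical hidden-field name used by the filter


def valve_allows(referer):
    """CSRF Valve: accept a request only if its Referer origin is white-listed.
    A missing Referer is rejected (fail closed); that choice is an assumption."""
    if not referer:
        return False
    p = urlparse(referer)
    return f"{p.scheme}://{p.netloc}" in WHITELIST


def issue_token(session):
    """Synchronizer token: one unguessable value per session, created on first use."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def inject_hidden_field(html, session):
    """Add the session token as a hidden input to every <form method="post">."""
    hidden = f'<input type="hidden" name="{TOKEN_FIELD}" value="{issue_token(session)}"/>'
    return re.sub(r"(<form\b[^>]*\bmethod=['\"]?post['\"]?[^>]*>)",
                  lambda m: m.group(1) + hidden, html, flags=re.IGNORECASE)


def validate_post(session, path, form):
    """CSRF Filter decision for an HTTP POST: True lets the request through."""
    if SKIP_URL_PATTERN.fullmatch(path):          # static content: no token check
        return True
    expected = session.get(TOKEN_FIELD)
    if expected is None:                          # no token was ever issued
        return False
    supplied = str(form.get(TOKEN_FIELD, ""))
    # Constant-time comparison so the token cannot be leaked via timing.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```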
Configuring the CSRF Filter
- Add the following configuration to enable the filter:
  - To enable the filter only for the Management Console, add it to the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF/web.xml file.
  - To enable the filter for any other web app that has access to the Carbon runtime, add it to the <WEB_APP_HOME>/WEB-INF/web.xml file.

  ```xml
  <web-app>
      ...
      <filter>
          <filter-name>CSRFPreventionFilter</filter-name>
          <filter-class>org.wso2.carbon.ui.filters.CSRFPreventionFilter</filter-class>
      </filter>
      <filter-mapping>
          <!-- Must match the <filter-name> declared above -->
          <filter-name>CSRFPreventionFilter</filter-name>
          <url-pattern>/*</url-pattern>
      </filter-mapping>
      ...
  </web-app>
  ```
- Add the following code within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file. The <SkipUrlPattern> element defines the URL pattern for which CSRF protection is skipped; any URL matching this pattern is not validated for the CSRF token.

  ```xml
  <Server>
      ...
      <Security>
          ...
          <CSRFPreventionConfig>
              <!-- CSRFPreventionFilter configurations that adopt the Synchronizer Token Pattern -->
              <CSRFPreventionFilter>
                  <!-- Set to true to enable the CSRFPreventionFilter -->
                  <Enabled>true</Enabled>
                  <!-- URL pattern to skip application of CSRF protection -->
                  <SkipUrlPattern>(.*)(/images|/css|/js|/docs)(.*)</SkipUrlPattern>
              </CSRFPreventionFilter>
          </CSRFPreventionConfig>
          ...
      </Security>
      ...
  </Server>
  ```

- Restart the product server.