This documentation is for WSO2 Carbon 4.4.1.
Mitigating Cross Site Request Forgery (CSRF) Attacks - Carbon 4.4.1 - WSO2 Documentation
Due to a known issue, do not use JDK 1.8.0_151 with WSO2 products. Use JDK 1.8.0_144 until JDK 1.8.0_162-ea is released.

The following sections describe the impact of the CSRF attack and the approaches you can use to mitigate it.

How can CSRF attacks be harmful? 

Cross Site Request Forgery (CSRF) attacks trick users into sending a malicious request, forcing them to execute unwanted actions in a web application to which their browser is already authenticated. The attack uses the session in which the user is logged in to the web application in the browser to bypass the authentication step; it is therefore also known as "session riding". If the user is currently authenticated on the website, the site or application has no way of distinguishing between a forged request and a legitimate request.

The attack includes maliciously tricking the user into clicking a URL or HTML content, which consequently sends a request to the website. For example:

  • The user sends a request to an online banking application to transfer $100 to another bank account.
  • An example URL, including the parameters (account number and transfer amount), for this request is similar to the following:
  • The attacker uses the same URL with a different account number in place of the actual account number and disguises this URL by including it in a clickable image and sending it to the user in an email with other content. 
  • The user may unknowingly click on this URL, which sends a transfer request to the bank. 

Mitigating CSRF attacks

You can use the following approaches to mitigate CSRF attacks.

Mitigating using the CSRF Valve 

The CSRF Valve acts as a filter that differentiates malicious requests from legitimate requests by checking the source of the request. The <Whitelist> tag lists the sources that are associated with legitimate requests, and the Valve checks the Referer header to validate whether the request comes from a server included in the whitelist.

Configuring the CSRF Valve
  1. Add the following code snippet within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    <Enabled>true</Enabled> <!--Enable/Disable CSRF prevention-->
    <!--URL Pattern to skip the CSRF prevention-->
    <!--List of URL to allow as source to access the system-->
  2. Edit the <Whitelist> element of the code snippet above by adding the relevant list of URLs that are approved sources.

  3. Add the following configuration within the <Hosts> element of the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.

    <Valve className="org.wso2.carbon.ui.valve.CSRFValve"/>
  4. Restart the product server.

Mitigating using the CSRF Filter

The CSRF Filter uses the Synchronizer Token Pattern to mitigate CSRF attacks. It adds a randomly generated token as a hidden parameter to HTML forms that are submitted using HTTP POST, and it enforces validation of that token on HTTP POST requests.

Configuring the CSRF Filter
  1. Add the configuration seen below to the relevant file to enable the filter:
    • To enable the filter only for the Management Console: add it to the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF/web.xml file.
    • To enable the filter for any other web app that has access to the Carbon runtime: add it to the <WEB_APP_HOME>/WEB-INF/web.xml file.
  2. Add the following code within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    The <SkipUrlPattern> element defines the URL pattern for which CSRF protection is skipped. Any URL matching this pattern is not validated for the CSRF token.

    <!-- CSRFPreventionFilter configurations that adopts Synchronizer Token Pattern -->
    <!-- Set below to true to enable the CSRFPreventionFilter -->
    <!-- Url Pattern to skip application of CSRF protection-->
  3. Restart the product server.
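
The check that the Synchronizer Token Pattern performs, written out as an added example (this is not WSO2's filter code). The parameter name `csrf_token`, the skip pattern `^/static/.*`, the `/transfer` path, and the map standing in for the HTTP session are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class SynchronizerTokenDemo {
    // Assumed names: the parameter name and skip pattern are constructed for this example.
    static final String PARAM = "csrf_token";
    static final Pattern SKIP = Pattern.compile("^/static/.*");
    static final SecureRandom RNG = new SecureRandom();

    // Create one unpredictable token per session and keep it on the server side.
    static String tokenFor(Map<String, String> session) {
        return session.computeIfAbsent(PARAM, k -> {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    // Hidden field added to each HTML form that is submitted with POST.
    static String hiddenField(Map<String, String> session) {
        return "<input type=\"hidden\" name=\"" + PARAM + "\" value=\"" + tokenFor(session) + "\"/>";
    }

    // Decide whether a request may proceed to the application.
    static boolean allow(String method, String path, Map<String, String> session, String submitted) {
        if (!"POST".equalsIgnoreCase(method)) return true;        // only POST is validated
        if (SKIP.matcher(path).matches()) return true;            // skip pattern: no token check
        String expected = session.get(PARAM);
        if (expected == null || submitted == null) return false;  // fail closed
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8)); // constant-time compare
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();  // stands in for the user's HTTP session
        System.out.println(hiddenField(session));
        String token = session.get(PARAM);
        System.out.println("legitimate POST: " + allow("POST", "/transfer", session, token));
        System.out.println("forged POST:     " + allow("POST", "/transfer", session, null));
        System.out.println("skipped path:    " + allow("POST", "/static/upload", session, null));
        System.out.println("GET request:     " + allow("GET", "/transfer", session, null));
    }
}
```

A POST that matches the skip pattern is accepted without a token, so keep that pattern limited to URLs that do not change state.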
