The following sections describe the impact of the CSRF attack and the approaches you can use to mitigate it.
How can CSRF attacks be harmful?
Cross Site Request Forgery (CSRF) attacks trick users into sending a malicious request by forcing them to execute unwanted actions on a web browser where they are already authenticated. The session in which the user has logged in to the web application on the browser is used to bypass the authentication step during this attack; therefore, it is also known as "session riding". This means that if the user is already authenticated on the website, the site or application has no way of distinguishing between a forged request and a legitimate request.
The attack includes maliciously tricking the user into clicking a URL or HTML content, which consequently sends a request to the website. For example:
- The user sends a request to an online banking application to transfer $100 to another bank account.
- An example URL, including the parameters (account number and transfer amount), for this request, is similar to the following: .
- The attacker uses the same URL with a different account number in place of the actual account number and disguises this URL by including it in a clickable image and sending it to the user in an email with other content.
- The user may unknowingly click on this URL, which sends a transfer request to the bank.
Mitigating CSRF attacks
You can use the following approaches to mitigate CSRF attacks.
Mitigating using the CSRF Valve
The CSRF Valve acts as a filter that differentiates malicious requests from legitimate requests by checking the source of the request. The <WhiteList> tag includes a list of sources that are associated with legitimate requests, so that the Valve can check the Referer header to validate whether the request is coming from a server included in the whitelist.
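The Referer check described above, sketched as an added example (this is not WSO2's Valve code): the Referer is parsed and its scheme, host and port are compared exactly against each whitelisted source, with a plain string-prefix comparison kept beside it for contrast. The function names, the rejection of a missing Referer and the sample Referer values are assumptions; https://localhost:9443 is the source from the page's sample configuration.

```python
from urllib.parse import urlsplit

# Approved source taken from the page's sample <WhiteList>; everything else
# here (function names, rejecting a missing Referer) is an assumption.
WHITELIST = ["https://localhost:9443"]
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), or None if url is not an absolute http(s) URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def referer_allowed(referer, whitelist=WHITELIST):
    """Accept only when the Referer's origin equals a whitelisted origin exactly."""
    if not referer:
        return False  # assumption: no Referer means the source cannot be verified
    allowed = {origin(u) for u in whitelist} - {None}
    return origin(referer) in allowed


def prefix_check(referer, whitelist=WHITELIST):
    """Weak variant for contrast: string-prefix comparison against the whitelist."""
    return any(referer.startswith(u) for u in whitelist)


if __name__ == "__main__":
    # Constructed Referer values: one legitimate, two lookalikes, one on another port.
    for ref in ("https://localhost:9443/carbon/admin/index.jsp",
                "https://localhost:9443.lookalike.example/page",
                "https://localhost:9443@lookalike.example/page",
                "https://localhost:8443/carbon/"):
        print(f"{ref!r}: exact={referer_allowed(ref)} prefix={prefix_check(ref)}")
```

The two lookalike values pass the prefix comparison but fail the exact origin comparison, which is why whitelist entries should be matched as parsed origins and not as strings.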
Configuring the CSRF Valve
Add the following code snippet within the <Security> element of the

```xml
<CSRFPreventionConfig>
    <CSRFValve>
        <Enabled>true</Enabled> <!--Enable/Disable CSRF prevention-->
        <Rule>allow</Rule>
        <!--URL Pattern to skip the CSRF prevention-->
        <Patterns>
            <Pattern>commonauth</Pattern>
            <Pattern>samlsso</Pattern>
            <Pattern>authenticationendpoint</Pattern>
            <Pattern>wso2</Pattern>
            <Pattern>oauth2</Pattern>
            <Pattern>openid</Pattern>
            <Pattern>openidserver</Pattern>
            <Pattern>passivests</Pattern>
            <Pattern>services</Pattern>
        </Patterns>
        <!--List of URL to allow as source to access the system-->
        <WhiteList>
            <Url>https://localhost:9443</Url>
        </WhiteList>
    </CSRFValve>
</CSRFPreventionConfig>
```
Update the <WhiteList> element of the code snippet above by adding the relevant list of URLs that are approved sources.
Add the following configuration within the <Hosts> element of the
Restart the product server.
Mitigating using the CSRF Filter
The CSRF Filter uses the Synchronizer Token Pattern to mitigate CSRF attacks. It adds a randomly generated token as a hidden parameter to HTML forms that perform the HTTP POST function. Token validation is enforced on HTTP POST requests as well.
Configuring the CSRF Filter
- To enable the filter only for the Management Console: add it to the
- To enable the filter for any other web app that has access to the Carbon runtime: add it to the

```xml
<web-app>
    ...
    <filter>
        <filter-name>CSRFPreventionFilter</filter-name>
        <filter-class>org.wso2.carbon.ui.filters.CSRFPreventionFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CSRFPreventionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    ...
</web-app>
```
Add the following code within the <Security> element of the

```xml
<Server>
    ...
    <Security>
        ...
        <CSRFPreventionConfig>
            <!-- CSRFPreventionFilter configurations that adopts Synchronizer Token Pattern -->
            <CSRFPreventionFilter>
                <!-- Set below to true to enable the CSRFPreventionFilter -->
                <Enabled>true</Enabled>
                <!-- Url Pattern to skip application of CSRF protection-->
                <SkipUrlPattern>(.*)(/images|/css|/js|/docs)(.*)</SkipUrlPattern>
            </CSRFPreventionFilter>
        </CSRFPreventionConfig>
        ...
    </Security>
    ...
</Server>
```
For information on how CSRF attacks can be harmful, and how you can mitigate CSRF attacks when you use WSO2 products, see Mitigating Cross Site Request Forgery Attacks in the WSO2 product administration guide.