Cross-Site Request Forgery (CSRF) Prevention in Liferay

What is CSRF?

Cross-Site Request Forgery (CSRF) is an attack in which the victim's browser is tricked into sending a malicious request to a site where the victim is already authenticated. It ranks among the top web vulnerabilities because the forged request carries the victim's identity, privileges, session information and permissions, so the server executes it on the victim's behalf as if the victim had made it. Such an attack can be mounted against any state-changing operation: updating sensitive or confidential information, purchasing something, transferring money and so on.

More about CSRF

Prevention Measures

The general recommendation for preventing CSRF is the Synchronizer Token Pattern: include a random token with every form action and link associated with a confidential server-side action or operation.

One random token should be generated per session and stored in the session itself. On each incoming request the server must verify that the token is present and that it matches the token stored in the current session.

If the token is missing from the request or invalid, the request must be aborted, the token must be reset, and the incident must be logged as a CSRF attack.

CSRF Prevention Mechanism in Liferay

Liferay's portal authentication token mechanism exists to prevent CSRF attacks. It includes a parameter called p_auth, containing the random token, in every action request.
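The synchronizer-token rules above (one token per session, verified on every request, reset and logged on failure) worked through against a p_auth parameter, as an added Python example that is not Liferay's own code; the session attribute name, the ignore set and the log messages are assumptions made for this illustration.

```python
import hmac
import logging
import secrets

# "p_auth" is the request parameter name Liferay uses; the session attribute
# name, the ignore set and the log messages are constructed for this example.
TOKEN_PARAM = "p_auth"
SESSION_KEY = "csrf_token"

log = logging.getLogger("csrf")


def issue_token(session: dict) -> str:
    """Return this session's token, generating it on first use.

    Page rendering embeds the value as p_auth in every form and action link.
    """
    if SESSION_KEY not in session:
        session[SESSION_KEY] = secrets.token_urlsafe(32)
    return session[SESSION_KEY]


def check_token(session: dict, params: dict, action: str,
                ignored_actions: frozenset = frozenset()) -> bool:
    """Verify the token carried by one action request.

    Returns True when the request may proceed. A missing or wrong token
    rotates the stored token and logs the incident (the abort/reset/log
    rule); the caller then aborts the request.
    """
    if action in ignored_actions:  # mirrors auth.token.ignore.actions
        return True
    expected = session.get(SESSION_KEY)
    supplied = params.get(TOKEN_PARAM)
    if expected is None or not isinstance(supplied, str):
        log.warning("CSRF: missing token on %s", action)
        session[SESSION_KEY] = secrets.token_urlsafe(32)
        return False
    # Constant-time comparison so a wrong guess leaks nothing via timing.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        log.warning("CSRF: invalid token on %s", action)
        session[SESSION_KEY] = secrets.token_urlsafe(32)
        return False
    return True


if __name__ == "__main__":
    session = {}  # stands in for the server-side HttpSession
    token = issue_token(session)
    # A form rendered by the portal carries p_auth; a forged cross-site form
    # cannot read the victim's session and so cannot supply the value.
    print(check_token(session, {"p_auth": token}, "/blogs/edit_entry"))  # True
    print(check_token(session, {"title": "x"}, "/blogs/edit_entry"))    # False
```

Every action or portlet placed on an ignore list runs without this check, so such lists should be limited to read-only endpoints such as feeds.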

Enable/Disable authentication token checking in portal

Because this is a portal-level setting, authentication token checking is enabled or disabled by adding the property below to portal properties.
auth.token.check.enabled=true

Setting Authentication Token Class

A custom authentication token class can be implemented to handle and avoid CSRF attacks. The custom class must implement com.liferay.portal.security.auth.AuthToken.

com.liferay.portal.security.auth.SessionAuthToken is the default implementation available in Liferay.

The class is registered in the portal context by adding the property below to portal properties.
auth.token.impl=com.liferay.portal.security.auth.SessionAuthToken

Ignoring actions/portlets from token authentication check

A comma-delimited list of struts actions or portlet ids can be set to skip the authentication token check for them.

The list of struts actions is set by adding the property below to portal properties.
auth.token.ignore.actions=\
    /blogs/edit_entry,\
    /blogs/edit_entry_discussion,\
    /blogs/rss

The list of portlet ids is set by adding the property below to portal properties.
auth.token.ignore.portlets=82,87

Individual portlets can be ignored by adding the init parameter below in portlet.xml:

    <init-param>
        <name>check-auth-token</name>
        <value>false</value>
    </init-param>


Enjoy and Stay Protected.

Comments

  1. Excellent focus on authentication part.

    Can you please explain more about how to test the application also?
  2. Your blog has given me that thing which I never expect to get from all over the websites. Nice post guys!

    Melbourne Mobile Developer
