Version: 7.8

CSRF

Introduction

CSRF stands for Cross-Site Request Forgery. Resolve Actions Pro uses the OWASP CSRFGuard Project to mitigate CSRF attacks.

Although the HTTP POST method is the most vulnerable one, since it changes the state of the system, and therefore must be protected against CSRF attacks, Actions Pro protects the HTTP GET method against CSRF attacks as well.

Actions Pro stores action task results and can display them as part of wikis. Action task results may contain sensitive data, which needs to be protected against CSRF attacks when wikis are accessed with an HTTP GET request.

Explanation of csrfguard.properties

For more information, you can read CSRFGuard Configuration.

What is New

Since Actions Pro v6.4 we no longer override custom CSRF settings. We recommend that you do NOT make changes directly in the csrfguard.properties file; make them in the blueprint.properties file instead, and then run config.sh to migrate your changes into the csrfguard.properties file. Make sure you add a new row in the blueprint.properties file for each new csrfguard.properties property.

The rows need to look like the following example:

Example

#List of additional values for csrfguard.properties
#Add additional values by copying this property and incrementing the .N count
#Values must be in the form of <Key>=<URL>
#Additional Settings after .1 may be at bottom of blueprint in the custom section
rsview.csrfguard.unprotected.1=WikiDownload=/resolve/service/wiki/download/*
rsview.csrfguard.unprotected.2=ServiceExecute=/resolve/service/execute
rsview.csrfguard.unprotected.3=MyCustomRule=/resolve/service/custompath

Location of the File

The file is located under <installation folder>/tomcat/webapps/resolve/WEB-INF/csrfguard.properties.

What is This File About

csrfguard.properties is used to configure the OWASP CSRFGuard Project implementation that Actions Pro uses to mitigate CSRF attacks. csrfguard.properties uses the standard Java properties file format, name=value.

It provides options to customize CSRFGuard to customer-specific needs, such as whitelisting, i.e. allowing access to certain URLs which are safe to access without protection, for example help page URLs, login pages, or any other page which requests authentication. It also configures some default actions, such as the HTTP error code to show the user in case of an attack, and the logs to generate listing attack vectors from the request.

The following sections describe what is whitelisted, and what is blacklisted in csrfguard.properties.

What is Whitelisted - Not Protected Against CSRF Attack

The following URLs are whitelisted by default because they are landing pages: a user gets access to the rest of the system only after successful authentication.

  •     org.owasp.csrfguard.unprotected.Root=/resolve/
  •     org.owasp.csrfguard.unprotected.ClientLogin=/resolve/service/client/login
  •     org.owasp.csrfguard.unprotected.Login=/resolve/service/login
  •     org.owasp.csrfguard.unprotected.Logout=/resolve/service/logout
  •     org.owasp.csrfguard.unprotected.ColorTheme=/resolve/service/client/getDefaultColorTheme
  •     org.owasp.csrfguard.unprotected.getLoginScreenDisplayInfo=/resolve/service/client/getLoginScreenDisplayInfo
  •     org.owasp.csrfguard.unprotected.PasswordRecovery=/resolve/service/passwordRecovery2
  •     org.owasp.csrfguard.unprotected.ReportingProxyController=/resolve/service/reporting/*
  •     org.owasp.csrfguard.unprotected.RSClient=/resolve/jsp/rsclient.jsp
  •     org.owasp.csrfguard.unprotected.SAML=/resolve/saml/*
  •     org.owasp.csrfguard.unprotected.SAMLIDP=/resolve/samlidp/*
  •     org.owasp.csrfguard.unprotected.React=/resolve/sir/index.html

What is Blacklisted (the Commented Whitelist)

The following URLs, by virtue of not being in the above white list, are protected by default (they are commented out). Customers may decide to make them unprotected (a potential white list) at their own discretion and within their own security restrictions. These are URLs which may be used to integrate Actions Pro with trusted external systems or entities: they give access to REST API endpoints from external systems that are already authenticated or integrated with trusted external authentication/authorization systems, such as ADFS, or event/case management systems.

  •     org.owasp.csrfguard.unprotected.RsWiki=/resolve/jsp/rswiki.jsp
  •     org.owasp.csrfguard.unprotected.SysscriptExecute=/resolve/service/sysscript/execute
  •     org.owasp.csrfguard.unprotected.ServiceExecute=/resolve/service/execute
  •     org.owasp.csrfguard.unprotected.WikiView=/resolve/service/wiki/view/*
  •     org.owasp.csrfguard.unprotected.WikiViewModel=/resolve/service/wiki/viewmodel/*
  •     org.owasp.csrfguard.unprotected.WikiDownload=/resolve/service/wiki/download/*
  •     org.owasp.csrfguard.unprotected.Public=/resolve/service/public/*
  •     org.owasp.csrfguard.unprotected.RestEndpoint=/resolve/rest/*
note

Keep in mind that the above list is not exhaustive, and customers, at their own discretion, can make other protected URLs that are not listed in the above white list or potential white list unprotected.

Whitelisted (Not Protected) Resource Types (MIME Types)

HTTP GET URLs requesting resources with the following extensions (MIME types) from Actions Pro are not protected, since accessing them does not change the state of the system, which is the prime target of a CSRF attack.

org.owasp.csrfguard.unprotected.JS=^(?i).*\.js$
org.owasp.csrfguard.unprotected.Styles=^(?i).*\.css$
org.owasp.csrfguard.unprotected.GIF=^(?i).*\.gif$
org.owasp.csrfguard.unprotected.PNG=^(?i).*\.png$
org.owasp.csrfguard.unprotected.JPG=^(?i).*\.jpg$
org.owasp.csrfguard.unprotected.JPEG=^(?i).*\.jpeg$
org.owasp.csrfguard.unprotected.WOFF=^(?i).*\.woff$
org.owasp.csrfguard.unprotected.WOFF2=^(?i).*\.woff2$
org.owasp.csrfguard.unprotected.EOT=^(?i).*\.eot$
org.owasp.csrfguard.unprotected.TTF=^(?i).*\.ttf$
org.owasp.csrfguard.unprotected.SVG=^(?i).*\.svg$
org.owasp.csrfguard.unprotected.ICO=^(?i).*\.ico$
org.owasp.csrfguard.unprotected.XML=^(?i).*\.xml$
org.owasp.csrfguard.unprotected.MAP=^(?i).*\.map$
org.owasp.csrfguard.unprotected.Properties=^(?i).*\.properties$

Requirements

  • Actions Pro has to be a secure product. We cannot achieve an acceptable Veracode and Burp security vulnerability score without a CSRF solution;
  • The CSRF solution that we implemented is an industry standard and OWASP recommended;
  • Old Actions Pro (prior to 6.2) content and product had a lot of open security issues that we closed. This may break existing content. In these cases, we have two options:
    • Customer and SE, at their own risk, white list all URLs that are not secure;
  • The customers (including PS and SE) need to follow security best practices when they build new content. Our product is very flexible and there is no easy way for us, at build time, to catch and advise customers if they try to put in a URL link that is not secured with a CSRF token. All of this can only be prevented by educating customers about the CSRF vulnerability and the approach to avoid it.

Troubleshooting

Problem

403 response from Browser

Cause

The Actions Pro UI rejected the request because it does not have a valid CSRF token, or because the URL has not been whitelisted.

Solution

  1. Obtain the URL used in the browser address bar:
    Example:  https://example.com:8443/resolve/service/login

  2. SSH to Actions Pro node.

  3. Navigate to <Actions Pro home>/tomcat/webapps/resolve/WEB-INF/csrfguard.properties.

  4. Backup and edit the csrfguard.properties.

    note

    The file contains numerous whitelisted URLs with the following format:
    org.owasp.csrfguard.unprotected.<xxxx>=/<path_sample>/<continuation>/<extra>

    Example: org.owasp.csrfguard.unprotected.Login=/resolve/service/login

  5. If the URL above is not whitelisted, add the corresponding string to the bottom of the file and save.

    note

    If this is a cluster, this must be done on the other nodes that contain the active RSVIEW component.

  6. Restart all RSVIEW nodes.
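Added example (not part of the Actions Pro documentation or of CSRFGuard itself): a small checker for step 5 that parses the whitelist entries from a constructed csrfguard.properties sample, plus one blueprint.properties row in the rsview.csrfguard.unprotected.N form shown earlier, and reports which rule, if any, exempts a given URL from the CSRF token check. The matching semantics (exact path, trailing '/*' prefix, '^...$' Java regex) are an assumption modelled on the three pattern styles this page lists, not CSRFGuard's own implementation; note that a commented-out entry is not parsed and therefore stays protected.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not the shipped file): default entries quoted on this page,
# one commented-out "potential white list" entry, and a blueprint.properties row.
CSRFGUARD_SAMPLE = r"""
org.owasp.csrfguard.unprotected.Root=/resolve/
org.owasp.csrfguard.unprotected.Login=/resolve/service/login
org.owasp.csrfguard.unprotected.ReportingProxyController=/resolve/service/reporting/*
org.owasp.csrfguard.unprotected.JS=^(?i).*\.js$
#org.owasp.csrfguard.unprotected.ServiceExecute=/resolve/service/execute
"""
BLUEPRINT_SAMPLE = "rsview.csrfguard.unprotected.1=WikiDownload=/resolve/service/wiki/download/*\n"
CSRFGUARD_KEY = "org.owasp.csrfguard.unprotected."
BLUEPRINT_KEY = re.compile(r"rsview\.csrfguard\.unprotected\.\d+")

def parse_unprotected(csrfguard_text, blueprint_text=""):
    """Map rule name -> pattern for every active rule; '#' lines stay protected."""
    rules = {}
    for line in csrfguard_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.startswith(CSRFGUARD_KEY):          # a leading '#' never matches
            rules[key[len(CSRFGUARD_KEY):]] = value.strip()
    for line in blueprint_text.splitlines():       # rsview...N=<Key>=<URL> form
        key, _, value = line.strip().partition("=")
        if BLUEPRINT_KEY.fullmatch(key):
            name, _, url = value.partition("=")
            rules[name.strip()] = url.strip()
    return rules

def _compile(pattern):
    # The patterns are Java regexes; Python 3.11+ rejects an inline flag group
    # such as (?i) unless it leads the pattern, so hoist it in front of the '^'.
    m = re.fullmatch(r"\^(\(\?[a-zA-Z]+\))(.*)", pattern)
    return re.compile(m.group(1) + "^" + m.group(2) if m else pattern)

def match_unprotected(rules, url):
    """Name of the rule exempting url's path from the CSRF check, or None if protected.
    Assumed matching (modelled on this page): exact path, '/*' prefix, '^...$' regex."""
    path = urlsplit(url).path or "/"
    for name, pattern in rules.items():
        if pattern.startswith("^") and pattern.endswith("$"):
            if _compile(pattern).search(path):
                return name
        elif pattern.endswith("/*"):
            if path.startswith(pattern[:-1]):
                return name
        elif path == pattern:                       # '/resolve/' is exact, not a prefix
            return name
    return None
```

Run it against the URL copied from the browser address bar in step 1; a None result means the request needs a valid CSRF token, which is the 403 case described above.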

Resources Required by Support

If the steps above do not resolve the issue, obtain the following information for support:

  1.     Open the developer tools in the browser and select the Network tab (press F12 while the browser window is focused).
  2.     Replicate the issue.
  3.     Look for the URL that results in the 403 error.
  4.     Save the content and provide it to support.
  5.     Also provide <Actions Pro home>/tomcat/webapps/resolve/WEB-INF/csrfguard.properties from all RSVIEW nodes.
  6.     Additionally, a zip of <Actions Pro home>/tomcat/logs may be requested at a later stage.
note

If you use a Round Robin DNS load balancer for RSView, Actions Pro may not be able to process the session tokens, as they are stored locally. This prevents you from logging in and produces either a blank page or a 403 error. Load balancer users need to use sticky sessions.