Cross-Site Request Forgery (CSRF)

A Cross-Site Request Forgery (CSRF), also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

To prevent these types of attacks, WebFOCUS must be configured to use the CSRF token functionality. Once this configuration is completed, a CSRF token is generated every time the WebFOCUS RESTful Web Services authentication request (IBIRS_action=signOn) is run, and the token is returned in the response. This token must then be sent as a parameter with every WebFOCUS RESTful Web Service request that performs a Create, Update, or Delete operation. These types of requests must be performed through the HTTP POST method.

The CSRF token prevents these attacks because the server checks each request for a randomly generated, encrypted value that is stored in the web session of the actually authenticated user; a request from a third-party site cannot supply that value. This feature is not supported for Kerberos and SSO environments.

Procedure: How to Enable and Configure the CSRF Token Functionality

To enable and configure the CSRF token functionality:

  1. Log on to the WebFOCUS Administration Console.
  2. In the left pane, expand Configuration, Application Settings, and then select Filters, as shown in the following image.

  3. Set the IBI_CSRF_Enforce and IBI_REST_Method_Enforce parameters to True.

    The following table lists and describes the parameters related to the CSRF token functionality that are available in the Application Settings - Filters pane of the WebFOCUS Administration Console.

    Parameter: IBI_CSRF_Enforce
    Description: Requires all POST requests to provide a CSRF token to be validated, except for legacy requests, if that exception is allowed by the IBI_CSRF_Allow_Legacy parameter. The default value is False.

    Parameter: IBI_CSRF_Allow_Legacy
    Description: The default value is True, which allows legacy WebFOCUS Servlet requests to run without requiring or using a CSRF token.

    Parameter: IBI_REST_Method_Enforce
    Description: If set to True, RESTful Web Services operations that Create, Update, or Delete can only be run with the HTTP POST method. The default value is False.
    Note: If the IBI_CSRF_Enforce parameter is also set to True, then RESTful Web Services also require a CSRF token. The token name is specified by the IBI_CSRF_Token_Name parameter.

    Parameter: IBI_CSRF_Token_Name
    Description: Specifies the name of the CSRF token. The default value is IBIWF_SES_AUTH_TOKEN.

Actions Requiring a CSRF Token

If WebFOCUS is configured to use the CSRF token functionality, the following WebFOCUS RESTful Web Services actions (IBIRS_action) require a CSRF token to be passed in the request:

Obtaining a CSRF Token

The CSRF token is returned in the response of the WebFOCUS RESTful Web Services authentication action (IBIRS_action=signOn), as shown in the following image.

In this example, the name of the CSRF token is IBIWF_SES_AUTH_TOKEN and the value for the CSRF token is 015a794691fe6a67b8ae059e0d506596.

Passing a CSRF Token

If WebFOCUS is configured to use the CSRF token functionality, then the CSRF token is passed as a parameter within the body of the POST request for all actions that require a CSRF token.

Example:

The following example shows the WebFOCUS RESTful Web Service request to add a user with a CSRF token.

POST Request URL:

http://localhost:8080/ibi_apps/rs

Body:

IBIRS_path=/SSYS/USERS/testuser&IBIRS_action=put
&IBIRS_object=<object _jt="IBFSUserObject" description="Test Userid"  email="restid@informationbuilders.com" password="rest" type="User">
<status _jt="IBSSUserStatus" name="ACTIVE"/>
</object>
&IBIRS_service=ibfs&IBIWF_SES_AUTH_TOKEN=015a794691fe6a67b8ae059e0d506596

If the CSRF token is not sent or an invalid CSRF token is sent in requests that require a CSRF token, then the following error message will be returned in the response:

<!DOCTYPE HTML>
<HTML>
<HEAD>
<title>403 - Access Denied</title>
</HEAD>
<body style="background-color:#dae1e7; margin:0;"> 
  <div align="center" style="position:relative;font-family:Arial;top:172px;font-size:25pt;">403 - Access Denied</div>
  <div align="center" style="position:relative;top:178px;font-size:9pt;font-family:Tahoma;color: #485059;">You are not authorized to view this page</div>
</body>
</HTML>
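The following Python is an added example, not code from the WebFOCUS documentation or product. It models the flow described in this section: reading the token name and value from a signOn response, building the put request body shown above, and the server-side check that answers with 403 - Access Denied when the token is missing or wrong. The layout of the signOn XML response is an assumption; the token name, the put body fields and the user values are taken from the page.

```python
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs

DEFAULT_TOKEN_NAME = "IBIWF_SES_AUTH_TOKEN"  # default of IBI_CSRF_Token_Name

# Constructed signOn response. Its layout is an assumption for this example;
# only the token name and value match the page.
SAMPLE_SIGNON_RESPONSE = """<ibfsrpc name="signOn" returncode="10000">
  <properties>
    <entry key="IBI_CSRF_Token_Name" value="IBIWF_SES_AUTH_TOKEN"/>
    <entry key="IBI_CSRF_Token_Value" value="015a794691fe6a67b8ae059e0d506596"/>
  </properties>
</ibfsrpc>"""

def extract_csrf_token(signon_xml):
    """Return (token_name, token_value) from a signOn response."""
    entries = {e.get("key"): e.get("value")
               for e in ET.fromstring(signon_xml).iter("entry")}
    return (entries.get("IBI_CSRF_Token_Name", DEFAULT_TOKEN_NAME),
            entries["IBI_CSRF_Token_Value"])

def build_put_user_body(user, description, email, password, token_name, token_value):
    """URL-encoded POST body for IBIRS_action=put that adds a user.
    ElementTree escapes the attribute values, so a quote in a description
    cannot break out of the IBIRS_object XML."""
    obj = ET.Element("object", {"_jt": "IBFSUserObject", "description": description,
                                "email": email, "password": password, "type": "User"})
    ET.SubElement(obj, "status", {"_jt": "IBSSUserStatus", "name": "ACTIVE"})
    return urlencode({
        "IBIRS_path": "/SSYS/USERS/" + user,
        "IBIRS_action": "put",
        "IBIRS_object": ET.tostring(obj, encoding="unicode"),
        "IBIRS_service": "ibfs",
        token_name: token_value,  # the CSRF token travels in the POST body
    })

def check_request(method, body, session_token, token_name=DEFAULT_TOKEN_NAME):
    """Model of the server-side rule the page describes: a Create/Update/Delete
    action must arrive by POST and carry a token equal to the one stored in the
    authenticated user's session. Anything else gets 403 - Access Denied."""
    if method != "POST":
        return 403
    sent = parse_qs(body).get(token_name, [None])[0]
    if sent is None or not hmac.compare_digest(sent, session_token):
        return 403
    return 200
```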

Information Builders