Introduction:
Cross Site Request Forgery (CSRF) is a common vulnerability in web applications. CSRF is an attack that forces the end user to execute unwanted actions on a web application; as a result, sensitive data may be overwritten with malicious data without the user intending it.
Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that
contains a malicious request. It is malicious in the sense that it inherits the
identity and privileges of the victim to perform an undesired function on the
victim's behalf, like change the victim's e-mail address, home address, or
password, or purchase something. CSRF attacks generally target functions that
cause a state change on the server but can also be used to access sensitive
data.
For more information, please go through the following link.
Prevention:
To prevent CSRF attacks we generate a token using the Synchronizer Token Pattern and associate every action with this token. The token is added to each URL; before executing any form action or link action, the server checks the token, and the action is executed only if the token is valid.
Liferay Implementation:
Liferay also implements a mechanism to prevent CSRF attacks. In Liferay every generated URL carries a request parameter called p_auth. p_auth is the portal authentication token that prevents CSRF attacks. By default the p_auth request parameter is included in all Liferay URLs.
Concept:
For each portlet, every request URL contains a p_auth parameter whose value is a random alphanumeric string. As soon as a URL is generated, the token is stored in the session and also placed in the URL as the p_auth request parameter. When an action is performed, an AuthToken Java class is responsible for checking the token: if the token is valid the action is executed, otherwise it is blocked.
Example URL which contains the CSRF token (p_auth):
http://eportal.aswatson.net/web/guest/home?p_auth=8prVcgJC&p_p_auth=PitE9LxF&p_p_id=signinaction_WAR_SiginInportlet&p_p_lifecycle=1&p_p_state=pop_up&p_p_mode=view&controlPanelCategory=portlet_signinaction_WAR_SiginInportlet&_signinaction_WAR_SiginInportlet_cmd=update
Note:
The token is valid only for a particular time; after that it expires.
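The following is an added example, written for this article and not Liferay's own SessionAuthToken code, that shows the Synchronizer Token Pattern described above: a random alphanumeric token is created and kept in the session, appended to every generated URL as p_auth, and checked on the server before an action runs. The session object, the 8-character token length (chosen to match the example URL) and the 15-minute lifetime are assumptions; the post only says the token expires after "a particular time".

```python
import secrets
import string
import time
from urllib.parse import parse_qs, urlencode, urlsplit

ALPHABET = string.ascii_letters + string.digits
TOKEN_LENGTH = 8                 # assumption: matches the p_auth length in the example URL
TOKEN_TTL_SECONDS = 15 * 60      # assumption: the article gives no concrete lifetime


class SessionTokenStore:
    """Stand-in for the HTTP session: keeps the token and the time it was issued."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be exercised offline
        self._token = None
        self._issued_at = None

    def _expired(self):
        return self._clock() - self._issued_at > TOKEN_TTL_SECONDS

    def current_token(self):
        """Return the session token, minting a fresh one if none exists or it expired."""
        if self._token is None or self._expired():
            self._token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LENGTH))
            self._issued_at = self._clock()
        return self._token

    def is_valid(self, presented):
        """Accept only an unexpired token that matches the session copy (constant-time compare)."""
        if self._token is None or presented is None or self._expired():
            return False
        return secrets.compare_digest(self._token, presented)


def add_csrf_token(session, url):
    """Append p_auth to a generated URL, the way every portal URL gets it."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["p_auth"] = [session.current_token()]
    return parts._replace(query=urlencode(query, doseq=True)).geturl()


def check_request(session, url, exempt=False):
    """Server side: allow the action only when the presented p_auth matches the session token.

    `exempt` models an action or portlet listed in the ignore properties, for which
    no token check is performed.
    """
    if exempt:
        return True
    presented = parse_qs(urlsplit(url).query).get("p_auth", [None])[0]
    return session.is_valid(presented)


if __name__ == "__main__":
    session = SessionTokenStore()
    # constructed sample URL; the host is a placeholder
    url = add_csrf_token(session, "http://portal.example.invalid/web/guest/home?p_p_id=demo&p_p_lifecycle=1")
    print(url)
    print("with token  :", check_request(session, url))
    print("token absent:", check_request(session, "http://portal.example.invalid/web/guest/home?p_p_id=demo"))
```

Because the token is compared against the copy held in the session, a request that carries no p_auth, a stale one, or one guessed by a third party fails the check; once the lifetime has passed, the next generated URL receives a fresh token and the old one stops validating.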
Manage Portal Authentication Token
By default Liferay associates all URLs and all actions with the p_auth parameter to prevent CSRF. Sometimes we may not need this everywhere, so how to handle that is covered in the following sections.
Enable the Portal Authentication Token using the following property in the portal.properties file:
auth.token.check.enabled=true
Note:
It is enabled by default; if you want to change it, override the property in the portal-ext.properties file.
Liferay implements a token authentication Java class that is responsible for validating and generating the token. We can also implement our own Java class to handle the CSRF token.
The following property sets the token implementation class:
# Set the authentication token class. This class must implement
# com.liferay.portal.security.auth.AuthToken. This class is used to prevent
# CSRF attacks. See http://issues.liferay.com/browse/LPS-8399 for more information.
auth.token.impl=com.liferay.portal.security.auth.SessionAuthToken
Note:
SessionAuthToken is the default implementation class. We can also implement our own class, which must implement the AuthToken interface, and then set our implementation class in the above property.
Now we understand how to enable the Portal Authentication Token (p_auth) to prevent CSRF. Sometimes we may not need it for every portlet and every URL. The following are the different ways and scenarios in which we can disable the Portal Authentication Token.
Ignoring actions from the token authentication check:
We can exclude some actions from the authentication check.
The following property takes a comma-delimited list of struts actions that do not need the authentication check.
# Input a list of comma delimited struts actions that will not be checked
# for an authentication token.
#
auth.token.ignore.actions=\
/asset/rss,/asset_publisher/edit_article_discussion,\
/asset_publisher/edit_entry_discussion,\
/asset_publisher/edit_file_entry_discussion,\
/asset_publisher/edit_page_discussion,/blogs/edit_entry,\
/blogs/edit_entry_discussion,\
/blogs/rss,/blogs/trackback,/blogs_aggregator/edit_entry,\
/blogs_aggregator/edit_entry_discussion,/blogs_aggregator/rss,\
/calendar/edit_event_discussion,/document_library/edit_file_entry,\
/document_library/edit_file_entry_discussion,\
/document_library_display/edit_file_entry,\
/document_library_display/edit_file_entry_discussion,\
/journal/edit_article_discussion,\
/journal/rss,/journal_content/edit_article_discussion,\
/image_gallery_display/edit_file_entry,\
/image_gallery_display/edit_image,/login/login,\
/message_boards/edit_discussion,\
/message_boards/edit_message,/message_boards/rss,/my_sites/view,\
/page_comments/edit_page_discussion,/shopping/edit_order_discussion,\
/software_catalog/edit_product_entry_discussion,/wiki/edit_page,\
/wiki/edit_page_attachment,/wiki/edit_page_discussion,\
/wiki/get_page_attachment,\
/wiki/rss,/wiki_admin/edit_page_attachment,\
/wiki_display/edit_page_attachment,\
/wiki_display/edit_page_discussion
Note:
By default many struts actions are included in the list. If you want to add a new action or change something, override the property in the portal-ext.properties file.
Ignoring portlets from the authentication token check
We can also exclude portlets from the Portal Authentication Check.
The following portal property handles this; add the portlet ids, comma delimited.
# Set a list of comma delimited portlet ids that will not be checked for an
# authentication token.
auth.token.ignore.portlets=82,87, userpreferences_WAR_Stocksportlet
Ignore for Individual Portlet
We can also exclude an individual portlet from the portal authentication check by using its portlet.xml file.
We need to add the following init parameter tag in portlet.xml:
<init-param>
<name>check-auth-token</name>
<value>false</value>
</init-param>
Portlet Authentication Token (p_p_auth)
Liferay has a feature that lets us add a portlet dynamically to any page. Generally we add a portlet to a page in the usual way, but sometimes we need to add a portlet to a page dynamically.
Example scenarios: loading a portlet in a pop-up, loading a portlet in a div on a page, and sharing a portlet in other places.
In such scenarios we use the add-default-resource tag in the liferay-portlet.xml file. When this tag is set to true, the portlet can be loaded on any page dynamically and shared in other places.
To mitigate the security risk this introduces, Liferay adds the Portlet Authentication Token (p_p_auth) as a request parameter. The Portlet Authentication Token (p_p_auth) is an alphanumeric string generated randomly for the portlet URLs of portlets that have add-default-resource enabled.
To enable add-default-resource we need to add the following tag in the liferay-portlet.xml file:
<portlet>
<portlet-name>PortletY</portlet-name>
<icon>/icon.png</icon>
<instanceable>false</instanceable>
<header-portlet-css>/css/main.css</header-portlet-css>
<footer-portlet-javascript>/js/main.js</footer-portlet-javascript>
<css-class-wrapper>portlety-portlet</css-class-wrapper>
<add-default-resource>true</add-default-resource>
<system>true</system>
</portlet>
Enable Portlet Authentication Token (p_p_auth)
To enable the Portlet Authentication Token (p_p_auth) we use the following portal property:
portlet.add.default.resource.check.enabled=true
Note:
It is enabled by default in the portal; if you want to change it, override the property in the portal-ext.properties file.
Ignore/Bypass/Avoid Portlet Authentication Check for Portlets:
The following property bypasses the Portlet Authentication Check for the listed portlets:
# Set a list of comma delimited list of portlet ids that will bypass the
# security check set in the property
# "portlet.add.default.resource.check.enabled".
portlet.add.default.resource.check.whitelist=3,56_INSTANCE_0000,58,82,\
86,87,88,103,113,145,164,166,170,177
Note:
By default many portlets are included in the list. If you want to add a new portlet or change something, override the property in the portal-ext.properties file.
Ignore/Bypass/Avoid Portlet Authentication Check for Actions:
The following property bypasses the Portlet Authentication Check for the listed struts actions:
# Input a list of comma delimited struts actions that will bypass the
# security check set in the property
# "portlet.add.default.resource.check.enabled".
portlet.add.default.resource.check.whitelist.actions=\
/journal/rss,\
/language/view
Note:
If we want to override existing portal properties we use the portal-ext.properties file or a Liferay Hook plugin.
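As an added example that is not part of the article or of Liferay's code, the block below reads the properties discussed in the sections on ignoring actions, ignoring portlets, the per-portlet check-auth-token init parameter, and the add-default-resource whitelists, and answers for a given portlet id and struts action whether a p_auth check and a p_p_auth check apply. The property excerpt and the portlet ids PortletY_WAR_demo and noauth_WAR_demo are constructed samples; the decision logic is a simplified reading of the article's description, not Liferay's actual check. It also shows one practical caveat: a value set in portal-ext.properties replaces the whole default list rather than appending to it, so an override that forgets the default entries changes which actions are checked.

```python
def parse_properties(text):
    """Minimal java.util.Properties reader: '#' comments, key=value, trailing '\\' continuations."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):          # continuation: value goes on in the next line
            pending += line[:-1]
            continue
        pending += line
        key, _, value = pending.partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props


def csv_set(value):
    """Split a comma-delimited property value into a set, tolerating stray spaces."""
    return {item.strip() for item in value.split(",") if item.strip()}


# Constructed excerpt in the style of portal.properties, using values from the article.
PORTAL_PROPERTIES = """\
auth.token.check.enabled=true
auth.token.ignore.actions=\\
    /asset/rss,/blogs/rss,\\
    /login/login
auth.token.ignore.portlets=82,87, userpreferences_WAR_Stocksportlet
portlet.add.default.resource.check.enabled=true
portlet.add.default.resource.check.whitelist=3,58,82
portlet.add.default.resource.check.whitelist.actions=\\
    /journal/rss,\\
    /language/view
"""

# Constructed portal-ext.properties override: this REPLACES the default list, it does not append.
PORTAL_EXT_PROPERTIES = """\
auth.token.ignore.actions=/blogs/rss
"""


class TokenPolicy:
    """Decides, per request, which of the two Liferay tokens must be present and valid."""

    def __init__(self, portal_props, ext_props=None,
                 portlet_xml_check_auth=None, add_default_resource=None):
        merged = dict(portal_props)
        merged.update(ext_props or {})   # later file wins key by key, whole value replaced
        self.check_enabled = merged.get("auth.token.check.enabled", "true") == "true"
        self.ignore_actions = csv_set(merged.get("auth.token.ignore.actions", ""))
        self.ignore_portlets = csv_set(merged.get("auth.token.ignore.portlets", ""))
        # portlet id -> value of the check-auth-token init-param from that portlet's portlet.xml
        self.portlet_xml_check_auth = portlet_xml_check_auth or {}
        self.resource_check_enabled = (
            merged.get("portlet.add.default.resource.check.enabled", "true") == "true")
        self.resource_whitelist = csv_set(
            merged.get("portlet.add.default.resource.check.whitelist", ""))
        self.resource_whitelist_actions = csv_set(
            merged.get("portlet.add.default.resource.check.whitelist.actions", ""))
        # portlet id -> True when <add-default-resource>true</add-default-resource> is set
        self.add_default_resource = add_default_resource or {}

    def requires_p_auth(self, portlet_id, struts_action):
        """Portal authentication token (CSRF) check, minus the three kinds of exemption."""
        if not self.check_enabled:
            return False
        if struts_action in self.ignore_actions:
            return False
        if portlet_id in self.ignore_portlets:
            return False
        if self.portlet_xml_check_auth.get(portlet_id) == "false":
            return False
        return True

    def requires_p_p_auth(self, portlet_id, struts_action):
        """Portlet authentication token check for dynamically added portlets (simplified)."""
        if not self.resource_check_enabled:
            return False
        if not self.add_default_resource.get(portlet_id, False):
            return False                 # token is only generated for add-default-resource portlets
        if portlet_id in self.resource_whitelist:
            return False
        if struts_action in self.resource_whitelist_actions:
            return False
        return True
```

A quick way to use it is to build two policies, one from the defaults alone and one with the override merged in, and compare `requires_p_auth` for an action such as /asset/rss: with the override in place that action is no longer exempt, because the shorter list replaced the default one.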
Important Points
p_auth : Portal authentication token for CSRF protection
p_p_auth : Portlet authentication token for add-default-resource protection