Monday, March 31, 2014

Cross Site Request Forgery (CSRF) Prevention in Liferay

Introduction:

Cross Site Request Forgery (CSRF) is one of the web vulnerability in web applications.
CSRF is an attack which forces the end user to execute unwanted actions on web applications as this result unwontedly some of sensitive data will be updated by mal data.

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like change the victim's e-mail address, home address, or password, or purchase something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.

More information Please go through following link


Prevention:

To prevent CSRF attack need to generate Synchronizer Token Pattern and we need to associate all actions with this token.

In each URL we will add this token and before execute any form action or some link action then the server will check the token , if the token is valid then it will be execute the action.

Liferay Implementation:

Liferay also implemented mechanism to prevent CSRF attack. In liferay all URLs will generate with one of the request parameter called p_auth.

p_auth is portal authentication token to prevent CSRF attack. By default all liferay URLs p_auth request parameters is included.

Concept:

For each Portlet and each request URL contains p_auth parameter and its values is random alphanumeric string consist of some pattern.

As soon as URL is generated then token will be stored in Session and token will be in request parameter as p_auth. when we perform any action then there is some AuthToken java class which is responsible to check the token. If the token is valid then action will be executed otherwise it will be prevent.

Example URL which Contains CSRF token or p_auth


http://eportal.aswatson.net/web/guest/home?
p_auth=8prVcgJC&p_p_auth=PitE9LxF&
p_p_id=signinaction_WAR_SiginInportlet&p_p_lifecycle=1&
p_p_state=pop_up&p_p_mode=view&controlPanelCategory=
portlet_signinaction_WAR_SiginInportlet&
_signinaction_WAR_SiginInportlet_cmd=update


Note:

This token validity for particular time after that token will be expired.

Manage Portal Authentication Token

Liferay by default all URLs and all action will be associated with p_auth parameter to prevent CSRF.

Some time we may not need this for every time so how we need to handle will see in the following article.

Enable Portal Authentication Token using following property in portal.properties file


auth.token.check.enabled=true


Note:

By default it enabled if you want change then we will use portal-ext.properties file to override.

Liferay implemented Token Authentication java class which is responsible to validate and generate token. We can also implement our own java class to handle CSRF token

The following is property to handle Token Implementation Class


# Set the authentication token class. This class must implement
# com.liferay.portal.security.auth.AuthToken. This class is used to prevent
# CSRF attacks. See http://issues.liferay.com/browse/LPS-8399 for more information.

auth.token.impl=com.liferay.portal.security.auth.SessionAuthToken


Note:

SessionAuthToken is default implementation class and we can also implement our own class and that should implement the AuthToken interface. We need to add our implementation class in the above list.

Well we understand how to enable Portal Authentication Token (p_auth) to prevent CSRF.
Some time we may not need this for every portlet and every URL. The following are different ways and different scenarios we will disable Portal Authentication Token.

Ignoring actions from token authentication check:

We can ignore some actions to avoid authentication check.

The following is property and we need to specify list of struts actions which don’t need authentication check.

   
# Input a list of comma delimited struts actions that will not be checked
    # for an authentication token.
    #
auth.token.ignore.actions=\
/asset/rss,/asset_publisher/edit_article_discussion,\
/asset_publisher/edit_entry_discussion,\
/asset_publisher/edit_file_entry_discussion,\
/asset_publisher/edit_page_discussion,/blogs/edit_entry,\
/blogs/edit_entry_discussion,\
/blogs/rss,/blogs/trackback,/blogs_aggregator/edit_entry,\
/blogs_aggregator/edit_entry_discussion,/blogs_aggregator/rss,\
/calendar/edit_event_discussion,/document_library/edit_file_entry,\
/document_library/edit_file_entry_discussion,\
/document_library_display/edit_file_entry,\
/document_library_display/edit_file_entry_discussion,\
/journal/edit_article_discussion,\
/journal/rss,/journal_content/edit_article_discussion,\
/image_gallery_display/edit_file_entry,\
/image_gallery_display/edit_image,/login/login,\
/message_boards/edit_discussion,\
/message_boards/edit_message,/message_boards/rss,/my_sites/view,\
/page_comments/edit_page_discussion,/shopping/edit_order_discussion,\
/software_catalog/edit_product_entry_discussion,/wiki/edit_page,\
/wiki/edit_page_attachment,/wiki/edit_page_discussion,\
/wiki/get_page_attachment,\
/wiki/rss,/wiki_admin/edit_page_attachment,\
/wiki_display/edit_page_attachment,\
/wiki_display/edit_page_discussion


Note:

By default many struts action are included in list if you want add new action or change something then we will use portal-ext.properties file to override.

Ignoring portlets from authentication token check

We can also ignore/avoid portlets from Portal Authentication Check.
The following portal property we will use to handle and we need to add portlet ids with comma delimiter.


# Set a list of comma delimited portlet ids that will not be checked for an
# authentication token.

auth.token.ignore.portlets=82,87, userpreferences_WAR_Stocksportlet


Ignore for Individual Portlet

We can also ignore/avoid portal authentication check by using portlet.xml file.

We need to add following init parameter tag in portlet.xml file


<init-param>
 <name>check-auth-token</name>
 <value>false</value>
</init-param>


Portlet Authentication Token (p_p_auth)

In Liferay we have feature called we can add portlet dynamically to any page. Generally we will add portlet in page some time we may need to add portlet to page dynamically.

Example scenarios load portlet in Pop Up. Load some portlet in Div in page and share portlet in some other places.

When we get such scenarios we will use add-default-resource tag in liferay-portlet.xml file.
When we make above tag true then we load portlet in any page dynamically and we can share portlet in other places.

In such scenarios to prevent some vulnerability we will use Portlet Authentication Token (p_p_auth) in request parameter.

Portlet Authentication Take (p_p_auth) is as alpha numeric string which generate randomly to Portlet URLs for which portlet enabled add-default-resource.

Enable add-default-resource we need to add following tag in liferay-portlet.xml file


<portlet>
                        <portlet-name>PortletY</portlet-name>
                        <icon>/icon.png</icon>
                        <instanceable>false</instanceable>
                        <header-portlet-css>/css/main.css</header-portlet-css>
                        <footer-portlet-javascript>/js/main.js
                        </footer-portlet-javascript>
                        <css-class-wrapper>portlety-portlet</css-class-wrapper>
                        <add-default-resource>true</add-default-resource>
                       <system>true</system>
</portlet>


Enable Portlet Authentication Token(p_p_auth)

To enable Portlet Authentication Token (p_p_auth) we need use following portal property.


portlet.add.default.resource.check.enabled=true


Note:

By default it enabled in portal if you want change then we will use portal-ext.properties file to override.

Ignore/Bypass/Avoid Portlet Authentication Check for Portlets:

The following property will bypass portlet from Portlet Authentication Check


# Set a list of comma delimited list of portlet ids that will bypass the
# security check set in the property
 # "portlet.add.default.resource.check.enabled".
 portlet.add.default.resource.check.whitelist=3,56_INSTANCE_0000,58,82,\
86,87,88,103,113,145,164,166,170,177


Note:

By default many portlet are included in the list if you want add new portlet or change something then we will use portal-ext.properties file to override.

Ignore/Bypass/Avoid Portlet Authentication Check for Actions:


# Input a list of comma delimited struts actions that will bypass the
# security check set in the property
# "portlet.add.default.resource.check.enabled".

    portlet.add.default.resource.check.whitelist.actions=\
        /journal/rss,\
        /language/view


Note:

If we want override existed portal properties we will use portal-ext.properties file or we will use Liferay Hook Plugin.

Important Points


p_auth      :  Portal authentication token for CSRF protection

p_p_auth : Portlet authentication token for add-default-resource protection



Author

Popular Posts

Recent Posts

Recent Posts Widget