Preventing CSRF attacks
How CSRF attacks work
Cross-site request forgery (CSRF) is a website vulnerability in which a valid user’s browser is used to send a malicious request, possibly via an iFrame. Because the browser sends cookies on a per-domain basis, a forged request to an application the user is currently logged in to carries the user’s session cookie, so the user’s data may be compromised.
For example, consider a scenario where you are logged in to the administration console in a browser. You receive an email message containing a link. You click the link, which opens a new tab in your browser. The page that you opened contains a hidden iFrame that makes a malicious request to the forms server using the cookie from your authenticated AEM forms session. Because User Management receives a valid cookie, it passes the request.
How allowed referers work
AEM forms provides referer filtering, which can help prevent CSRF attacks. Here is how referer filtering works:
- The forms server checks the HTTP method used for invocation:
  - If it is POST, the forms server performs the referer header check.
  - If it is GET, the forms server bypasses the referer check, unless CSRF_CHECK_GETS is set to true, in which case it performs the referer header check. CSRF_CHECK_GETS is specified in the web.xml file for your application. (See “Protecting from Cross-Site Request Forgery attacks” in the Hardening and Security guide.)
- The forms server checks whether the requested URI is allowlisted:
  - If the URI is allowlisted, the server passes the request.
  - If the requested URI is not allowlisted, the server retrieves the referer of the request.
    - If there is a referer in the request, the server checks whether it is an allowed referer. If it is allowed, the server checks for a referer exception:
      - If it is an exception, the request is blocked.
      - If it is not an exception, the request is passed.
    - If there is no referer in the request, the server checks whether a null referer is allowed.
      - If a null referer is allowed, the request is passed.
      - If a null referer is not allowed, the server checks whether the requested URI is an exception for null referer and handles the request accordingly.
Configure allowed referers
When you run Configuration Manager, the default host and IP address of the forms server are added to the Allowed Referer list. You can edit this list in the administration console.
- In the administration console, click Settings > User Management > Configuration > Configure Allowed Referer URL’s. The Allowed Referer list appears at the bottom of the page.
- To add an allowed referer:
  - Type a host name or IP address in the Allowed Referers box. To add more than one allowed referer at a time, type each host name or IP address on a new line.
  - In the HTTP Port and HTTPS Ports boxes, specify which ports to allow for HTTP, HTTPS, or both. If you leave those boxes empty, the default ports (port 80 for HTTP and port 443 for HTTPS) are used. If you enter 0 (zero) in the boxes, all ports on that server are enabled. You can also enter a specific port number to enable only that port.
  - Click Add.
- To remove an entry from the Allowed Referer list, select the item from the list and click Delete. If the Allowed Referer list is empty, the CSRF feature stops working and the system becomes insecure.
- After changing the Allowed Referer list, restart the AEM forms server.
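The following Python model is an added illustration of the referer-filtering decision procedure described under “How allowed referers work” together with the port rules from the Allowed Referer configuration above (empty port boxes mean the default 80/443, 0 means every port). It is not Adobe’s code and does not reflect how the forms server is implemented internally; the names RefererPolicy, referer_allowed and check_request, the sample hosts and URIs, and the exact meaning of “referer exception” (URIs blocked even for an allowed referer) and “null referer exception” (URIs passed despite a missing referer) are assumptions made for the example.

```python
# Added illustration of the AEM forms referer-filtering decision steps. Not Adobe's code:
# it models the documented checks so the PASS/BLOCK outcome for a method, URI and
# Referer header can be exercised offline.
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

PASS, BLOCK = "PASS", "BLOCK"


class RefererPolicy:
    """Settings from the Allowed Referer page plus CSRF_CHECK_GETS from web.xml (assumed shape)."""

    def __init__(
        self,
        allowed_referers: Dict[str, Tuple[Set[int], Set[int]]],
        allowlisted_uris: Optional[Set[str]] = None,
        referer_exceptions: Optional[Set[str]] = None,
        null_referer_allowed: bool = False,
        null_referer_exceptions: Optional[Set[str]] = None,
        csrf_check_gets: bool = False,
    ) -> None:
        # host name or IP -> (HTTP ports, HTTPS ports). An empty set means the default
        # port (80 or 443); a set containing 0 means every port on that host.
        self.allowed_referers = {h.lower(): p for h, p in allowed_referers.items()}
        self.allowlisted_uris = allowlisted_uris or set()
        # Assumed semantics: URIs blocked even when the referer itself is allowed.
        self.referer_exceptions = referer_exceptions or set()
        self.null_referer_allowed = null_referer_allowed
        # Assumed semantics: URIs passed even though the request carries no referer.
        self.null_referer_exceptions = null_referer_exceptions or set()
        self.csrf_check_gets = csrf_check_gets


def referer_allowed(policy: RefererPolicy, referer: str) -> bool:
    """True if the Referer header names a host and port on the Allowed Referer list."""
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    entry = policy.allowed_referers.get(parts.hostname)  # hostname is already lower case
    if entry is None:
        return False
    http_ports, https_ports = entry
    default_port = 80 if parts.scheme == "http" else 443
    allowed_ports = (http_ports if parts.scheme == "http" else https_ports) or {default_port}
    port = parts.port if parts.port is not None else default_port
    return 0 in allowed_ports or port in allowed_ports


def check_request(policy: RefererPolicy, method: str, uri: str, referer: Optional[str]) -> str:
    """Walk the documented steps in order and return PASS or BLOCK."""
    # 1. HTTP method: GET skips the referer check unless CSRF_CHECK_GETS is true.
    if method.upper() == "GET" and not policy.csrf_check_gets:
        return PASS
    # 2. An allowlisted URI passes without any referer inspection.
    if uri in policy.allowlisted_uris:
        return PASS
    # 3. A referer is present: it must be allowed, and the URI must not be an exception.
    if referer:
        if not referer_allowed(policy, referer):
            return BLOCK  # assumed: a referer outside the allowed list is rejected
        return BLOCK if uri in policy.referer_exceptions else PASS
    # 4. No referer: pass only if null referers are allowed or the URI is a null-referer exception.
    if policy.null_referer_allowed:
        return PASS
    return PASS if uri in policy.null_referer_exceptions else BLOCK


# Constructed sample policy: the forms server host on the default ports, an internal IP on any port.
SAMPLE_POLICY = RefererPolicy(
    allowed_referers={"forms.example.com": (set(), set()), "10.0.0.5": ({0}, {0})},
    allowlisted_uris={"/public/ping"},
    referer_exceptions={"/admin/deleteUser"},
    null_referer_exceptions={"/api/healthcheck"},
)

if __name__ == "__main__":
    # The scenario from the top of the page: a POST forged from a page on another site
    # carries that site's origin as the referer, which is not on the allowed list.
    print(check_request(SAMPLE_POLICY, "POST", "/admin/saveUser", "https://other-site.example/page"))  # BLOCK
    print(check_request(SAMPLE_POLICY, "POST", "/admin/saveUser", "https://forms.example.com/ui"))  # PASS
```

Running the module shows why the configuration notes matter: with the list empty every non-allowlisted POST carrying a referer is blocked, and with a null referer allowed a request that strips the header passes, so the settings combine into the effective policy rather than acting independently.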