Configuring CSRF protection
Cross-Site Request Forgery (CSRF) is an attack that forces a user to execute unwanted actions on a web application in which the user is currently authenticated. CSRF specifically targets state-changing requests, not theft of data, because the attacker cannot see the response to the forged request. With a little help of social engineering (sending a link in email or chat), an attacker can trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force users to perform state-changing requests including transferring funds or changing their email address. If the victim is an administrative account, CSRF can compromise the entire web application.
Mitigating CSRF attacks
Pega Platform™ uses session tokens to mitigate the risk of CSRF attacks. Each user session is assigned one or more unique tokens. These tokens are made available to the browser for inclusion in the URL of all requests. Each request is examined for a valid token and is rejected, if either no token or an invalid one is provided. Exceptions can be configured based on the values of the HTTP Referrer header contained in the request.
For Pega Platform 8.1 and later, for the CSRF settings, use the Cross-Site Request Forgery landing page instead of modifying the dynamic system settings directly. For more information, see Enabling Cross-Site Request Forgery settings.
For Pega Platform 7 and earlier, the following settings control the behavior of CSRF prevention:
- security/csrf/securedActivities – Specifies a list of activities to secure (comma-separated list). A request for an activity in this list must include a valid CSRF token.
- security/csrf/securedStreams – Specifies a list of streams to secure (comma-separated list). A request for a stream in this list must include a valid CSRF token.
- security/csrf/secureall – Use this setting when you are not securing specific activities and streams, and the securedActivities and securedStreams settings are blank or not set.
- security/csrf/validreferers – Specifies the valid referrers values permitted in requests (comma-separated list with no spaces). If CSRF token and activity/stream validations fail, the referrer header is validated against this list. The request fails if the referrer header is not contained in the list.
- security/csrf/mitigation – The switch used to toggle the “CSRF mitigation” feature on or off. Enable CSRF mitigation.
The following table shows example values for the configuration settings for CSRF prevention.
|Setting||Default setting||Sample setting|
|security/csrf/securedActivities||Blank||Data-Admin-Operator-ID.AddNewOperator, PegaAccel-Task-GenerateApp.CreateAllOperatoIds, Data-Admin-.pzCreateOperator, ReloadSection,GetLocationInFlow,PegaAccel-Task-DocumentApp.pzDocumentNow,@baseclass.WBGetRuleXmlWithKeys,getCorrInsert,PegaAccel-Task-DocumentApp.pzDocumentNow, @baseclass.WBGetRuleXmlWithKeys|
|security/csrf/securedStreams||Blank||@baseclass.ActionPreviousOperator, @baseclass.Operator-MenuPassword, Operator-Profile-ChangePassword|
The secureall setting can be too restrictive and might block valid requests in some cases. The following SQL query can be used to return a list of the activities that are likely to be included in all requests. Although the list is long, it can be specified in the value of the secured Activities Dynamic System Setting.
Select distinct(pyrulename) from rulesschema.pr4_rule where pxobjclass='Rule-Obj-Activity' and PYRULEAVAILABLE in ('Yes','Final') and PYINPUTMAYSTART = 'true'
Unique token generation and verification of the referenced header in a URL
Consider the following URL:
http://wpegaw7:8080/prweb/PRServlet/TAHJBMlezN2PlS_vY7_FYDZ_YYZfLifF*/!@ae520a0ced4965ca3b79b12289f8676b!STANDARD?pyActivity=ReloadSection&pzTransactionId=7652a16bdb6a4d64f335f83941289efd&pzFromFrame=&pzPrimaryPageName=py DisplayHarness&pyEncodedParameters=true&pzKeepPageMessages=false&BaseReference=&StreamList=pzRecentExplorer%7CRule-HTML-Section%7C%3A&bClientValidation=true&FieldError=&FormError=&pyCustomError=&PreActivity=&HeaderButtonSectionName= &inStandardsMode=true&AJAXTrackID=3&pzHarnessID=HID1388746272425
ae520a0ced4965ca3b79b12289f8676b– The token, which is checked by the Pega 7 Platform for validation.
STANDARD– The PRThread in whose context the request would be executed.
http://wpegaw7:8080– The current host on which the Pega 7 Platform is deployed.
The correct configuration in this case would be:
http://wpega2w7:8030,http://wpega3w7:8091,http://another.host.com– For the URLs on the allow list, referrer headers could be configured in a Dynamic System Setting.
TestSecuredActivityName, AnotherSecuredActivity– For the secured activities list.
SecuredStreamName, testStream– For the secured streams list.