Securing DSPs Against CSRF Attacks

However, Integration Server does not insert CSRF secure tokens in custom DSPs that use the JavaScripts Location object such as document.location and window.location.href. You must update these pages manually.

For example, if you have the following code in your custom DSP:

You must replace it with the following code, enabling the GET request:

if(is_csrf_guard_enabled && needToInsertToken) {
document.location="ldap-settings.dsp?"
+ _csrfTokenNm_ + "=" + _csrfTokenVal_;
} else {
document.location="ldap-settings.dsp";
}

You do not have to define the JavaScript variables _csrfTokenNm_, _csrfTokenVal_, is_csrf_guard_enabled, and needToInsertToken. But, you must import Integration Server_directory /WmRoot/csrf-guard.js to your DSP before using these variables, if you have not already imported /WmRoot/webMethods.js.

In GET requests, Integration Server inserts the CSRF secure token in the URL, thus displaying the CSRF secure token. When the CSRF guard is enabled (Security > CSRF Guard page in the webMethods Integration Server Administrator), to further secure the DSPs, Software AG recommends that you replace the GET requests with POST requests. POST requests eliminate the risk of sending the CSRF secure tokens in URLs. To replace a GET request by a POST request, pass the values as HTML form properties. To create new HTML form and set the properties in the form, use the createForm(<FORM_ID>, <ACTION>, "POST", <PARENT_TAG>) and setFormProperty(<FORM_ID>, <PROPERTY_ID>, <PROPERTY_VALUE>) methods defined in JavaScript webMethods.js.

For example, if the CSRF guard is enabled, to convert the above GET request code to POST, replace it with the following code:

if(is_csrf_guard_enabled && needToInsertToken)
{
createForm("htmlForm_listeners ", 'ldap-settings.dsp', "POST", <PARENT_TAG>);
setFormProperty(“htmlForm_listeners”, _csrfTokenNm_, _csrfTokenVal_);
htmlForm_listeners.submit();
} else {
document.location="ldap-settings.dsp";
}

The <PARENT_TAG> can be head or body based on whether this code belongs to head or body of the DSP.

Integration Server inserts CSRF secure tokens in the links in DSPs only if these links point to a DSP. If these links do not point to a DSP, you must update these links manually to include the CSRF secure tokens. For example, if you have the following code in your DSP:

If the CSRF guard is enabled, to convert it to POST request, create a new HTML form as shown below and change the link in the DSP:

if(is_csrf_guard_enabled && needToInsertToken)
{
createForm(“htmlform_transactionView”,
“="/invoke/wm.sap.Transaction/viewAs”, POST, <PARENT_TAG>);
setFormProperty(“htmlform_transactionView”, “type” “xml”);
setFormProperty(“htmlform_transactionView”, _csrfTokenNm_, _csrfTokenVal_);
<a href=”javascript:document.htmlform_transactionView.submit();></a>
} else {
<a href="/invoke/wm.sap.Transaction/viewAs?type=xml</a>
}

If the links in DSP point to another DSP, Integration Server automatically inserts CSRF secure token in the links. To further enhance the security, it is recommended that you convert the link in DSP as a POST request if it points to another DSP, provided the CSRF guard is enabled. For example, if you have the following code in your DSP:

After Integration Server inserts the CSRF secure token in the URL, the code is changed to the following:

If the CSRF guard is enabled, to convert it to POST request, create a new HTML form as shown below and change the link in the DSP:

if(is_csrf_guard_enabled && needToInsertToken) {
createForm(“htmlform_security_ports”, “security-ports-add.dsp”, “POST”, <PARENT_TAG>);
setFormProperty(“htmlform_security_ports”, “action”, “add”);
<a href="javascript:document.htmlform_security_ports.submit();">Add Port</a>
} else {
<a href="security-ports-add.dsp?action=add">Add Port</a>
}