Securing DSPs Against CSRF Attacks
Integration Server adds CSRF secure tokens in DSPs dynamically thereby ensuring that the custom DSPs are secured against CSRF attacks.
However, Integration Server does not insert CSRF secure tokens in custom DSPs that set the location through the JavaScript Location object, such as document.location and window.location.href. You must update these pages manually.
For example, if you have the following code in your custom DSP:
document.location="ldap-settings.dsp";
You must replace it with the following code, enabling the GET request:
if (is_csrf_guard_enabled && needToInsertToken) {
    document.location = "ldap-settings.dsp?"
        + _csrfTokenNm_ + "=" + _csrfTokenVal_;
} else {
    document.location = "ldap-settings.dsp";
}
You do not have to define the JavaScript variables _csrfTokenNm_, _csrfTokenVal_, is_csrf_guard_enabled, and needToInsertToken. However, if your DSP does not already import /WmRoot/webMethods.js, you must import Integration Server_directory/WmRoot/csrf-guard.js into the DSP before using these variables.
In GET requests, Integration Server inserts the CSRF secure token in the URL, so the token is visible in the URL. When the CSRF guard is enabled (Security > CSRF guard page in the webMethods Integration Server Administrator), Software AG recommends that you replace GET requests with POST requests to further secure the DSPs. POST requests eliminate the risk of sending the CSRF secure token in a URL. To replace a GET request with a POST request, pass the values as HTML form properties. To create a new HTML form and set its properties, use the createForm(<FORM_ID>, <ACTION>, "POST", <PARENT_TAG>) and setFormProperty(<FORM_ID>, <PROPERTY_ID>, <PROPERTY_VALUE>) methods defined in webMethods.js.
For example, if the CSRF guard is enabled, to convert the above GET request code to POST, replace it with the following code:
Note:
If the CSRF guard is disabled, continue to use the GET request.
if (is_csrf_guard_enabled && needToInsertToken) {
    createForm("htmlForm_listeners", "ldap-settings.dsp", "POST", <PARENT_TAG>);
    setFormProperty("htmlForm_listeners", _csrfTokenNm_, _csrfTokenVal_);
    htmlForm_listeners.submit();
} else {
    document.location = "ldap-settings.dsp";
}
The <PARENT_TAG> placeholder is head or body, depending on whether this code is in the head or the body of the DSP.
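The GET-versus-POST decision described above, as an added example that is not code from webMethods.js or csrf-guard.js: it models the same branch as pure functions so it can run outside a browser, and shows the token ending up in a hidden form field (POST) rather than in the query string (GET). The names planNavigation, renderHiddenForm, escapeAttr and the sample context object are assumptions; the token value is a constructed placeholder.

```javascript
// Added example (not from webMethods.js): models the GET-vs-POST decision the
// DSP snippets make, as pure functions so it runs without a DOM.
// Names planNavigation, renderHiddenForm and escapeAttr are assumptions.

// Minimal HTML attribute escaping so a token or parameter value cannot break
// out of the generated form markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// csrfContext mirrors the variables csrf-guard.js provides to a DSP:
// is_csrf_guard_enabled, needToInsertToken, _csrfTokenNm_, _csrfTokenVal_.
function planNavigation(csrfContext, target, params) {
  const fields = Object.assign({}, params);
  if (csrfContext.is_csrf_guard_enabled && csrfContext.needToInsertToken) {
    // Guard on: carry the token as a form field so it never appears in the
    // URL, the Referer header, browser history or server access logs.
    fields[csrfContext._csrfTokenNm_] = csrfContext._csrfTokenVal_;
    return { method: "POST", action: target, fields: fields };
  }
  // Guard off: plain GET with URL-encoded parameters in the query string.
  const query = Object.keys(fields)
    .map(k => encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]))
    .join("&");
  return { method: "GET", url: query ? target + "?" + query : target };
}

// Renders a POST plan as the hidden form createForm/setFormProperty would
// build, with every attribute value escaped.
function renderHiddenForm(formId, plan) {
  if (plan.method !== "POST") throw new Error("only POST plans become forms");
  const inputs = Object.keys(plan.fields)
    .map(k => '<input type="hidden" name="' + escapeAttr(k) +
              '" value="' + escapeAttr(plan.fields[k]) + '">')
    .join("");
  return '<form id="' + escapeAttr(formId) + '" method="POST" action="' +
         escapeAttr(plan.action) + '">' + inputs + '</form>';
}

// Constructed sample context; the token value is a placeholder, not real.
const sampleContext = {
  is_csrf_guard_enabled: true,
  needToInsertToken: true,
  _csrfTokenNm_: "secureCSRFToken",
  _csrfTokenVal_: "EXAMPLE-TOKEN-VALUE",
};
```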
Integration Server inserts CSRF secure tokens into links in DSPs only if those links point to a DSP. If a link does not point to a DSP, you must update it manually to include the CSRF secure token. For example, if you have the following code in your DSP:
<a href="/invoke/wm.sap.Transaction/viewAs?type=xml"></a>
If the CSRF guard is enabled, to convert it to a POST request, create a new HTML form as shown below and change the link in the DSP:
Note:
If the CSRF guard is disabled, continue to use the GET request.
if (is_csrf_guard_enabled && needToInsertToken) {
    createForm("htmlform_transactionView",
        "/invoke/wm.sap.Transaction/viewAs", "POST", <PARENT_TAG>);
    setFormProperty("htmlform_transactionView", "type", "xml");
    setFormProperty("htmlform_transactionView", _csrfTokenNm_, _csrfTokenVal_);
    <a href="javascript:document.htmlform_transactionView.submit();"></a>
} else {
    <a href="/invoke/wm.sap.Transaction/viewAs?type=xml"></a>
}
If a link in a DSP points to another DSP, Integration Server automatically inserts the CSRF secure token into the link. To further enhance security, it is recommended that, when the CSRF guard is enabled, you convert such a link into a POST request. For example, if you have the following code in your DSP:
<a href="security-ports-add.dsp">
After Integration Server inserts the CSRF secure token in the URL, the code is changed to the following:
<a href="security-ports-add.dsp?secureCSRFToken=<token_id>">
If the CSRF guard is enabled, to convert it to a POST request, create a new HTML form as shown below and change the link in the DSP:
Note:
If the CSRF guard is disabled, continue to use the GET request.
if (is_csrf_guard_enabled && needToInsertToken) {
    createForm("htmlform_security_ports", "security-ports-add.dsp", "POST", <PARENT_TAG>);
    setFormProperty("htmlform_security_ports", "action", "add");
    <a href="javascript:document.htmlform_security_ports.submit();">Add Port</a>
} else {
    <a href="security-ports-add.dsp?action=add">Add Port</a>
}
For more information about configuring the CSRF guard in Integration Server, see the webMethods Integration Server Administrator's Guide.