Cross-Site Request Forgery (CSRF) Prevention in Liferay

What is CSRF?

Cross-Site Request Forgery (CSRF)is a hidden attack that contains a malicious request. This is in top web vulnerabilities list because, the malicious request carries the identity, privileges, information and permissions of the victim to perform an proxy request on the victim's behalf. This can attack can be performed for any kind of operations like updating sensitive\confidential information, purchase something, transfer money etc.

More about CSRF

Prevention Measures

To prevent CSRF attack a general recommendation to use Synchronizer Token Pattern, which suggest to include a random token with all form actions and links associated to confidential server action/operations.

One random token should be generated for each session and must be stored in the session itself. On each incoming request, server must verify the existence and validity against the token stored in current session.

In case of token is not exist in the request or invalid, request must be aborted, token must be reset and incidence must be logged as a CSRF attack.

CSRF Prevention Mechanism in Liferay

Portal Authentication token mechanism is created to prevent CSRF attacks. This mechanism will include a parameter called p_auth containing random token in every action request.

Enable/Disable authentication token checking in portal

As this is a portal level setting, authentication token checking can be enabled or disabled by adding below property in portal properties.
auth.token.check.enabled=true

Setting Authentication Token Class

Custom authentication token class can be implemented to handle and avoid CSRF attacks. Custom authentication class must implement com.liferay.portal.security.auth.AuthToken.

com.liferay.portal.security.auth.SessionAuthToken is the default impelementation available in Liferay.

The class can be registered to portal context by adding below property in portal properties.
auth.token.impl=com.liferay.portal.security.auth.SessionAuthToken

Ignoring actions/portlets from token authentication check

A list of comma delimited struts actions or portlet ids can set to ignore authentication token check on them.

List of struts actions can be set by adding below property in portal properties.
auth.token.ignore.actions=\
    /blogs/edit_entry,\
    /blogs/edit_entry_discussion,\
    /blogs/rss

List of portlet ids can be set by adding below property in portal properties.
auth.token.ignore.portlets=82,87

Individual portlets can be ignored by adding below init parameter in portlet.xml

 check-auth-token
 false


Enjoy and Stay Protected.

Please do not print this unless its really needed. Recycle Paper and perform your role to save environment.
Is this content useful? leave appreciation, feedback, suggestions, issues as comments.

1 comment:

  1. Excellent focus on authentication part.

    Can you please explain more about how to test the application also ?

    ReplyDelete

Is this content helpful? Leave appreciation, feedback, suggestions, issues anything.