3.14 Preventing Cross-Site Request Forgery Attacks

(Access Manager 5.0 Service Pack 1 and later)

The CSRFDetectionFilter filter inspects every request to Identity Server to detect and block Cross-Site Request Forgery (CSRF) attempts. By default, this filter is disabled.

The filter expects a session-wide anti-CSRF token in each request, sent as either a form parameter or a query parameter. If the token is not present, the filter falls back to the HTTP Referer header: the request is accepted only if the Referer host matches the server host or one of the configured exclusions (see RefererWhitelist below).

When the filter detects CSRF, Identity Server returns an HTTP 400 Bad Request error. When logging is enabled, the reason for each rejection is written to the log file (catalina.out).
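To make the rules above concrete, here is a small Python model of the decision the filter makes for one request. It is an added illustration, not NetIQ's code: the real filter is a Java servlet filter, and this page does not document the order in which it applies its checks or the name of the token parameter, so the check ordering and the parameter name csrfToken are assumptions. The hostnames, paths and token value are constructed sample data. The model also shows what happens when POST is added to RequestWhitelist, as in the example later on this page.

```python
"""Model of the CSRFDetectionFilter decision rules described on this page.

Added illustration, not NetIQ code: the real filter is a Java servlet filter
and the page does not document its check ordering or the token parameter
name, so both are assumptions here.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

TOKEN_PARAM = "csrfToken"  # assumed parameter name; the page does not state it


@dataclass
class FilterConfig:
    active: bool = False                             # init-param "active"
    exclude: Tuple[str, ...] = ("metadata",)         # "exclude": path fragments not checked
    referer_whitelist: Tuple[str, ...] = ()          # "RefererWhitelist": extra trusted hosts
    request_whitelist: Tuple[str, ...] = ("GET",)    # "RequestWhitelist": methods not checked


@dataclass
class Request:
    method: str
    path: str
    host: str                                        # host the request was addressed to
    params: Dict[str, str] = field(default_factory=dict)  # merged form + query parameters
    referer: Optional[str] = None                    # raw Referer header, if any


def csrf_check(cfg: FilterConfig, req: Request, session_token: str) -> Tuple[int, str]:
    """Return (HTTP status, reason): 200 lets the request through, 400 means CSRF detected."""
    if not cfg.active:
        return 200, "filter disabled"
    if req.method.upper() in {m.upper() for m in cfg.request_whitelist}:
        return 200, "method %s whitelisted" % req.method
    if any(fragment in req.path for fragment in cfg.exclude):
        return 200, "path excluded"
    # 1. The session-wide anti-CSRF token, carried as a form or query parameter.
    if req.params.get(TOKEN_PARAM) == session_token:
        return 200, "valid anti-CSRF token"
    # 2. No valid token: fall back to the Referer header, accepted only when it
    #    names the server host itself or a host listed in RefererWhitelist.
    if not req.referer:
        return 400, "no token and no Referer header"
    ref_host = (urlsplit(req.referer).hostname or "").lower()
    trusted = {req.host.lower(), *(h.lower() for h in cfg.referer_whitelist)}
    if ref_host in trusted:
        return 200, "Referer host %s accepted" % ref_host
    return 400, "no token and Referer host %r not trusted" % ref_host


SESSION_TOKEN = "3f9c1a7e"                      # constructed stand-in for the session token
IDP = "idp.example.com"                         # constructed Identity Server host
ATTACKER = "https://attacker.example/csrf.html"  # constructed cross-site origin


def demo() -> Dict[str, int]:
    """Run constructed requests through an enabled filter with a referer whitelist."""
    cfg = FilterConfig(active=True, exclude=("metadata", "saml2"),
                       referer_whitelist=("www.idp.com",))
    login = "/nidp/app/login"
    cases = {
        "post_with_token": Request("POST", login, IDP, {TOKEN_PARAM: SESSION_TOKEN}),
        "post_wrong_token": Request("POST", login, IDP, {TOKEN_PARAM: "bogus"}, ATTACKER),
        "post_same_host_referer": Request("POST", login, IDP, {}, "https://idp.example.com/nidp/app/login"),
        "post_whitelisted_referer": Request("POST", login, IDP, {}, "https://www.idp.com/start"),
        "post_cross_site": Request("POST", login, IDP, {}, ATTACKER),
        "post_no_referer": Request("POST", login, IDP, {}),
        "get_cross_site": Request("GET", login, IDP, {}, ATTACKER),
        "post_excluded_path": Request("POST", "/nidp/saml2/metadata", IDP, {}, ATTACKER),
    }
    return {name: csrf_check(cfg, req, SESSION_TOKEN)[0] for name, req in cases.items()}


def demo_post_whitelisted() -> int:
    """Whitelisting POST (as in the page's GET,POST example) exempts every POST request."""
    cfg = FilterConfig(active=True, request_whitelist=("GET", "POST"))
    req = Request("POST", "/nidp/app/login", IDP, {}, ATTACKER)
    return csrf_check(cfg, req, SESSION_TOKEN)[0]


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-26s -> %d" % (name, status))
    print("POST whitelisted, cross-site POST ->", demo_post_whitelisted())
```

The two failure modes worth noticing are the last two cases: a cross-site POST to an excluded path is never checked, and once POST is whitelisted a cross-site POST passes even with no token and a foreign Referer. Keep the exclude list to endpoints that must be reachable without a session (such as metadata) and leave RequestWhitelist at GET unless you are certain the added method carries no state-changing request.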

Perform the following steps to enable this filter:

  1. Open the Identity Server web.xml file.

    For information about how to edit a file, see Modifying Configurations in the NetIQ Access Manager Appliance 5.0 Administration Guide.

  2. Locate and uncomment the following snippet:

    <!--<filter>
        <filter-name>CSRFDetectionFilter</filter-name>
        <filter-class>com.novell.nidp.servlets.filters.csrf.CSRFDetectionFilter</filter-class>
        <description> This filter is used to detect CSRF attacks in NIDS, for an authenticated session</description>
        <init-param>
            <param-name>active</param-name>
            <param-value>False</param-value>
        </init-param>
        <init-param>
            <param-name>exclude</param-name>
            <param-value>metadata</param-value>
        </init-param>
        <init-param>
            <param-name>RefererWhitelist</param-name>
            <param-value></param-value>
        </init-param>
        <init-param>
            <param-name>RequestWhitelist</param-name>
            <param-value>GET</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CSRFDetectionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping> 
    -->

    The following parameters configure this filter:

    active

        Set this to True to enable the filter. The default is False.

    exclude

        A comma-separated list of path fragments that the filter does not verify. The default value is metadata.

        For example,

        <init-param>
            <param-name>exclude</param-name>
            <param-value>metadata,saml2</param-value>
        </init-param>

    RefererWhitelist

        A comma-separated list of domains or hostnames that the filter accepts in the Referer header in addition to the server host, for requests that carry no anti-CSRF token. The default is empty.

        For example,

        <init-param>
            <param-name>RefererWhitelist</param-name>
            <param-value>www.test.com,www.idp.com</param-value>
        </init-param>

    RequestWhitelist

        A comma-separated list of HTTP methods that the filter does not verify. By default only GET is whitelisted, so GET requests pass without a token or Referer check while POST requests are verified. Add a method here only if you are certain that no state-changing request uses it: whitelisting POST, as in the following example, exempts every POST request, including form submissions, from the check.

        For example,

        <init-param>
            <param-name>RequestWhitelist</param-name>
            <param-value>GET,POST</param-value>
        </init-param>

  3. Save the file.
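When the same change has to be applied to several Identity Servers, it is safer to script steps 2 and 3 than to edit each web.xml by hand. The following script is an added example, not a NetIQ tool: it uncomments the CSRFDetectionFilter block, sets active to True, fills in the three list parameters, and refuses to write anything that no longer parses as XML. The embedded web.xml is a constructed, simplified stand-in for the real file (it omits the deployment descriptor's namespace and every other element); the regex matching assumes the block still looks like the snippet shown in step 2.

```python
"""Enable CSRFDetectionFilter in an Identity Server web.xml by script.

Added example, not a NetIQ tool. It edits the file as text because the block
to enable sits inside an XML comment, then parses the result to make sure the
edit produced well-formed XML before it is written back.
"""
import re
import xml.etree.ElementTree as ET

# Constructed, simplified web.xml containing only the commented-out block from step 2.
SAMPLE_WEB_XML = """<web-app>
    <!--<filter>
        <filter-name>CSRFDetectionFilter</filter-name>
        <filter-class>com.novell.nidp.servlets.filters.csrf.CSRFDetectionFilter</filter-class>
        <description> This filter is used to detect CSRF attacks in NIDS, for an authenticated session</description>
        <init-param>
            <param-name>active</param-name>
            <param-value>False</param-value>
        </init-param>
        <init-param>
            <param-name>exclude</param-name>
            <param-value>metadata</param-value>
        </init-param>
        <init-param>
            <param-name>RefererWhitelist</param-name>
            <param-value></param-value>
        </init-param>
        <init-param>
            <param-name>RequestWhitelist</param-name>
            <param-value>GET</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CSRFDetectionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    -->
</web-app>
"""

# The whole commented-out block: <filter> through </filter-mapping>, wrapped in <!-- -->.
BLOCK_RE = re.compile(
    r"<!--\s*(?P<body><filter>\s*<filter-name>CSRFDetectionFilter</filter-name>"
    r".*?</filter-mapping>)\s*-->",
    re.DOTALL,
)


def set_param(filter_xml: str, name: str, value: str) -> str:
    """Replace the <param-value> of one init-param inside the filter block, exactly once."""
    pattern = re.compile(
        r"(<param-name>\s*%s\s*</param-name>\s*<param-value>)[^<]*(</param-value>)"
        % re.escape(name)
    )
    new, count = pattern.subn(lambda m: m.group(1) + value + m.group(2), filter_xml)
    if count != 1:
        raise ValueError("init-param %r not found exactly once" % name)
    return new


def enable_csrf_filter(web_xml: str, exclude=("metadata",), referer_whitelist=(),
                       request_whitelist=("GET",)) -> str:
    """Return web_xml with the CSRFDetectionFilter block uncommented and configured."""
    m = BLOCK_RE.search(web_xml)
    if m is None:
        raise ValueError("commented-out CSRFDetectionFilter block not found")
    body = m.group("body")
    body = set_param(body, "active", "True")
    body = set_param(body, "exclude", ",".join(exclude))
    body = set_param(body, "RefererWhitelist", ",".join(referer_whitelist))
    body = set_param(body, "RequestWhitelist", ",".join(request_whitelist))
    result = web_xml[:m.start()] + body + web_xml[m.end():]
    ET.fromstring(result)  # raise rather than hand Tomcat an unparsable web.xml
    return result


def csrf_filter_params(web_xml: str) -> dict:
    """Read back the filter's init-params; empty while the block is still commented out."""
    root = ET.fromstring(web_xml)
    for f in root.iter("filter"):
        if f.findtext("filter-name") == "CSRFDetectionFilter":
            return {p.findtext("param-name"): p.findtext("param-value") or ""
                    for p in f.findall("init-param")}
    return {}


if __name__ == "__main__":
    enabled = enable_csrf_filter(SAMPLE_WEB_XML, exclude=("metadata", "saml2"),
                                 referer_whitelist=("www.idp.com",))
    print(enabled)
    print(csrf_filter_params(enabled))
```

The read-back helper uses plain tag names; if the real web.xml declares a default namespace, ElementTree reports the tags as {namespace}filter and the helper needs the namespace prefix, while the text-based edit is unaffected. After the change, confirm that the filter is live by sending a POST to a protected page with no token and a Referer from another host: the expected response is HTTP 400, and with logging enabled the rejection reason appears in catalina.out.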

To Enable the CSRF Verification for the Password Class and TOTP Class

Access Manager provides the LOGIN CSRF CHECK option to verify CSRF attempts for the Password class and TOTP class. This applies to the default Access Manager pages. If you have customized any of these pages, you must add the anti-CSRF token to the customized page yourself.

For information about how to enable this property, see Managing a Cluster of Identity Servers > Configuring Identity Server Global Options in the NetIQ Access Manager Appliance 5.0 Administration Guide.