HP FutureSmart - Preventing cross site request forgery (CSRF) attack using CSRF-tokens (white paper)

ManualsBrandsHP ManualsPrint & ScanCE708A

Public

Technical white paper

Preventing Cross Site Request Forgery (CSRF)

Attack using CSRF-Tokens on HP Printing

Devices

Table of contents

Introduction 2

Detailed Description 2

CSRF Configuration on HP FutureSmart Printers 3

CSRFToken in HTTP POST Requests 5

Impact on Software Tools and Solutions 6

How to address it in Solutions 6

Using a Velocity Template for EWS Content 6

Programmatically Generating the CSRF Token 6

References 7

Summary of content (7 pages)

PAGE 1
Technical white paper Preventing Cross Site Request Forgery (CSRF) Attack using CSRF-Tokens on HP Printing Devices Table of contents Introduction 2 Detailed Description 2 CSRF Configuration on HP FutureSmart Printers 3 CSRFToken in HTTP POST Requests 5 Impact on Software Tools and Solutions 6 How to address it in Solutions Using a Velocity Template for EWS Content Programmatically Generating the CSRF Token 6 6 6 References 7 Public
PAGE 2
Introduction Cross-Site Request Forgery (CSRF) is an exploit which hijacks the authenticated user session to send unauthorized requests to a server. For the server receiving the requests, it appears that the action is initiated by an authenticated user. The actions could weaken the security of the server which a hacker can exploit to take control over the server. Browsers are inherently trusted and are designed to cache the authenticated session cookie (until it expires).
PAGE 3
The Server verifies if the token from the client matches the token provided earlier to the client for the current session. If the token is not-present or not-correct, the request would be rejected with “HTTP 403” error. If the “CSRFToken” is correct, the application request would be processed further. CSRF Configuration on HP FutureSmart Printers HP FutureSmart devices enforce CSRF protection by default.
PAGE 4
This security feature would have impact on any SW Tools or Solutions that uses HTML form data directly in HTTP POST; aka “Screen Scraping” to manage settings on the devices. Origin/Referer header or CSRFToken must be present without which request will not be serviced. Note: CSRF Protection can be disabled from the EWS or using WS*. The EWS page configuration setting under the “Security” tab is shown below. The default setting is enabled.
PAGE 5
CSRFToken in HTTP POST Requests CSRFTokens are cryptographically random values generated by the printer’s web server. Further, these tokens are unique to every EWS session. The client must first fetch the token from the printer using an HTTP GET request. During the GET request the device generates a SessionId (if not already included in GET request) and a mapping CSRFToken. The CSRFToken is included as a hidden form value with tag CSRFToken.
PAGE 6
Impact on Software Tools and Solutions Any web client, whether it is an embedded solution hosted on the device or an external software, will be impacted by the CSRF security measures when enforced by the device. All HTTP POST requests will be scrutinized by the Embedded Web Server for CSRF vulnerability (when the CSRF Protection is enforced). If the POST request fails the vulnerability check, the requests will be rejected with HTTP error code 403. This will break the solutions installed on the device.
PAGE 7
public class Level1Controller : ExtWebContentControllerBase { ///
/// web request entry point ///
public override void Load() { string token = string.Empty; if (ExtContext.SessionState.GetData.ContainsKey("CSRFToken") && ExtContext.SessionState.GetData["CSRFToken"] != null) { token = SessionState.GetData["CSRFToken"].