Manualshelf

HP FutureSmart - Preventing cross site request forgery (CSRF) attack using CSRF-tokens (white paper)

ManualsBrandsHP ManualsPrint & ScanCE708A
1234567
6
Impact on Software Tools and Solutions
Any web client, whether it is an embedded solution hosted on the device or an external software, will be impacted by the
CSRF security measures when enforced by the device. All HTTP POST requests will be scrutinized by the Embedded Web
Server for CSRF vulnerability (when the CSRF Protection is enforced). If the POST request fails the vulnerability check,
the requests will be rejected with HTTP error code 403. This will break the solutions installed on the device. If such a
request is originating from an external software client, the software client’s functionality will be broken. The web clients
MUST take measures so that they continue to work when CSRF protection if enforced on the device.
Here is what is expected from the solutions and software tools
I. Client MUST have a valid CSRFToken in the HTTP form data.
II. CSRFTokens are unique per HTTP session. SessionId and Token are a pair. Token needs to be fetched by the
client using GET before the POST.
III. Origin and Referer are not mandatory headers. If the web client is including these headers, it MUST have trusted
host-FQDN.
How to address it in Solutions
When the CSRF Prevention feature is enabled, the EWS within the device will require a CSRFToken parameter to be
present in any HTTP POST request. This CSRFToken must match the value originally provided to the client via a previous
HTTP GET request. There are two ways in which a Level-1 EWS controller may generate a valid CSRFToken parameter.
Using a Velocity Template for EWS Content
If the Level-1 solution is using a Velocity template to render the HTML content for a client’s HTTP GET request, then the
template may simply be modified to reference a new FutureSmart Velocity directive in order to have the CSRFToken
generated. This directive is:
$Security.GetCSRFToken()
The form input is expected to have the name “CSRFToken”, so in order to generate the complete input tag simply include
the following content within the HTML form definition:
<input type="hidden" id="CSRFToken" name="CSRFToken" value="$Security.GetCSRFToken()" />
Programmatically Generating the CSRF Token
If the Level-1 solution is NOT using Velocity templates to generate content, the CSRF Token may be pulled out of the
IExtHttpSessionState instance of the ExtContext. Specifically, when executing on a FW version that supports the CSRF
Prevention feature, the CSRF token will present in the session data. The following code demonstrates one mechanism in
which it can be pulled out of the header for subsequent use in generating HTML content to return to the client: