IDP Implementing CSRF Protection

Blank 25/8/2021 16:24 - 25/8/2021 16:24
Developers Security

Cross-site request forgery (CSRF) is an attack in which a user is tricked into visiting a malicious site. That site usually contains a hidden form that submits to the target site, and it exploits the fact that the user is probably already logged in to the target site: the browser sends the user's existing session along with the submission, so the form submit will probably be accepted.

An attacker can design that form to gain access to the victim's account, e.g. by changing the user's email address or password.

With Kademi's IDP framework you can configure rules that protect against these attacks by injecting a token (e.g. a large random number) into each form; when a form is submitted, IDP validates that the token is present and valid. Because a third-party site cannot obtain a valid token, this prevents attackers from abusing these forms from their own sites.

The example below shows how to configure IDP to accept tokens for 60 minutes.

It has two configured keys. The configuration allows several keys so that you can roll over from old keys to new ones.

Example IDP config

    <rule>
      <!-- Match any POST request that does not carry a valid CSRF token -->
      <expression class="and">
        <expression class="method" method="POST"/>
        <expression class="not">
          <expression class="valid-csrf"/>
        </expression>
      </expression>
      <!-- Reject the request and record it -->
      <action class="multiAction">
        <abort/>
        <log/>
      </action>
    </rule>
    <properties>
      <entry>
        <!-- Keys used to generate and validate tokens; list old and new keys during rollover -->
        <string>csrfKeys</string>
        <list>
          <string>mykey1abc</string>
          <string>mykey2xxx</string>
        </list>
      </entry>
      <entry>
        <!-- How long an issued token remains valid, in minutes -->
        <string>csrfValidMins</string>
        <int>60</int>
      </entry>
    </properties>
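The mechanics the rule above relies on, as an added illustration that is not IDP's own code: a token bound to the session and signed with one of the configured csrfKeys, accepted only within csrfValidMins and checked against every listed key so that tokens issued under an old key keep working during rollover. The "timestamp.HMAC" token format and the session binding are assumptions; this page does not document IDP's actual token format.

```python
import hmac
import hashlib
import time

# Constructed values mirroring the config above (not IDP's real token scheme).
CSRF_KEYS = ["mykey1abc", "mykey2xxx"]  # newest key first; old keys kept for rollover
CSRF_VALID_MINS = 60


def _mac(key, session_id, issued):
    # Assumed binding: the token authenticates (session, issue time) under one key.
    msg = f"{session_id}|{issued}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


def make_token(session_id, key=None, now=None):
    """Issue a token "<issued_ts>.<hmac>" signed with the newest key by default."""
    key = CSRF_KEYS[0] if key is None else key
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_mac(key, session_id, issued)}"


def valid_csrf(token, session_id, now=None):
    """Mirror of <expression class="valid-csrf"/>: any configured key, inside the window."""
    now = time.time() if now is None else now
    try:
        issued_str, mac = token.split(".", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False  # malformed token
    if issued > now or now - issued > CSRF_VALID_MINS * 60:
        return False  # expired, or timestamp in the future
    # Try every key so tokens issued before a key rotation are still accepted.
    return any(hmac.compare_digest(_mac(k, session_id, issued), mac) for k in CSRF_KEYS)


def should_abort(method, token, session_id, now=None):
    """Mirror of the rule: abort (and log) when the request is a POST without a valid token."""
    return method.upper() == "POST" and not valid_csrf(token, session_id, now)
```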