Manish Yadav
Prevent CSRF attack
July 25, 2013 7:02 AM
Rank: Expert

Posts: 384

Join Date: May 26, 2012


Hi,
I want to use the authentication token to prevent Cross Site Request Forgery. It should be included in actions requests. I tried to put:
auth.token.ignore.actions=
session.enable.url.with.session.id=false
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true
auth.token.impl=com.liferay.portal.security.auth.SessionAuthToken


in portal-ext.properties, but unfortunately it didn't work. What is missing? (I'm using Liferay 6.1 GA2)

Regards,
Manish Banwari lal Yadav
Tomas Polesovsky
RE: Prevent CSRF attack
July 25, 2013 8:12 AM
LIFERAY STAFF

Rank: Liferay Master

Posts: 578

Join Date: February 13, 2009


Hi Manish,

In 6.1 GA2 the token should be present in action URLs OOTB.

There are 2 whitelists that can prevent adding the p_auth token into URL:
1, auth.token.ignore.actions
2, auth.token.ignore.portlets

What exactly doesn't work?

Best,
-- tom +
Manish Yadav
RE: Prevent CSRF attack
July 25, 2013 1:19 PM

Thanks Tomas for your quick response

I'm not using either of the properties below in portal-ext.properties, and I also checked with empty values for them:

auth.token.ignore.actions
auth.token.ignore.portlets


I'm using the server resource (AJAX) method for submitting the form. Is there any way to append that parameter to the URL for the server resource method?

In addition to the above, I checked the My Account portlet also. There is no p_auth value in the URL.

Thanks In Advance
Manish Yadav

Attachments: liferay_p_paramter.png (28.8k)
Tomas Polesovsky
RE: Prevent CSRF attack
July 25, 2013 1:42 PM

Ahh, got it

You are right, we don't check p_auth in resource serving.

To implement CSRF checking you need 2 things:
1, Include it into URL when submitting
2, Check it on server side and deny access to the resource when the token is invalid

For #1:
In 6.1 GA2 there is a global JS variable named Liferay.authToken. It contains the CSRF token; you can use it from your JS and include it in the resource request call.

For #2:

It's up to you where you check it. Some thoughts:
* I don't think it's good to check it on a global portal level; this could make the portal unstable
* It's better to check it only for the portlet/functionality you want to guard.

To the implementation:
- I'd create a portlet filter for the resource phase
- there I'd check the CSRF token - use AuthTokenUtil.getToken(PortalUtil.getHttpServletRequest(resourceRequest)) to obtain the token

You can then only map the filter to portlet(s) you want to guard using the CSRF token.

I hope it works, I didn't try it

-- tom +
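One way to implement #1 and #2 above, as an added example (not Tomas's code and not Liferay's own): a resource-phase portlet filter that compares the p_auth parameter the client sends with AuthTokenUtil.getToken(...) and answers 403 on mismatch. Assumptions: the class name and the portlet name in the portlet.xml mapping are hypothetical, the client-side JS (step #1) appends p_auth=Liferay.authToken to the resource URL, and p_auth is read via PortalUtil.getOriginalServletRequest because it is not a namespaced portlet parameter.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.portlet.PortletException;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;
import javax.portlet.filter.FilterChain;
import javax.portlet.filter.FilterConfig;
import javax.portlet.filter.ResourceFilter;
import javax.servlet.http.HttpServletRequest;
import com.liferay.portal.security.auth.AuthTokenUtil;
import com.liferay.portal.util.PortalUtil;

/**
 * Resource-phase filter (hypothetical class) that rejects serveResource calls
 * whose p_auth parameter does not equal the session's CSRF token.
 * Map it only to the portlet(s) you want to guard, in portlet.xml:
 *   <filter><filter-name>csrf</filter-name>
 *     <filter-class>CsrfResourceFilter</filter-class>
 *     <lifecycle>RESOURCE_PHASE</lifecycle></filter>
 *   <filter-mapping><filter-name>csrf</filter-name>
 *     <portlet-name>my-portlet</portlet-name></filter-mapping>
 */
public class CsrfResourceFilter implements ResourceFilter {
    public void init(FilterConfig filterConfig) throws PortletException {}
    public void destroy() {}

    public void doFilter(ResourceRequest request, ResourceResponse response,
            FilterChain chain) throws IOException, PortletException {
        // Token Liferay generated for this session (the value behind Liferay.authToken).
        HttpServletRequest httpRequest = PortalUtil.getHttpServletRequest(request);
        String expected = AuthTokenUtil.getToken(httpRequest);
        // p_auth is not namespaced, so read it from the original servlet request;
        // the client (step #1) appends p_auth=Liferay.authToken to the resource URL.
        String submitted = PortalUtil.getOriginalServletRequest(httpRequest)
            .getParameter("p_auth");
        if (!tokensMatch(expected, submitted)) {
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "403");
            return; // deny: serveResource is never invoked
        }
        chain.doFilter(request, response);
    }

    // Comparison without early exit on the first differing byte; a missing token never matches.
    static boolean tokensMatch(String expected, String submitted) {
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
            submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```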
Mikhail Zheludev
RE: Prevent CSRF attack
August 8, 2013 3:41 AM
Rank: Junior Member

Posts: 43

Join Date: January 8, 2013


Tomáš,


For #1:
In 6.1 GA2 there is a global JS variable named Liferay.authToken. It contains CSRF token you can use from your JS and include it into the resource request call.


How it can be implemented for GA1 ?
Tomas Polesovsky
RE: Prevent CSRF attack
August 8, 2013 6:59 AM

Mihail Zheludev:
Tomáš,


For #1:
In 6.1 GA2 there is a global JS variable named Liferay.authToken. It contains CSRF token you can use from your JS and include it into the resource request call.


How it can be implemented for GA1 ?


It's value of AuthTokenUtil.getToken(request) - https://github.com/liferay/liferay-portal/blob/6.1.1-ga2/portal-web/docroot/html/common/themes/top_js.jspf#L303

To have it the same as it is in 6.1 GA2, I'd create a JSP Hook which runs with each page (as it is with top_js.jspf) and initialize the JS variable there.

You can also put it into Theme that you use or your portlet.
Mikhail Zheludev
RE: Prevent CSRF attack
August 9, 2013 5:52 AM

Tomáš Polešovský,

Thanks!
Mikhail Zheludev
RE: Prevent CSRF attack
August 30, 2013 12:07 AM

Tomáš Polešovský,

Can you tell, does GA1 implement this protection by default for render and action requests?
Tomas Polesovsky
RE: Prevent CSRF attack
September 2, 2013 5:08 AM

Mihail Zheludev:
Tomáš Polešovský,

Can you tell, does GA1 implement this protection by default for render and action requests?


Yes, but only for action requests. Portlet render requests should not change portlet state.
Mikhail Zheludev
RE: Prevent CSRF attack
September 3, 2013 12:38 AM

Thanks a lot!
Marcus Högberg
RE: Prevent CSRF attack
September 6, 2013 1:33 AM
Rank: New Member

Posts: 1

Join Date: September 6, 2013


We've had a security company run penetration tests on our site and their report indicates that the "Document and media" portlet is vulnerable to CSRF attacks.
Does anybody know why "document_library/edit_file_entry" is put under auth.token.ignore.actions? Is it safe to remove this struts action from the ignore list?
Tomas Polesovsky
RE: Prevent CSRF attack
September 9, 2013 1:27 AM

Hi Marcus,

I believe that is because of some limitation of the flash file uploader. But it's possible that this was already fixed and is there only for historical reasons.
Tomas Polesovsky
RE: Prevent CSRF attack
February 9, 2014 6:45 AM

Hi Long,

Long Nguyen Hai:
Tomáš Polešovský:

For #1:
In 6.1 GA2 there is a global JS variable named Liferay.authToken. It contains CSRF token you can use from your JS and include it into the resource request call.

Hi,
As I understand it, this token might have been implemented as a method of protecting against cross-site request forgeries.


True.

Long Nguyen Hai:
While this method does provide some protection, it is easily bypassed since the token is stored in an object in the JavaScript called Liferay.authToken.


I don't believe it can be easily bypassed with nowadays browsers (without modifying victim's browser, sniffing traffic, using other vulnerability in browser / portal, etc.).

Can you share your idea of how such a CSRF attack would look?

Long Nguyen Hai:
So with this token can users have the server execute Ruby,Python,Javascript,Groovy and Beanshell ?


The token isn't directly related to server-side scripting. It's just a protection against CSRF.

Admins are able to execute the scripting from Control panel Console or you can implement such functionality yourself inside your plugin. See https://www.liferay.com/documentation/liferay-portal/6.2/user-guide/-/ai/using-scripting-for-advanced-flexibilit-liferay-portal-6-2-user-guide-19-en