Hi OutSystems Engineers,
https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/How_OutSystems_Platform_helps_you_develop_secure_applications/05_Protecting_OutSystems_apps_from_Cross_Site_Request_Forgery_attacks
I understand from the above URL that OutSystems has built-in protection against CSRF. I would like to clarify whether CSRF is handled in both the mobile apps and the web apps of OutSystems. Is there anything I need to take note of as a developer to ensure that this protection is working as it is supposed to?
I would also like to understand where the CSRF token is stored. Is CSRF handled via the encrypted input value of "__OSVSTATE" in forms?
Example: <input type="hidden" name="__OSVSTATE" id="__OSVSTATE" value="">
Knowing this allows me to identify false positives when doing Web vulnerability scanning.
Thanks a lot.
regards,
Yuan Fa
Hi Yuan,
I think mobile is also handled.
See https://success.outsystems.com/Documentation/10/Managing_the_Applications_Lifecycle/Secure_the_Applications/Configure_Mobile_App_Authentication
When executing a server call, the mobile app sends the authentication cookies to the server, having a CSRF token in a “X-CSRF-Token” request header.
The server validates the request by checking the following conditions:
Regards,
Daniel
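The cookie-plus-header pattern Daniel describes, as an added illustration that is not OutSystems' own code: a server-side check that accepts a state-changing request only when the session cookie is valid and the X-CSRF-Token header matches the token bound to that session. The session store, token values and the specific checks are constructed assumptions, not the platform's documented conditions.

```python
import hmac
from http.cookies import SimpleCookie

# Constructed server-side state (assumption): session id -> CSRF token issued at login.
SESSIONS = {"sess-abc123": "tok-9f8e7d6c"}


def parse_cookies(cookie_header: str) -> dict:
    """Parse a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def validate_request(headers: dict) -> tuple:
    """Return (accepted, reason) for a state-changing request.

    Checks (assumed for this illustration, not OutSystems' documented list):
    1. a session cookie naming a known session is present,
    2. an X-CSRF-Token header is present,
    3. the header value equals the token bound to that session (constant-time compare).
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cookies = parse_cookies(h.get("cookie", ""))
    session_id = cookies.get("session")
    if session_id not in SESSIONS:
        return False, "no valid session cookie"
    token = h.get("x-csrf-token")
    if not token:
        return False, "missing X-CSRF-Token header"
    if not hmac.compare_digest(token, SESSIONS[session_id]):
        return False, "token does not match session"
    return True, "ok"


# Constructed sample requests. A cross-site page can make the browser attach the
# session cookie automatically, but it cannot add a custom X-CSRF-Token header,
# which is why the header check blocks the forged request.
LEGITIMATE = {"Cookie": "session=sess-abc123", "X-CSRF-Token": "tok-9f8e7d6c"}
CROSS_SITE = {"Cookie": "session=sess-abc123"}
WRONG_TOKEN = {"Cookie": "session=sess-abc123", "X-CSRF-Token": "tok-00000000"}

if __name__ == "__main__":
    for name, req in [("legitimate", LEGITIMATE), ("cross-site", CROSS_SITE), ("wrong-token", WRONG_TOKEN)]:
        print(name, validate_request(req))
```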
Hi Daniel,
Thanks for the reply. Actually, I am more curious about the web aspect of OutSystems.
Does this mean that web apps use the same technique as mobile apps to handle CSRF, by having a CSRF token in an "X-CSRF-Token" request header?
Daniël Kuhlmann wrote:
Please read at (A8) in document https://success.outsystems.com/Evaluation/Security/02_Security_of_OutSystems_applications/00_Building_secure_applications_with_OutSystems