Query on Cross-Site Request Forgery (CSRF)


Hi OutSystems Engineers,

https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/How_OutSystems_Platform_helps_you_develop_secure_applications/05_Protecting_OutSystems_apps_from_Cross_Site_Request_Forgery_attacks

I understand from the above URL that OutSystems has built-in protection against CSRF. I would like to clarify whether CSRF is handled in both the Mobile app and the Web app of OutSystems. Is there anything I need to take note of as a developer to ensure that this protection is working as it is supposed to?


I would also like to understand where the CSRF token is stored. Is CSRF handled via the encrypted input value of "OSVSTATE" in forms?

Example: <input type="hidden" name="__OSVSTATE" id="__OSVSTATE" value="">

Knowing this allows me to identify false positives when doing Web vulnerability scanning.


Thanks a lot.

regards,

Yuan Fa


Hi Yuan,

I think mobile is also handled.

See https://success.outsystems.com/Documentation/10/Managing_the_Applications_Lifecycle/Secure_the_Applications/Configure_Mobile_App_Authentication

Verifying Authentication Cookies

When executing a server call, the mobile app sends the authentication cookies to the server, having a CSRF token in a “X-CSRF-Token” request header.

The server validates the request by checking the following conditions:

  1. The request includes the X-CSRF-Token header;
  2. The request contains the two authentication cookies;
  3. Cookies information is authentic and was not forged;
  4. Login expiration period has not been reached.

Regards,

Daniel
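The four conditions Daniel quotes describe a server-side check, so here is an added example of what such a check looks like in code. This is illustrative code written for this thread, not OutSystems' own implementation: the cookie names `auth1` and `auth2`, the HMAC-signed cookie format, the demo key and the extra step that binds the `X-CSRF-Token` value to the session are all assumptions of the example. It also shows why a cross-site request fails condition 1: the browser attaches the cookies automatically, but the forged request has no way to carry the custom header.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo secret; a real server would load this from protected configuration.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Placeholder cookie names for this example (not OutSystems' real cookie names).
# X-CSRF-Token is the header name quoted from the documentation in the thread.
AUTH_COOKIE = "auth1"
SESSION_COOKIE = "auth2"
CSRF_HEADER = "X-CSRF-Token"


def _sign(data: str) -> str:
    return hmac.new(SERVER_KEY, data.encode(), hashlib.sha256).hexdigest()


def _encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj, sort_keys=True).encode()).decode()


def _decode(body: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(body.encode()).decode())


def csrf_token_for(session_id: str) -> str:
    # Bind the token to the session so a token from one session cannot be reused on another.
    return _sign("csrf:" + session_id)


def issue_login(user: str, session_id: str, now: int, ttl: int = 3600) -> dict:
    """What the client holds after login: two signed cookies plus a CSRF token."""
    auth_body = _encode({"user": user, "exp": now + ttl})
    sess_body = _encode({"sid": session_id})
    return {
        "cookies": {
            AUTH_COOKIE: auth_body + "." + _sign(auth_body),
            SESSION_COOKIE: sess_body + "." + _sign(sess_body),
        },
        "csrf_token": csrf_token_for(session_id),
    }


def _verify_cookie(value: str) -> Optional[dict]:
    """Return the cookie payload if its signature is authentic, otherwise None."""
    if value.count(".") != 1:
        return None
    body, sig = value.split(".")
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    try:
        return _decode(body)
    except (ValueError, UnicodeDecodeError):
        return None


def validate_server_call(headers: dict, cookies: dict, now: int) -> Tuple[bool, str]:
    """Apply the four conditions from the thread in order; return (accepted, reason)."""
    # 1. The request includes the X-CSRF-Token header.
    token = headers.get(CSRF_HEADER)
    if not token:
        return False, "missing X-CSRF-Token header"
    # 2. The request contains the two authentication cookies.
    if AUTH_COOKIE not in cookies or SESSION_COOKIE not in cookies:
        return False, "missing authentication cookie"
    # 3. Cookie information is authentic and was not forged.
    auth = _verify_cookie(cookies[AUTH_COOKIE])
    sess = _verify_cookie(cookies[SESSION_COOKIE])
    if auth is None or sess is None:
        return False, "cookie signature invalid"
    # 4. Login expiration period has not been reached.
    if now >= auth["exp"]:
        return False, "login expired"
    # Added binding check (assumption of this example): the token must be the one
    # issued for this session, compared in constant time.
    if not hmac.compare_digest(token, csrf_token_for(sess["sid"])):
        return False, "CSRF token does not match session"
    return True, "ok"


if __name__ == "__main__":
    login = issue_login("alice", "sess-123", now=1_700_000_000)
    # Legitimate call from the app: cookies plus the header it set itself.
    print(validate_server_call({CSRF_HEADER: login["csrf_token"]}, login["cookies"], now=1_700_000_100))
    # Cross-site request: the browser sends the cookies, but the header is absent.
    print(validate_server_call({}, login["cookies"], now=1_700_000_100))
```

When reviewing scanner findings, the useful question is which of these conditions a given request would fail: a request that carries valid cookies but no header is exactly the case the header check exists for, so a scanner that only observes the cookies being sent is not, by itself, evidence of a CSRF weakness.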

Hi Daniel,

Thanks for the reply. Actually, I am more curious about the web aspect of OutSystems.

Does this mean that the web app uses the same technique as the mobile app to handle CSRF, by having a CSRF token in an "X-CSRF-Token" request header?

regards,

Yuan Fa

