How to create and validate CSRF tokens in traditional web applications

Rank: #439

Solved

How to create and validate CSRF tokens in traditional web applications

Question

Hi,

I am working on a traditional web application and client arranged a third party VPAT testing. In the result of testing we got one issue related to Cross site request Forgery (CSRF). Their suggestion is : Properly validate CSRF tokens for all requests.

When I searched for this for OutSystems then found it is enable by default on OutSysetms 10 or after. So am not sure how to implement it. Please suggest.

Regards

on 2020-10-30

Nordin Ahdi

mvp_badge

MVP

Rank: #71

Solution

Hi Vikas,

The OutSystems platform already has built-in protection against CSRF attacks.

For more information check out this article.

https://success.outsystems.com/Support/Security/How_the_OutSystems_Platform_Helps_You_Develop_Secure_Applications/Protecting_OutSystems_apps_from_Cross_Site_Request_Forgery_attacks

Regards,

Nordin

on 2020-10-30

Vikas Sharma

Rank: #439

Hi Nordin,

Thanks for update. But do we need to enable it manually or something which we need to enable from service center or lifetime for this. As you said its already in built but am not sure why VPAT testing result showing this vulnerability. Kindly suggest.

Regards

on 2020-10-30

1 reply

on 2020-10-30

Show thread

Hide thread

Nordin Ahdi

mvp_badge

MVP

Rank: #71

Hi Vikas,

No you do not need to enable anything. This is automatically handled by the OutSystems platform.

I once had that same finding coming out of a penetration testing tool and it turned out to be inaccurately flagged as a CSRF attack.

As I understood from OutSystems Support back then, the value of the CSRF token is included in the encrypted ViewState that is sent with each request. The used CSRF token is the value of the osVisitor cookie. When the request is received on the server, the platform decrypts the ViewState using a local private key that is never shared and checks if the CSRF token sent in the ViewState is the same as the one the osVisitor cookie contains. Since the ViewState could only be decrypted using that local private key, it is not possible for an attacker to successfully forge a request.

Hope this helps!

Regards,

Nordin

on 2020-10-30

Vikas Sharma

Rank: #439

Hi Nordin,

Thanks for explanation. Your answer will help me to explain this to client.

Regards.

on 2020-10-30

Training

Documentation

How to create and validate CSRF tokens in traditional web applications