Hi,
I am working on a traditional web application and the client arranged third-party VPAT testing. In the testing results we got one issue related to Cross-Site Request Forgery (CSRF). Their suggestion is: Properly validate CSRF tokens for all requests.
When I searched for this for OutSystems, I found it is enabled by default on OutSystems 10 or later. So I am not sure how to implement it. Please suggest.
Regards
Hi Vikas,
The OutSystems platform already has built-in protection against CSRF attacks.
For more information check out this article.
Regards,
Nordin
No you do not need to enable anything. This is automatically handled by the OutSystems platform.
I once had that same finding coming out of a penetration testing tool and it turned out to be inaccurately flagged as a CSRF attack.
As I understood from OutSystems Support back then, the value of the CSRF token is included in the encrypted ViewState that is sent with each request. The used CSRF token is the value of the osVisitor cookie. When the request is received on the server, the platform decrypts the ViewState using a local private key that is never shared and checks if the CSRF token sent in the ViewState is the same as the one the osVisitor cookie contains. Since the ViewState could only be decrypted using that local private key, it is not possible for an attacker to successfully forge a request.
Hope this helps!
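As an added illustration of the check described above (not OutSystems' own code): the CSRF token is bound into a ViewState that only the server can produce, and on submit it is compared with the osVisitor cookie. Assumptions: an HMAC-SHA256 tag stands in for the platform's ViewState encryption, and SERVER_KEY is a constructed stand-in for the local private key.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-only secret (assumption): stands in for the local private
# key the answer describes; it is never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


def seal_viewstate(state: dict, csrf_token: str, key: bytes = SERVER_KEY) -> str:
    """Embed the CSRF token in the ViewState and seal it with the server key.

    Simplification (assumption): an HMAC-SHA256 tag stands in for the
    platform's encryption; either way only the server can produce a valid blob.
    """
    payload = json.dumps({"state": state, "csrf": csrf_token}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode()


def validate_request(viewstate: str, os_visitor_cookie: str, key: bytes = SERVER_KEY) -> bool:
    """Server-side check: ViewState must be genuine and its token must equal the cookie."""
    try:
        raw = base64.urlsafe_b64decode(viewstate.encode())
    except ValueError:
        return False
    tag, payload = raw[:32], raw[32:]
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return False  # tampered, or not sealed by this server
    try:
        token = json.loads(payload)["csrf"]
    except (ValueError, KeyError, TypeError):
        return False
    return isinstance(token, str) and hmac.compare_digest(token, os_visitor_cookie)


def demo() -> tuple:
    """Returns (legitimate, forged, cross_session) validation results."""
    victim_cookie = secrets.token_hex(16)
    legit = validate_request(seal_viewstate({"f": "v"}, victim_cookie), victim_cookie)
    # Without SERVER_KEY a ViewState carrying the victim's token cannot be sealed.
    forged = validate_request(seal_viewstate({"f": "x"}, victim_cookie, b"guess"), victim_cookie)
    # A genuine ViewState from another visitor's session does not match the victim's cookie.
    other = validate_request(seal_viewstate({"f": "x"}, secrets.token_hex(16)), victim_cookie)
    return legit, forged, other
```

Only the legitimate case validates; this is why a scanner that merely observes "no separate CSRF token field" reports a false positive here.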
Hi Nordin,
Thanks for the update. But do we need to enable it manually, or is there something we need to enable from Service Center or LifeTime for this? As you said, it's already built in, but I am not sure why the VPAT testing result is showing this vulnerability. Kindly suggest.
Thanks for the explanation. Your answer will help me explain this to the client.
Regards.