From a38877b02f8d17916fac847054b38c38e8c7cc27 Mon Sep 17 00:00:00 2001 From: Adriano Ramos Date: Wed, 21 Apr 2021 18:49:23 +0100 Subject: [PATCH 1/2] Added how the token adds csrf protection --- src/security/develop-secure-apps/csrf-attacks.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/security/develop-secure-apps/csrf-attacks.md b/src/security/develop-secure-apps/csrf-attacks.md index b2a75d547..2a2540584 100644 --- a/src/security/develop-secure-apps/csrf-attacks.md +++ b/src/security/develop-secure-apps/csrf-attacks.md 
@@ -23,7 +23,11 @@ Protection against CSRF is shared between the client devices and the application * For traditional web applications find the token definition in [this article](https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/Cookie_Usage_in_Web_Applications). * Reactive web applications the **nr2** token protects against CSRF attacks. Find detailed information about the token [this article](https://success.outsystems.com/Documentation/11/Managing_the_Applications_Lifecycle/Secure_the_Applications/Configure_App_Authentication#Authentication_Cookies). -However, the token by itself, doesn't provide full CSRF protection. +Taking a traditional web application as an example, the CSRF token used is the value of the cookie osVisitor, generated the first time the end-user accesses the web server. The implementation of the protection mechanism consists of including the value of the CSRF token in the encrypted ViewState that is sent with each request. On the server side, when a request is received, the platform decrypts the ViewState and checks if the CSRF token sent in the ViewState is the same that the cookie contains to validate the request. + +The effectiveness of this mechanism is ensured by the encryption of the ViewState with the value of osVisitor. The ViewState is encrypted by the server, using a local private key that is never shared. Therefore, without having access to the private key, it’s not possible for an attacker to successfully forge a request. + +However, the token by itself, doesn't provide full CSRF protection. A browser performing a request to any website, attaches cookies associated to the request url. To avoid this kind of scenarios, recent versions of the commonly used browsers started enforcing the usage of the SameSite cookie. From 58122e6a09d8fa154d1f3f374a1a0d520f0e564f Mon Sep 17 00:00:00 2001 
From: Ana Martins <60753223+OutSystemsAMM@users.noreply.github.com> Date: Fri, 23 Apr 2021 15:57:42 +0100 Subject: [PATCH 2/2] Update csrf-attacks.md --- src/security/develop-secure-apps/csrf-attacks.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/develop-secure-apps/csrf-attacks.md b/src/security/develop-secure-apps/csrf-attacks.md index 2a2540584..45ceb25d3 100644 --- a/src/security/develop-secure-apps/csrf-attacks.md +++ b/src/security/develop-secure-apps/csrf-attacks.md @@ -47,3 +47,4 @@ With OutSystems, the development of APIs is entirely in the responsibility of th ## More information To learn how to protect your OutSystems apps against other common types of attacks, check [how OutSystems helps you develop secure applications](intro.md). +
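Review bot: the second added paragraph in the src/security/develop-secure-apps/csrf-attacks.md hunk of PATCH 1/2 contradicts itself about what protects the ViewState: it first says the mechanism's effectiveness "is ensured by the encryption of the ViewState with the value of osVisitor", then says "The ViewState is encrypted by the server, using a local private key that is never shared". State one thing precisely: the osVisitor value is the token carried inside the ViewState, and a server-side key, not osVisitor, encrypts it. "Private key" is also the wrong term for a symmetric ViewState key; "secret key" or "server-side key" avoids implying asymmetric cryptography. The conclusion "without having access to the private key, it's not possible for an attacker to successfully forge a request" needs qualifying: since the check compares the token inside the ViewState with the osVisitor cookie, the protection also relies on the attacker being unable to read the victim's osVisitor cookie and on the ViewState being tamper-evident (integrity-protected), not merely encrypted. The first added paragraph says the token is sent in the ViewState "with each request"; if only form postbacks carry a ViewState, say "with each postback" so readers do not assume GET requests or other endpoints are validated the same way. The last paragraph then says the token alone is not full protection because the browser "attaches cookies associated to the request url", but given the ViewState-to-cookie comparison just described, it should say which requests that comparison does not cover, otherwise the reader cannot tell why a cross-site request carrying the victim's cookie gets through. Wording in that paragraph: "associated to the request url" should read "associated with the request URL", "this kind of scenarios" should read "this kind of scenario", drop the comma in "the token by itself, doesn't", and "the SameSite cookie" should read "the SameSite cookie attribute", since SameSite is an attribute set on a cookie, not a cookie.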
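Review bot: PATCH 2/2 only appends a blank line after "check [how OutSystems helps you develop secure applications](intro.md)." at the end of csrf-attacks.md; a Markdown file already ends correctly with the single trailing newline it had, so this adds nothing but a stray empty line. Drop the change, or squash it into PATCH 1/2 if some tooling requires it, rather than shipping a separate "Update csrf-attacks.md" commit whose subject does not say what it changes.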