Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added how the token adds csrf protection #10

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Added how the token adds csrf protection #10

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a38877b
Added how the token adds csrf protection
OS-adrianoramos Apr 21, 2021
58122e6
Update csrf-attacks.md
OutSystemsAMM Apr 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion src/security/develop-secure-apps/csrf-attacks.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,11 @@ Protection against CSRF is shared between the client devices and the application
* For traditional web applications find the token definition in [this article](https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/Cookie_Usage_in_Web_Applications).
* Reactive web applications the **nr2<user\>** token protects against CSRF attacks. Find detailed information about the token [this article](https://success.outsystems.com/Documentation/11/Managing_the_Applications_Lifecycle/Secure_the_Applications/Configure_App_Authentication#Authentication_Cookies).

However, the token by itself, doesn't provide full CSRF protection.
Taking a traditional web application as an example, the CSRF token used is the value of the cookie osVisitor, generated the first time the end-user accesses the web server. The implementation of the protection mechanism consists of including the value of the CSRF token in the encrypted ViewState that is sent with each request. On the server side, when a request is received, the platform decrypts the ViewState and checks if the CSRF token sent in the ViewState is the same that the cookie contains to validate the request.

The effectiveness of this mechanism is ensured by the encryption of the ViewState with the value of osVisitor. The ViewState is encrypted by the server, using a local private key that is never shared. Therefore, without having access to the private key, it’s not possible for an attacker to successfully forge a request.

However, the token by itself, doesn't provide full CSRF protection.

A browser performing a request to any website, attaches cookies associated to the request url. To avoid this kind of scenarios, recent versions of the commonly used browsers started enforcing the usage of the SameSite cookie.

Expand All @@ -43,3 +47,4 @@ With OutSystems, the development of APIs is entirely in the responsibility of th
## More information

To learn how to protect your OutSystems apps against other common types of attacks, check [how OutSystems helps you develop secure applications](intro.md).