Question
SiriusXM
US
Last activity: 25 Oct 2024 3:17 EDT
Cross-Site Request Forgery : Implementation Questions
Hi, We are planning to implement Cross-Site Request Forgery Token Check at Pega end , as an Incident was reported from Pen-Test of our application. There are some questions regarding the implementation ,and how it can be QA validated.
- Would the CSRF token be sent to client as an input field on the form?
- If so, would that be a hidden field?
- As Pega is a single page application, how do we preserve through the token through out the user session if the <form> is refreshed?
- Would this token be stored on client side in form of a cookie too? If so, what would be the life time of this cookie?
We tried looking at HTML request for our application pre and post implementation of CSRF settings "Enable CSRF Token check" . In both the HTML we could find <input type="hidden" id="XCSRFToken" name="XCSRFToken" value="XXXXXXXXXXXXXXX"> Is this the token tag ?
Updated: 25 Oct 2024 3:17 EDT
Pegasystems Inc.
IN
Once CSRF is enabled from the (Configure>System>Settings>Cross-Site Request Forgery.) the CSRF token (pzctkn) is sent as part of every request header. This could be validated(from browser network trace) when ever the user submits the requests. the token is created for each session and each thread (tabthread).
The CSRF token is to prevent Cross site request forgery, the token changes with every new interaction with the server using a different Thread within the same session. i.e The CSRF token is valid for the duration of a logged-in user's session.
Pega provides a fresh CSRF token for every new thread that gets created from browser and performs the validation for every XHR request that reaches the server. Once a user logs out and logs back in the CSRF token will change as this will be a new session.
if you enable the CSRF token checkbox Pega sends the CSRF token to client and expects it back as part of request body for all the XML HTTP Requests. We generate the csrf token irrespective of csrf token check setting. If enabled only validation of the token will be done on top of generation.
Some additional details :
In Pega 8 you will see the csrf token in the http request headers and not in the URL as in Pega 7 and earlier versions of Pega.
Once CSRF is enabled from the (Configure>System>Settings>Cross-Site Request Forgery.) the CSRF token (pzctkn) is sent as part of every request header. This could be validated(from browser network trace) when ever the user submits the requests. the token is created for each session and each thread (tabthread).
The CSRF token is to prevent Cross site request forgery, the token changes with every new interaction with the server using a different Thread within the same session. i.e The CSRF token is valid for the duration of a logged-in user's session.
Pega provides a fresh CSRF token for every new thread that gets created from browser and performs the validation for every XHR request that reaches the server. Once a user logs out and logs back in the CSRF token will change as this will be a new session.
if you enable the CSRF token checkbox Pega sends the CSRF token to client and expects it back as part of request body for all the XML HTTP Requests. We generate the csrf token irrespective of csrf token check setting. If enabled only validation of the token will be done on top of generation.
Some additional details :
In Pega 8 you will see the csrf token in the http request headers and not in the URL as in Pega 7 and earlier versions of Pega.
https://docs.pega.com/security/86/enabling-and-configuring-cross-site-request-forgery-settings
Pega doesn't use cookies or URL to sent CSRF tokens, it uses two tokens which are sent as request headers:
- pzCTkn (CSRF Token) Request headers
- pzBFP (Browser Fingerprint) pzCTkn can also be derived from Pega-AAT cookie as csrf payload
Please accept the solution if you find this helpful.
Regards, Aditya Kumar