Introduction

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious website, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is authenticated. For example, this attack could transfer funds, change a password, or purchase an item in the user’s context.

CSRF tokens and the same origin policy are two different ways to prevent CSRF attacks in ZIETrans. Either or both can be enabled, depending on the requirement.

A CSRF token is a unique, unpredictable secret value generated by a server-side application and sent to the client for inclusion in subsequent HTTP requests issued by the client. Once the token is issued, the server checks if the request from the client contains the expected token. If the token is missing or invalid, the request gets rejected.

The same origin policy check discards any request whose origin is missing (a URL with no protocol) or that originates from an unauthorized origin/website.

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim’s web browser by including malicious code in a legitimate web page or web application. Users can avoid this attack in ZIETrans by setting a few XSS security parameters in the ZIETrans project.

This blog post explains how to protect against CSRF and XSS in ZIETrans.

Steps to enable CSRF protection in ZIETrans

  1. Open the ZIETrans toolkit.
  2. Go to Project settings > Other tab > Client settings.
  3. Select “Enable same origin policy protection” or “Enable token based protection” based on the requirement.

Figure 1: Enable same origin policy and token based protection

  4. Save the changes.
  5. Go to the Navigator tab > Web Content folder > WEB-INF folder and open the web.xml file.

Search for the display name “HatsCSRFValidationFilter”. The “source.origin” and “target.origin” parameters must be updated to your ZIETrans URL as shown below; by default they are blank.

    <filter>
        <description>This filter will invoke to validate csrf attack</description>
        <display-name>HatsCSRFValidationFilter</display-name>
        <filter-name>HatsCSRFValidationFilter</filter-name>
        <filter-class>com.ibm.hats.runtime.filters.HatsCSRFValidationFilter</filter-class>
        <async-supported>false</async-supported>
        <init-param>
            <param-name>source.origin</param-name>
            <param-value>https://localhost:9083/ZIETrans/</param-value>
        </init-param>
        <init-param>
            <param-name>target.origin</param-name>
            <param-value>https://localhost:9083/ZIETrans/</param-value>
        </init-param>
    </filter>

Multiple URLs can be provided in the param-value by separating them with commas:

    <param-value>https://localhost:9083/ZIETrans/, https://zietransapp.com/</param-value>
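To make the two protections described above concrete, here is an added Python model of the same origin policy check and the token check; it is illustrative code written for this post, not the source of HatsCSRFValidationFilter, and it assumes the comma-separated param-value format shown above, that the request origin is read from the Origin header (falling back to Referer), and a hypothetical X-CSRF-Token request header for the token variant.

```python
import hmac
from urllib.parse import urlsplit

# Constructed sample of the comma-separated param-value shown in the post.
SOURCE_ORIGIN_PARAM = "https://localhost:9083/ZIETrans/, https://zietransapp.com/"


def parse_allowed_origins(param_value):
    """Turn the comma-separated param-value into a set of scheme://host[:port] origins.
    Paths such as /ZIETrans/ and surrounding whitespace are dropped; an entry
    without a protocol is skipped because an origin without one can never match."""
    origins = set()
    for entry in param_value.split(","):
        parts = urlsplit(entry.strip())
        if not parts.scheme or not parts.netloc:
            continue
        origins.add(f"{parts.scheme.lower()}://{parts.netloc.lower()}")
    return origins


def request_origin(headers):
    """Origin of the request: the Origin header if present, otherwise the origin
    part of Referer. Returns None when neither header carries a protocol
    (this also covers the literal 'Origin: null' a browser may send)."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def same_origin_check(headers, allowed_origins):
    """Same origin policy as the post describes it: a request is discarded when
    its origin is missing or is not one of the configured origins."""
    origin = request_origin(headers)
    return origin is not None and origin in allowed_origins


def token_check(headers, expected_token):
    """Token-based protection: the request must carry the token issued for the
    session (assumed here to travel in X-CSRF-Token). The comparison is
    constant-time so a mismatch leaks no timing information about the token."""
    presented = headers.get("X-CSRF-Token", "")
    if not expected_token or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())
```

Note that the scheme is part of the origin: an http:// request is rejected when only the https:// URL is configured, so list every scheme and port the application is actually served on.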

Steps to enable XSS protection in ZIETrans

Open the web.xml file of ZIETrans and change the parameters below from NO to YES. By default, these parameters are set to NO.

    <init-param>
        <param-name>Content-Security-Policy</param-name>
        <param-value>YES</param-value>
    </init-param>
    <init-param>
        <param-name>X-XSS-Protection</param-name>
        <param-value>YES</param-value>
    </init-param>
    <init-param>
        <param-name>X-Content-Type-Options</param-name>
        <param-value>YES</param-value>
    </init-param>
