Anti-cross site request forgery (anti-XSRF) realm

The wl_antiXSRFRealm protects against cross-site request forgery attacks.

In a cross-site request forgery attack, a page that the attacker controls causes the user's browser to send requests to the targeted web site. The site trusts those requests because the browser automatically attaches the user's session cookies to them, so the commands run with the user's privileges. To protect against this, IBM MobileFirst™ Platform Foundation provides an anti-cross site request forgery realm, wl_antiXSRFRealm. This realm is enabled by default in the webSecurityTest and the mobileSecurityTest.

The anti-XSRF realm is relevant only for web environments, where the application runs in a browser. It is not relevant for installed mobile applications, because no third-party page shares the browser with them. Also, the anti-XSRF realm does not protect against session hijacking: an attacker who already holds the user's session, and with it the token, is outside its scope.

The anti-XSRF technique relies on the browser's same-origin policy, under which a script loaded from one origin cannot read responses that the browser receives from another origin. The realm requires every request after the initial one to present a value that only a same-origin script can have read from the server's response, so a request that does not carry it is treated as coming from an attacker script on a different origin.

When a new session is initiated, the first request to MobileFirst Server receives an HTTP 401 ("Unauthorized") response whose challenge contains the WL-Instance_Id token. The MobileFirst client framework extracts this token and sends it as the WL-Instance_Id header on all subsequent requests. If the header is not present on a subsequent request, HTTP 401 is returned again and access to the resource is denied.

The server-side realm implementation ensures that each incoming request carries the correct value in the WL-Instance_Id header. If the header is missing or has an incorrect value, the realm again returns a 401 response with a challenge that contains the correct value for WL-Instance_Id. However, because of the same-origin policy, the browser does not allow a page served from the attacking origin to read that challenge, so the attacker cannot learn the token and retry.

The server returns a challenge and does not destroy the session when the token is missing or incorrect, because this situation can be the result of a legitimate use case. For example, if a session has timed out on the server side, the client might send a request with an expired token. Or a session race condition might occur, in which the client sends two or more requests simultaneously while the session is not yet established or has timed out. A legitimate client should be able to recover from these situations automatically, so the server sends the same challenge in every failure case.

For more information, see Cross-site request forgery.

Note: If an application that uses the anti-XSRF realm accesses a resource that is protected by OAuth authentication, and the client holds a valid token, MobileFirst Server is not called for that request. As a result, the server does not check whether the request contains the WL-Instance_Id header. MobileFirst Server is called when the token expires or when the anti-XSRF realm inside the token expires. When the realm expires, the anti-XSRF authenticator is invoked and the server checks whether the request contains the header. For more information about OAuth authentication, see MobileFirst OAuth-based security model.