Securing Integration Server with CSRF Guard

What is CSRF?

Cross-Site Request Forgery (CSRF) is one of the most common attacks on websites and web applications. A CSRF attack occurs when a user who is logged in to a web application loads a webpage controlled by an attacker, for example through a link, an image tag, or a hidden form. That page causes the browser to send a request to the application. Because the browser attaches the user's session cookie to every request for that site, the application executes the request with the identity and privileges of the user and performs an action the user never intended, such as changing a configuration or invoking a service.

A web application is vulnerable to CSRF if it acts on requests from authenticated users without requiring each request to prove that the user, and not an attacker's page, initiated it. A cookie alone does not prove that: if you are authenticated to a web application by a cookie stored in your web browser, any page you visit can make your browser send an HTTP or HTTPS request to that application, and the cookie goes with it. The defense is to require something a cross-site page cannot read or guess, such as a secret token tied to the session.

How Does Integration Server Prevent CSRF Attacks?

Integration Server uses the CSRF guard feature to prevent CSRF attacks. When Integration Server Administrator or another client application authenticates and a session is created, Integration Server generates one CSRF secure token for that session. Integration Server inserts this token into the pages and links it serves so that subsequent requests in the session carry it. The token is valid only for its own session and expires when the session ends.

When a request arrives, Integration Server verifies that the request carries a token and compares it with the token stored in the session. If the request has no token, or the token in the request does not match the token in the session, Integration Server terminates the request. Integration Server also logs the event as a potential CSRF attack in the server log and the security audit log, which gives you a place to monitor for attempts and to separate real attacks from the expired-session and stale-browser cases described under Denial Action below.

You use the Integration Server Administrator to enable or disable CSRF guard in Integration Server.

Integration Server inserts and verifies CSRF secure tokens for:
  • HTTP requests from a web browser for dynamic server pages (DSPs)
  • HTTP requests that use the invoke, rest, or restv2 directives
  • Ajax XMLHttpRequests

Understanding CSRF Guard Terminology

Before configuring CSRF guard in Integration Server, you may find it helpful to first understand the following terminology used with reference to CSRF guard in Integration Server:

  • Excluded User Agents. The user agent value is the string that corresponds to the User-Agent HTTP header in the HTTP request. Excluded user agents are user agents for which Integration Server does not enforce CSRF guard. That is, Integration Server will not check for CSRF tokens on requests from these excluded user agents.

    Reserve this list for non-browser clients that cannot carry the token. CSRF attacks arrive through browsers, so a pattern that matches browser user agents (for example *Mozilla*, which matches every mainstream browser because their User-Agent strings begin with Mozilla/5.0) exempts exactly the requests the guard exists to check. The User-Agent header is also chosen by the client, so an exclusion is a convenience for trusted clients, not an authentication control.

    You can specify the user agents as patterns in which the asterisk (*) is the only wildcard character; other regular-expression syntax is not supported. To separate the entries, enter one user agent per line. Press ENTER to separate the lines.

    For example:
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
    *Mozilla*
  • Landing Pages. The home pages of Integration Server packages are referred to as landing pages. Integration Server will not check for CSRF secure tokens in the landing pages, but the server will insert a token for that page. Integration Server guards all further requests from these landing pages with CSRF secure tokens.

    You cannot specify landing pages as regular expressions. To separate the entries, enter one landing page per line. Press ENTER to separate the lines.

    For example:
    MyPackage/index.dsp
    MyPackage/index.html
  • Unprotected URLs. The URLs for which Integration Server does not have to check for CSRF secure tokens are referred to as unprotected URLs. Integration Server requires that the requests coming from all URLs that are not specified in this field must contain CSRF secure tokens.

    If you specify a DSP page as an unprotected URL, Integration Server will not insert a CSRF secure token for that file. If you attempt to access a protected page from this DSP page, Integration Server issues an error or redirects you to the home page of Integration Server Administrator depending on your Denial Action configuration.

    You can specify unprotected URLs as patterns in which the asterisk (*) is the only wildcard character; other regular-expression syntax is not supported. To separate the entries, enter one URL per line. Press ENTER to separate the lines.

    The following table provides examples of URLs for the Unprotected URLs text area.

    In this example...         Integration Server does not check for CSRF secure token in...
    MyPackage/abc.dsp          The abc.dsp page in the MyPackage package.
    MyPackage/*                All the pages in the MyPackage package.
    invoke/pub.math:addInts    A request invoking the pub.math:addInts service.
    invoke/pub*                Requests invoking all services whose path starts with "pub" (this includes folders whose name merely begins with pub, not only the pub folder).
    invoke/*                   Any invoke requests.

    Keep this list as short as possible, because every entry removes CSRF protection from the matching requests: invoke/* turns the guard off for every service invocation, and a broad wildcard such as MyPackage/* also unprotects pages added to the package later. Prefer exact entries such as invoke/pub.math:addInts for the few services that must accept requests without a token.
  • Denial Action. The action you want Integration Server to perform when it detects that a request does not contain a CSRF secure token or contains an invalid CSRF secure token. You can configure Integration Server to:
    • Redirect the user to the home page of Integration Server Administrator or to a webpage that displays a warning that Integration Server has detected a CSRF attack.
    • Issue an error and terminate the request.

Configuring CSRF Guard in Integration Server

About this task

Keep the following points in mind when you configure CSRF guard in Integration Server:
  • When you enable or disable CSRF guard in Integration Server, you must refresh the web browser for the changes to take effect.
  • Integration Server does not provide protection from CSRF attacks in the following situations:
    • Requests from users with execute access that invoke services with the Anonymous ACL assigned to them.
    • Requests from Integration Server Administrator or a client application after the Integration Server session has timed out. In such cases, Integration Server redirects the user or issues an error. You must refresh the web browser to continue.
    • Requests from a user agent that differs from the user agent that was used when the session was created.

To configure CSRF guard in Integration Server

Procedure

  1. Open Integration Server Administrator.
  2. In the Navigation panel, select Security > CSRF Guard > Edit CSRF Guard Settings.
  3. Select the Enabled check box to enable CSRF guard in Integration Server.
  4. In the Excluded User Agents text area, enter the user agents for which CSRF guard is not to be enforced.

    The user agent value is the string that corresponds to the User-Agent HTTP header in the HTTP request.

    You can specify the user agents as patterns in which the asterisk (*) is the only wildcard character; other regular-expression syntax is not supported. To separate the entries, enter one user agent per line. Press ENTER to separate the lines.

  5. In the Landing Pages text area, enter the list of landing pages for the packages in your Integration Server. Integration Server will not check for CSRF secure tokens in the landing pages, but the server will insert a token for that page. Integration Server guards all further requests from these landing pages with CSRF secure tokens.

    You cannot specify landing pages as regular expressions. To separate the entries, enter one landing page per line. Press ENTER to separate the lines.

  6. In the Unprotected URLs text area, enter the URLs for which Integration Server does not have to check for CSRF secure tokens.

    You can specify unprotected URLs as patterns in which the asterisk (*) is the only wildcard character; other regular-expression syntax is not supported. To separate the entries, enter one URL per line. Press ENTER to separate the lines.

    Note: Do not specify landing pages in the Unprotected URLs text area. If you specify landing page URLs in both Landing Pages and Unprotected URLs text areas, the landing page option will take precedence and Integration Server will not check for CSRF secure tokens in those pages.
  7. From the Denial Action options, select the action that you want Integration Server to perform when it detects that a request does not contain a CSRF secure token or contains an invalid CSRF secure token.
    Select...   To...
    Error       Issue an "access denied" error and terminate the request. This is the default.

    If you select Error, Integration Server issues the following error when it detects that a request does not contain a CSRF secure token or contains an invalid CSRF secure token:

    Access Denied. Invalid CSRF secure token.

    This error message usually means that Integration Server has detected a CSRF attack, but Integration Server also issues it in the following situations, which are not attacks:
    • The Integration Server session has expired.
    • The web browser was not refreshed after CSRF guard was enabled.
    • Another user who is connected to the same Integration Server restarted Integration Server.

    In these cases, refresh the web browser to continue. Before treating an occurrence as an attack, check the corresponding entry in the server log and the security audit log against these causes.

    Redirect    Redirect the user as follows:
    • If the CSRF threat is detected when a user accesses a DSP page in Integration Server Administrator, redirect the user to the home page of Integration Server Administrator.
    • If the CSRF threat is detected in a URL or client request that includes an invoke, a rest, or a restv2 directive, redirect the user to a webpage that displays a warning that Integration Server has detected a CSRF attack. The user must click Continue to execute the service.
      Note: Integration Server redirects the user to this page only if the client application accepts text/html as the content type. If the client application does not accept text/html, Integration Server returns an access denied error.
  8. Click Save Changes and refresh the web browser for the changes to take effect.
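The following is an added example, not Integration Server's own code: a model of the decision flow that the terminology section above and the Denial Action step describe, so that you can reason about what a combination of Excluded User Agents, Landing Pages, Unprotected URLs and Denial Action will let through before you save it. Everything about its interface is an assumption: the request is a plain object with path, userAgent, accept, query and session fields, the session token lives in session.csrfToken, the token travels in a query parameter named secureCSRFToken (the name used in the DSP link example at the end of this page), and the two redirect targets are made-up paths, not documented Integration Server URLs.

```javascript
// Added example (not Integration Server's code): a model of the CSRF guard
// decision described on this page, for reasoning about a configuration.
// Hypothetical request shape: { path, userAgent, accept, query, session },
// with session.csrfToken holding the per-session token.
const TOKEN_PARAM = 'secureCSRFToken';           // name from the DSP link example
const ADMIN_HOME = '/WmRoot/index.dsp';          // assumed Administrator home page
const WARNING_PAGE = '/WmRoot/csrf-warning.dsp'; // assumed warning page with Continue

// The asterisk is the only wildcard these fields accept. Escape every other
// character so "." or "(" in a user agent or URL cannot widen the match, and
// anchor the pattern so "invoke/pub*" cannot match "x/invoke/pub".
function wildcardToRegExp(pattern) {
  const parts = pattern.split('*').map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$');
}

function matchesAny(value, patterns) {
  return patterns.some(p => wildcardToRegExp(p).test(value));
}

// Compare the presented token with the session token without leaking where
// they first differ through timing.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function makeGuard(options) {
  const cfg = { enabled: true, excludedUserAgents: [], landingPages: [],
                unprotectedUrls: [], denialAction: 'Error', ...options };

  function deny(req, path) {
    const error = { action: 'deny', status: 403, message: 'Access Denied. Invalid CSRF secure token.' };
    if (cfg.denialAction !== 'Redirect') return error;
    // The redirect is offered only to clients that accept text/html; others get the error.
    // (How Integration Server treats a wildcard Accept value is not documented here.)
    if (!/text\/html/.test(req.accept || '')) return error;
    // invoke, rest and restv2 directives go to the warning page; DSP pages go to the Administrator home page.
    const target = /^(invoke|rest|restv2)\//.test(path) ? WARNING_PAGE : ADMIN_HOME;
    return { action: 'redirect', status: 302, location: target };
  }

  return function check(req) {
    const path = req.path.replace(/^\/+/, ''); // entries on this page are written without a leading slash
    if (!cfg.enabled) return { action: 'allow', reason: 'guard disabled', insertToken: false };
    if (matchesAny(req.userAgent || '', cfg.excludedUserAgents)) {
      return { action: 'allow', reason: 'excluded user agent', insertToken: false };
    }
    // Landing pages are exact entries and take precedence over Unprotected URLs:
    // no check on the way in, but the page is served with a token.
    if (cfg.landingPages.includes(path)) return { action: 'allow', reason: 'landing page', insertToken: true };
    // Unprotected URLs are neither checked nor given a token.
    if (matchesAny(path, cfg.unprotectedUrls)) return { action: 'allow', reason: 'unprotected URL', insertToken: false };
    const presented = (req.query || {})[TOKEN_PARAM];
    const expected = req.session && req.session.csrfToken;
    if (presented !== undefined && expected && constantTimeEqual(presented, expected)) {
      return { action: 'allow', reason: 'token valid', insertToken: true };
    }
    // Missing or mismatched token: this is the event logged as a potential CSRF attack.
    return deny(req, path);
  };
}
```

Running configurations through this model makes the two common misconfigurations visible: an Excluded User Agents entry of *Mozilla* allows every browser request through without a token, and an Unprotected URLs entry of invoke/pub* also matches a service in any folder whose name starts with pub. It also shows why a landing page listed in both fields is still served with a token (the landing-page rule is evaluated first), and why a JSON client that sends a request without a token sees the access denied error even when Denial Action is Redirect.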

Limitations when Configuring CSRF Guard in Integration Server

  • When you enable or disable CSRF guard in Integration Server, you must refresh the web browser.
  • You cannot use the CSRF guard feature if your Integration Server runs as part of a non-clustered group of Integration Servers in which the ISInternal functional alias on each server points to the same database.
  • Integration Server does not insert CSRF secure tokens in custom DSP pages that use JavaScript Location object, such as document.location and window.location.href. You must update these pages manually.

    You do not have to define the JavaScript variables _csrfTokenNm_, _csrfTokenVal_, is_csrf_guard_enabled, and needToInsertToken, but you must import Integration Server_directory\instances\instance_name\packages\WmRoot\csrf-guard.js into your DSP before using these variables.

  • Integration Server inserts CSRF secure tokens in the links in DSPs only if these links point to a DSP. If these links do not point to a DSP, you must update these links manually to include the CSRF secure tokens.

    For example, if you have the following code in your DSP:

    <a href="/invoke/wm.sap.Transaction/viewAs?type=xml"></a>

    You must replace it with the following code:

    <a href="/invoke/wm.sap.Transaction/viewAs?type=xml&secureCSRFToken=%value secureCSRFToken%"></a>
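The DSP tag shown above works when the link is written into the page at render time. For URLs that a custom DSP builds at run time and assigns to document.location or window.location.href, which Integration Server does not rewrite for you, the following added example (not code from Integration Server or from its csrf-guard.js) appends the token in JavaScript. It assumes that csrf-guard.js has been imported into the DSP and defines the globals is_csrf_guard_enabled, _csrfTokenNm_ and _csrfTokenVal_ as, respectively, a flag, the token parameter name and the session's token value; those types are an assumption, so the helpers take the values as parameters and only the last function reads the globals.

```javascript
// Added example, not from Integration Server or its csrf-guard.js: helpers for
// custom DSP pages that navigate through the JavaScript Location object.
// Assumed globals from csrf-guard.js: is_csrf_guard_enabled (flag),
// _csrfTokenNm_ (parameter name), _csrfTokenVal_ (session token).

// Add the token as a query parameter, keeping any fragment at the end (a
// parameter placed after "#" never reaches the server) and replacing an
// existing copy of the parameter rather than sending two.
function appendCsrfToken(url, tokenName, tokenValue) {
  const hashIndex = url.indexOf('#');
  const fragment = hashIndex >= 0 ? url.slice(hashIndex) : '';
  const base = hashIndex >= 0 ? url.slice(0, hashIndex) : url;
  const qIndex = base.indexOf('?');
  const path = qIndex >= 0 ? base.slice(0, qIndex) : base;
  const query = qIndex >= 0 ? base.slice(qIndex + 1) : '';
  const encodedName = encodeURIComponent(tokenName);
  const pairs = query === '' ? [] : query.split('&');
  const kept = pairs.filter(pair => pair.split('=')[0] !== encodedName);
  kept.push(encodedName + '=' + encodeURIComponent(tokenValue));
  return path + '?' + kept.join('&') + fragment;
}

// guard = { enabled, name, value }. When the guard is off the URL is returned
// unchanged, so the same page code works whether or not CSRF guard is enabled.
function guardedUrl(url, guard) {
  if (!guard || !guard.enabled) return url;
  return appendCsrfToken(url, guard.name, guard.value);
}

// Read the guard state from the globals that csrf-guard.js defines. Returns
// { enabled: false } when csrf-guard.js is not loaded, for example outside a browser.
function guardFromPage() {
  if (typeof is_csrf_guard_enabled === 'undefined' || !is_csrf_guard_enabled) return { enabled: false };
  return { enabled: true, name: _csrfTokenNm_, value: _csrfTokenVal_ };
}

// In the DSP itself (browser only), a navigation such as
//   window.location.href = '/invoke/wm.sap.Transaction/viewAs?type=xml';
// becomes
//   window.location.href = guardedUrl('/invoke/wm.sap.Transaction/viewAs?type=xml', guardFromPage());
```

Encoding the token value matters: a token that contains "+", "/" or "=" would otherwise be altered in transit, and a request with a corrupted token is rejected exactly like a request with none.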

For more information about using CSRF guard in DSPs, see Securing DSPs Against CSRF Attacks.