IBM Support

How can the referer header checker be turned off in Information Server to eliminate the error "Possible Cross-Site Request Forgery Attack." in SystemOut.log?

Troubleshooting


Problem

We see the following error messages in our SystemOut.log file: SessionFactor E Possible Cross-Site Request Forgery Attack. Request URL: http:// Referer Header: http:// Is there a way to turn off the referer header checker?

Cause

By default, Information Server tries to detect cross site scripting attacks by comparing the referer HTTP header wit the actual request URL. If they are different, that error message will show in the log file.

Diagnosing The Problem

SystemOut.log contains:

[1/5/17 12:04:51:111 CDT] 000000e0 SessionFactor E   Possible Cross-Site Request Forgery Attack. Request URL: https://9.99.9.99:9443/ibm/iis/igc HTTP Referer Header: https://server_abcd/lineageUIService?iis=https://9.99.9.99:9443/ibm/iis/igc"
[1/5/17 12:04:51:116 CDT] 000000e0 SessionFactor E com.ibm.iis.isf.security.impl.SessionFactory isXsrfSafe Possible Cross-Site Request Forgery Attack.  Request URL: https://9.99.9.99:9443/ibm/iis/igc HTTP Referer Header: https://server_abcd/lineageUIService?iis=https://9.99.9.99:9443/ibm/iis/igc.

Resolving The Problem

The referer checker is turned on by default as a potential mitigation for Cross-Site Request Forgery (CSRF) attacks. It is recommended that this feature only be turned off when necessary for debugging purposes. After troubleshooting is complete, the referer checker should be re-enabled and WebSphere restarted. It is not recommended that this be permanently disabled as it will leave the site more vulnerable for attacks.

If you need to turn it off, run the iisAdmin command to set com.ibm.iis.isf.security.RefererCheckEnabled to false:
cd $IS_HOME/ASBServer/bin
./iisAdmin.sh -set -key com.ibm.iis.isf.security.RefererCheckEnabled -value false

Once the command completes successfully, confirm that the referer checker is turned off:
./iisAdmin.sh -d -key com.ibm.iis.isf.security.RefererCheckEnabled

The command output should show the key is set to false.

You must restart WebSphere for this change to take effect.

A fix has been provided in ISF 11.5 Rollup 6. Alternatively, 11.5 Fix Pack 2 can be installed.

After installing the fix, the check must be turned back ON, and a comma separated list of domain names to check against should be provided. The domain name is the string after the first dot character of the referer host name. For example, if the referer URL is https://fed.dev.company.com/pathname, then the domain name value is dev.company.com:

  • ./iisAdmin.sh -set -key com.ibm.iis.isf.security.RefererCheckEnabled -value true
    ./iisAdmin.sh -set -key com.ibm.iis.isf.security.AllowedRefererDomainNames -value dev.company.com

Related Information

[{"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"11.5;11.3","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
04 April 2019

UID

swg21979949