Managing Cross-Site Request Forgery (CSRF) with GeneXus

Unofficial Content

Cross-Site Request Forgery OWASP definition:

"Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application."

For more information on the attack, please visit the OWASP site.

Actions by GeneXus

  • On POST requests: GeneXus automatically includes a token. If the token is missing from the request or it is incorrect, the request is not answered.
  • On GET requests: GeneXus does not modify any data over GET requests by default.
  • It is recommended to use parameter encryption to increase the attack's difficulty.

Actions by developers

  • On POST requests: Use the default HTTP method to execute business logic.
    • No action required.
  • On GET requests: This method is used by GeneXus to call an object for the first time. Verify that you are not executing business logic within the Start Event. You can restrict the business logic to the POST request execution using an "if &HttpRequest.Method == 'POST'" conditional.
    • Usually, this happens on Main HTTP Procedure. In this case, consider this solution:
      • Generate a nonce on the caller Web Panel, store it on the Web Session and pass it to the Procedure as a parameter.
      • Before executing the business logic on the Procedure, obtain the nonce from the Web Session and compare it with the nonce received as a parameter. If they do not match, do not execute the business logic. Remember to remove the nonce from the session as soon as it is read; a nonce must never be accepted twice.
      • Security Scanner helps to detect this scenario with case code #100.
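The nonce scheme above, modelled in Python as an added example (it is not GeneXus code and not part of the original page): the `WebSession` class, `issue_nonce` and `run_procedure` are stand-ins for the caller Web Panel, the Web Session and the Main HTTP Procedure, and the nonce is removed from the session before it is compared so that a replayed or forged parameter finds nothing to match.

```python
import hmac
import secrets

NONCE_KEY = "csrf_nonce"  # session key name, chosen for this example


class WebSession:
    """Minimal stand-in for the GeneXus Web Session (constructed for this example)."""

    def __init__(self):
        self._data = {}

    def set(self, key, value):
        self._data[key] = value

    def get(self, key):
        return self._data.get(key, "")

    def remove(self, key):
        self._data.pop(key, None)


def issue_nonce(session):
    """Caller Web Panel: create an unpredictable nonce, keep it in the session,
    and return it so the panel can pass it to the Procedure as a parameter."""
    nonce = secrets.token_urlsafe(32)
    session.set(NONCE_KEY, nonce)
    return nonce


def run_procedure(session, nonce_param, business_logic):
    """Main HTTP Procedure: accept the request only if the parameter matches the
    session nonce. Returns True when the business logic ran, False otherwise."""
    expected = session.get(NONCE_KEY)
    # Single use: drop the stored nonce before comparing, so the same value
    # (replayed by a forged request) can never pass a second time.
    session.remove(NONCE_KEY)
    if not expected:
        return False  # no nonce was issued for this session
    # Constant-time comparison on bytes; a non-ASCII forged value cannot match.
    if not hmac.compare_digest(expected.encode(), nonce_param.encode()):
        return False
    business_logic()
    return True
```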

This documentation was made in collaboration with GeneXus Consulting.