Difference between revisions of "ADF AjaxProxy CSRF Safe Mode"

From ADF Docs
Jump to: navigation, search
(Enable the CSRF Safe Mode for local ajaxProxy requests)
 
(24 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
'''IMPORTANT''': This feature requires ADF 2.5 or above and CommonSpot 10.6.1 or 10.5.2 or above.
 +
 +
== ADF AjaxProxy CSRF Safe Mode ==
 +
The CommonSpot 10.6.1, 10.5.2 and the ADF 2.5 releases have added enhanced security to mitigate "Cross-Site Request Forgery" (CSRF) vulnerabilities.
 +
 +
ADF 2.5's security enhancement, "ajaxProxy CSRF Safe Mode" has been disabled by default and must be manually enabled to take advantage of this feature. This allows developers an opportunity to update their ADF and ADF App ajaxProxy related customizations, before enabling the CSRF attack prevention validation when using the ADF's AjaxProxy.
 +
 
== Enable the CSRF Safe Mode for local ajaxProxy requests ==
 
== Enable the CSRF Safe Mode for local ajaxProxy requests ==
ADF 2.5's new security enhancement, "ajaxProxy CSRF Safe Mode" is disabled by default. This allows developers an opportunity to update their ADF and ADF App ajaxProxy related customizations, before enabling the CSRF attack prevention validation.
+
If your site is only using out of the box ADF and ADF Applications then you should enable the "ajaxProxy CSRF Safe Mode" immediately.
 +
 
 +
=== How to Enable CSRF Safe Mode ===
 +
* In your '''ADF.cfc''' in the /_cs_apps/ folder in your site root, add the following line:
 +
enableADFcsrfSafeMode(true);
 +
 
 +
* For new ADF installs, update the "enableADFcsrfSafeMode" line found in your site's '/_cs_apps/ADF.cfc' file, from "false" to "true" (see above).
  
If your site is only using out of the box ADF and ADF Applications then you should enable the "ajaxProxy CSRF Safe Mode" immediately install or an upgrade.
+
'''WARNING''': Enabling the "CSRF Safe Mode" without using the ADF 2.5 ready Apps or updating your custom ajaxProxy local requests will limit functionality!
  
== How to Enable CSRF Safe Mode ==
+
=== Update Custom Local AjaxProxy Requests ===
# In your '''ADF.cfc''' in the /_cs_apps/ folder in your site root, add the following line:
+
If your site has custom code which uses the ADF's ajaxProxy for local requests, before you can enable "ajaxProxy CSRF Safe Mode" using the steps above, you will need to add the CSRF_Token parameter to your method call. Adding this extra parameter to the request will get the CSRF_token session token which is known by the server.
enableADFcsrfSafeMode(true);
 
  
For a new ADF installs, update the line enableADFcsrfSafeMode(false); found in your site's /_cs_apps/ADF.cfc file, from "false" to "true" (see above).
+
When the "ajaxProxy CSRF Safe Mode" is enabled, the CSRF token key/value pair is required when making local AjaxProxy requests along with your other request parameters either as a Data or URL parameter, otherwise your ajaxProxy requests will not validate and fail.  
  
If your site has custom code which uses the ADF's ajaxProxy for local requests before you can enable "ajaxProxy CSRF Safe Mode", using the steps above, you will need to add the CSRF_Token parameter and the method call to get the CSRF_token value to your ajaxProxy calls. Once the "ajaxProxy CSRF Safe Mode" is enabled, the CSRF token key/value pair is required to be passed along with the local request as either a Data or URL parameter, otherwise your ajaxProxy requests will not validate and fail.  
+
==== CSRF_Token as a Data parameter (using jQuery.post): ====
 +
<pre>
 +
<cfset csrfToken = application.ADF.csSecurity.getCSRF_Token()>
  
CSRF_Token as a Data parameter (using a jQuery.post):
+
<cfoutput>
<source>
+
<script>
 
jQuery.post("#application.ADF.ajaxProxy#",
 
jQuery.post("#application.ADF.ajaxProxy#",
 
{
 
{
 
   bean: 'dataService',
 
   bean: 'dataService',
 
   method: 'getData',
 
   method: 'getData',
   CSRF_Token: '#application.ADF.csSecurity.getCSRF_Token()#'
+
   CSRF_Token: '#TRIM(csrfToken)#'
 
}
 
}
</source>
+
...
 
+
</cfoutput>
 +
</pre>
  
CSRF_Token as a URL parameter (using a jQuery.get):
+
==== CSRF_Token as a URL parameter (using jQuery.get): ====
<source type="html">
+
<pre>
jQuery.get("#application.ADF.ajaxProxy#?bean=dataService&method=getData&CSRF_Token=#application.ADF.csSecurity.getCSRF_Token()#")
+
<cfset csrfToken = application.ADF.csSecurity.getCSRF_Token()>
</source>
 
  
 +
<cfoutput>
 +
jQuery.get("#application.ADF.ajaxProxy#?bean=dataService&method=getData&CSRF_Token=#TRIM(csrfToken)#")
 +
</cfoutput>
 +
</pre>
  
  WARNING: Enabling the "CSRF Safe Mode" without using the ADF 2.5 ready Apps or updating custom ajaxProxy local requests will limit functionality!
+
  '''Note''': Due to a CFML output issue which adds additional spaces to the value when calling a method directly in a JavaScript block, it is best to set a local variable when calling the method and then reference the local variable in your JavaScript.

Latest revision as of 15:22, 15 April 2020

IMPORTANT: This feature requires ADF 2.5 or above and CommonSpot 10.6.1 or 10.5.2 or above.

ADF AjaxProxy CSRF Safe Mode

The CommonSpot 10.6.1, 10.5.2 and the ADF 2.5 releases have added enhanced security to mitigate "Cross-Site Request Forgery" (CSRF) vulnerabilities.

ADF 2.5's security enhancement, "ajaxProxy CSRF Safe Mode" has been disabled by default and must be manually enabled to take advantage of this feature. This allows developers an opportunity to update their ADF and ADF App ajaxProxy related customizations, before enabling the CSRF attack prevention validation when using the ADF's AjaxProxy.

Enable the CSRF Safe Mode for local ajaxProxy requests

If your site is only using out of the box ADF and ADF Applications then you should enable the "ajaxProxy CSRF Safe Mode" immediately.

How to Enable CSRF Safe Mode

  • In your ADF.cfc in the /_cs_apps/ folder in your site root, add the following line:
enableADFcsrfSafeMode(true);
  • For new ADF installs, update the "enableADFcsrfSafeMode" line found in your site's '/_cs_apps/ADF.cfc' file, from "false" to "true" (see above).
WARNING: Enabling the "CSRF Safe Mode" without using the ADF 2.5 ready Apps or updating your custom ajaxProxy local requests will limit functionality!

Update Custom Local AjaxProxy Requests

If your site has custom code which uses the ADF's ajaxProxy for local requests, before you can enable "ajaxProxy CSRF Safe Mode" using the steps above, you will need to add the CSRF_Token parameter to your method call. Adding this extra parameter to the request will get the CSRF_token session token which is known by the server.

When the "ajaxProxy CSRF Safe Mode" is enabled, the CSRF token key/value pair is required when making local AjaxProxy requests along with your other request parameters either as a Data or URL parameter, otherwise your ajaxProxy requests will not validate and fail.

CSRF_Token as a Data parameter (using jQuery.post):

<cfset csrfToken = application.ADF.csSecurity.getCSRF_Token()>

<cfoutput>
<script>
jQuery.post("#application.ADF.ajaxProxy#",
{ 	
  bean: 'dataService',
  method: 'getData',
  CSRF_Token: '#TRIM(csrfToken)#'
}
...
</cfoutput>

CSRF_Token as a URL parameter (using jQuery.get):

<cfset csrfToken = application.ADF.csSecurity.getCSRF_Token()>

<cfoutput>
jQuery.get("#application.ADF.ajaxProxy#?bean=dataService&method=getData&CSRF_Token=#TRIM(csrfToken)#")
</cfoutput>
Note: Due to a CFML output issue which adds additional spaces to the value when calling a method directly in a JavaScript block, it is best to set a local variable when calling the method and then reference the local variable in your JavaScript.