CSRF vulnerability:


Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other. Such an action might be changing the email address on the victim's account, changing their password, or making a funds transfer. Depending on the nature of the action, the attacker might be able to take full control of all the application's data and functionality.


Solution:


The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests.

To prevent this in Smarten, the security request matcher has to be set in the application's security configuration file.

In the security-config.xml file (/smarten/WEB-INF/security-config.xml), the line below has to be uncommented or added:

<csrf request-matcher-ref="csrfSecurityRequestMatcher"/>

Once this is set, a CSRF token is appended to every request in Smarten and strictly validated at the server. All HTTP requests are intercepted, and if the token does not match, the request is treated as a forbidden request and is not processed further (as shown below).
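To make the intercept-and-compare step concrete, here is an added stand-alone Python sketch of the synchronizer token check that such a filter performs; it is not Smarten's or Spring Security's code. The header name X-CSRF-TOKEN and form field _csrf follow Spring Security's defaults, and the Request and Session classes are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Methods that do not change state. As with Spring Security's default
# request matcher, no CSRF token is demanded for these.
SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


@dataclass
class Session:
    """Constructed stand-in for the server-side session holding the token."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def requires_csrf_check(request: Request) -> bool:
    """Request matcher: every state-changing request must carry the token."""
    return request.method.upper() not in SAFE_METHODS


def submitted_token(request: Request) -> Optional[str]:
    """The token may arrive in the X-CSRF-TOKEN header or the _csrf form field."""
    return request.headers.get("X-CSRF-TOKEN") or request.params.get("_csrf")


def csrf_filter(session: Session, request: Request) -> int:
    """Return 200 when the request may proceed, 403 when it is forbidden."""
    if not requires_csrf_check(request):
        return 200
    token = submitted_token(request)
    if token is None:
        return 403  # state-changing request without any token
    # Constant-time comparison so the check cannot leak the token byte by byte.
    if not hmac.compare_digest(token, session.csrf_token):
        return 403  # token present but does not match this session
    return 200
```

A forged cross-site request can carry the victim's session cookie but not the per-session token, so it fails at the second or third check with 403.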


Figure: CSRF security message