
How to configure Apache Sling Referrer filter to mitigate the CSRF attack in AEM 6.0

hardik11071994

27-08-2018

Hi Team,

We are using AEM 6.0; we are quite aware that it is at end of support soon. We are on our way to migrate to AEM 6.3, but at this moment one urgent task for me is to resolve the vulnerability that we have on the site. Apart from the scenario discussed below, if you have any other way to mitigate CSRF for AEM 6.0 then please let us know; we are ready to implement it, e.g. any GitHub project which provides token functionality.

We need your help to configure the referrer filter properly, in such a way that it prevents CSRF attacks.

Currently its OOTB configuration is present for the filter. We need to add allowed hosts, which is currently blank.

Request filter checking the referrer of modification requests.

  • Allow Empty: Allow an empty or missing referrer (allow.empty)
  • Allow Hosts: List of allowed hosts for the referrer which are added to the list of default hosts. (allow.hosts)
  • Allow Regexp Host: List of allowed regexp for the referrer. (allow.hosts.regexp)
  • Filter Methods: These methods are filtered by the filter. (filter.methods)

To prevent CSRF, what entries should I add in Allow Hosts? Do I need to add the web servers? We have two publish servers that communicate with two web servers. Please help us here. I am quite confused about what needs to be added to properly prevent these attacks. Thank you in advance.

Replies

Arun_Patidar

MVP

27-08-2018

hardik11071994

29-08-2018

Hi Arun,

We are looking for a solution for AEM 6.0 SP3. Do you have a solution for that? As I mentioned above, will white-listing the servers resolve CSRF?

Arun_Patidar

MVP

29-08-2018

In the above config, you need to add a referrer if you are allowing requests to your site other than type GET from another domain/host, e.g. posting form data from another site to your site; otherwise it is OK to keep it blank.

Please check if this helps:

https://docs.adobe.com/docs/en/aem/6-1/develop/security/csrf-protection.html

More info

Referrer-header configurations:

In order to allow the trusted servers, AEM has a referrer filter that can be configured.
In the config manager, we have a configuration called "Apache Sling Referrer Filter". This has the below configs:

  • which http methods should be filtered
  • whether an empty referrer header is allowed
  • a white list of servers to be allowed in addition to the server host.

In addition to these, one can implement cross-origin resource sharing by using JSONP calls / manipulating Access-Control-Allow-Origin in the request header.

Until AEM 6.2, the official release allows only authenticated POST calls from external sources.

AEM 6.3 has introduced a Cross-Origin Resource Sharing configuration that allows authenticated and unauthenticated client-side calls. This has configuration for allowed methods (POST, GET, DELETE, etc.).

The config manager has a configuration named "Adobe Granite Cross Origin Resource Sharing Policy". This is explained here.

hardik11071994
29-08-2018

Hi Arun,

Thank you for your quick response.

So the application servers are communicating with the web servers, so I need to enter all those http/https entries for the web servers in the referrer filter's Allow Hosts field, right?

Arun_Patidar

MVP

29-08-2018

hardik11071994
30-08-2018

Hi Arun,

The image is not opening for me; it might be due to security reasons. Can you paste the screenshot directly here please? Thank you in advance.

Arun_Patidar

MVP

30-08-2018

[image: aem-osgi-referrer-filter-configuration.png]

hardik11071994
30-08-2018

Hi Arun,

Thank you for the help.

So basically in Allowed Hosts, do I need to enter only domainname.com?

No need to add the web server entries in the format http/https://host:port, with which the application servers are communicating?

Arun_Patidar

MVP

30-08-2018

Hi,

You need to give the hostname only (without protocol and port). I think this service uses the getRemoteHost (ServletRequest, Servlet API Documentation) method to filter incoming requests.
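To make the "hostname only" point concrete, here is an added example that is not part of the original thread and not Sling's own source: a Python model of the decision the Apache Sling Referrer Filter makes, driven by a constructed .config fragment with the four settings discussed above (filter.methods, allow.empty, allow.hosts, allow.hosts.regexp). The hostnames are placeholders; the fixed default-host set and the treatment of a relative Referer are modeling assumptions, marked in the comments. It shows why an entry written as `https://host:443` in Allow Hosts never matches, and what happens to a cross-site POST, a missing Referer and a relative Referer.

```python
"""
Model of the Apache Sling Referrer Filter decision (added example, not the
filter's source).  Only the methods in filter.methods are checked; a missing
Referer is accepted only when allow.empty is set; an absolute Referer is
accepted when its bare hostname is the request's own host, one of
allow.hosts, or matches one of allow.hosts.regexp.
"""
import re
from urllib.parse import urlsplit

# Constructed config in the Sling/Felix ".config" file syntax; the file name
# is the filter's PID, org.apache.sling.security.impl.ReferrerFilter.config.
# The regexp entry uses [.] instead of \. so no escaping is needed.
SAMPLE_CONFIG = '''
allow.empty=B"false"
allow.hosts=["www.example.com","example.com"]
allow.hosts.regexp=["^[a-z0-9-]+[.]example[.]net$"]
filter.methods=["POST","PUT","DELETE"]
'''


def parse_sling_config(text):
    """Parse the subset of .config syntax used above:
    key="str", key=B"true|false", key=["a","b"]."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith("["):
            cfg[key] = re.findall(r'"([^"]*)"', value)
        elif value.startswith('B"'):
            cfg[key] = value[2:-1].lower() == "true"
        else:
            cfg[key] = value.strip('"')
    return cfg


def referrer_allowed(cfg, method, host_header, referer):
    """Return (allowed, reason) for one request.

    host_header is the request's Host header; referer is the Referer header
    or None when absent.  Comparison is on the bare hostname only, so an
    allow.hosts entry written as "https://host:443" can never match.
    """
    methods = {m.upper() for m in cfg.get("filter.methods", [])}
    if method.upper() not in methods:
        return True, "method not filtered"
    if not referer:
        return bool(cfg.get("allow.empty", False)), "no Referer header"
    if "://" not in referer:
        # Modeling assumption: a relative Referer is treated as same-origin.
        return True, "relative Referer"
    ref_host = (urlsplit(referer).hostname or "").lower()
    own_host = host_header.split(":", 1)[0].lower()
    # Own host plus an assumed default set; allow.hosts is added on top.
    allowed = {own_host, "localhost", "127.0.0.1"}
    allowed.update(h.lower() for h in cfg.get("allow.hosts", []))
    if ref_host in allowed:
        return True, f"{ref_host} is an allowed host"
    for pattern in cfg.get("allow.hosts.regexp", []):
        if re.fullmatch(pattern, ref_host):
            return True, f"{ref_host} matches {pattern}"
    return False, f"{ref_host!r} is not an allowed referrer host"


# Constructed requests: (method, Host header, Referer header)
SAMPLE_REQUESTS = [
    ("GET",  "www.example.com", "https://evil.example.org/page"),   # not filtered
    ("POST", "www.example.com", "https://www.example.com/form"),    # own host
    ("POST", "www.example.com", "https://example.com/form"),        # allow.hosts
    ("POST", "www.example.com", "https://shop.example.net/cart"),   # regexp
    ("POST", "www.example.com", "https://evil.example.org/csrf"),   # cross-site
    ("POST", "www.example.com", None),                              # allow.empty=false
    ("POST", "www.example.com", "/relative/path"),                  # relative
]


def evaluate(cfg=None, requests=SAMPLE_REQUESTS):
    """Run every sample request through the model; returns a list of booleans."""
    cfg = cfg or parse_sling_config(SAMPLE_CONFIG)
    return [referrer_allowed(cfg, m, h, r)[0] for m, h, r in requests]


if __name__ == "__main__":
    cfg = parse_sling_config(SAMPLE_CONFIG)
    for method, host, referer in SAMPLE_REQUESTS:
        ok, why = referrer_allowed(cfg, method, host, referer)
        print(f"{method:<5} Referer={str(referer):<32} {'ALLOW' if ok else 'DENY'} ({why})")
```

Running it shows the GET pass untouched, the same-host, allow.hosts and regexp referrers pass, and the cross-site POST and the POST with no Referer are rejected. Note the last point for the OP's setup: the web servers in front of publish do not need to be listed unless browsers actually load pages from their hostnames, and if they are listed it has to be as bare hostnames.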