CSRF Vulnerability

Yellowfin FAQ shared this problem 2 years ago
Resolved

My security team has stated there's a Cross Site Request Forgery vulnerability in Yellowfin!

Also see our post on the CSRF Referer Validation here.

Best Answer

This can be mitigated by enabling our CSRF Filter in Yellowfin.

To implement this in Yellowfin, simply edit your <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml file and add the following code within the webapp block.

  <filter>
    <filter-name>CSRFFilter</filter-name>
    <filter-class>com.hof.servlet.CSRFFilter</filter-class>
    <init-param>
      <param-name>AllowedEntry</param-name>
      <param-value>/info.jsp, /info_threads.jsp</param-value>
    </init-param>
    <init-param>
      <param-name>Ignore</param-name>
      <param-value>/info.jsp, /info_threads.jsp</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CSRFFilter</filter-name>
    <url-pattern>*.i4</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CSRFFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>

This uses a session-based token, or nonce, that is appended to requests. If a request to the server doesn't match this nonce, the request is denied.
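As an added illustration (not Yellowfin's code and not the real com.hof.servlet.CSRFFilter), here is a Python model of the check the answer describes: the server issues one nonce per session, requests on the configured *.i4 and *.jsp patterns are denied unless they carry it, and the paths listed in the init-params are exempt. It assumes the token travels as a request parameter named csrf_token and treats AllowedEntry and Ignore as a single exemption set; both are assumptions, and the request paths below are constructed.

```python
import fnmatch
import hmac
import secrets

# Values taken from the web.xml fragment above.
URL_PATTERNS = ("*.i4", "*.jsp")                   # the two <filter-mapping> url-patterns
EXEMPT_PATHS = {"/info.jsp", "/info_threads.jsp"}  # AllowedEntry / Ignore (assumed: both exempt)

DENIED, ALLOWED, SKIPPED = "denied", "allowed", "not filtered"
TOKEN_PARAM = "csrf_token"  # assumed parameter name, not Yellowfin's


def issue_token(session: dict) -> str:
    """Create (or reuse) the per-session nonce the server embeds in its own pages."""
    if TOKEN_PARAM not in session:
        session[TOKEN_PARAM] = secrets.token_urlsafe(32)
    return session[TOKEN_PARAM]


def csrf_filter(session: dict, path: str, params: dict) -> str:
    """Decide what a synchronizer-token filter does with one incoming request."""
    # Only paths matched by a configured url-pattern are inspected at all
    # (fnmatch stands in for the servlet container's extension mapping).
    if not any(fnmatch.fnmatch(path, pattern) for pattern in URL_PATTERNS):
        return SKIPPED
    # Listed entry points need no token, so a fresh browser can still reach them.
    if path in EXEMPT_PATHS:
        return ALLOWED
    expected = session.get(TOKEN_PARAM)
    supplied = params.get(TOKEN_PARAM)
    # No nonce in the session or none supplied with the request: deny.
    if expected is None or supplied is None:
        return DENIED
    # Constant-time comparison so the check itself leaks nothing about the nonce.
    if hmac.compare_digest(expected.encode(), supplied.encode()):
        return ALLOWED
    return DENIED


def demo() -> dict:
    """Run a few constructed requests through the filter and return the verdicts."""
    session = {}
    results = {"before_token": csrf_filter(session, "/example.i4", {})}
    token = issue_token(session)
    results["with_token"] = csrf_filter(session, "/example.i4", {TOKEN_PARAM: token})
    results["wrong_token"] = csrf_filter(session, "/example.i4", {TOKEN_PARAM: "forged"})
    results["exempt_entry"] = csrf_filter(session, "/info.jsp", {})
    results["unmapped"] = csrf_filter(session, "/static/logo.png", {})
    return results
```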
