CSRF Vulnerability

Yellowfin FAQ shared this problem 20 months ago
Resolved

My security team has stated there's a Cross Site Request Forgery vulnerability in Yellowfin!

Best Answer

This can be mitigated by enabling our CSRF Filter in Yellowfin.

To implement this in Yellowfin, simply edit your <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml file and add the following code within the webapp block.


  <!-- CSRF filter shipped with Yellowfin -->
  <filter>
    <filter-name>CSRFFilter</filter-name>
    <filter-class>com.hof.servlet.CSRFFilter</filter-class>
    <init-param>
      <param-name>AllowedEntry</param-name>
      <param-value>/info.jsp, /info_threads.jsp</param-value>
    </init-param>
    <init-param>
      <param-name>Ignore</param-name>
      <param-value>/info.jsp, /info_threads.jsp</param-value>
    </init-param>
  </filter>
  <!-- Apply the filter to Yellowfin's .i4 actions and to .jsp pages -->
  <filter-mapping>
    <filter-name>CSRFFilter</filter-name>
    <url-pattern>*.i4</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CSRFFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
This uses a session-based token, or nonce, that is appended to requests. If a request to the server doesn't match this nonce, the request is denied.
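The following is an added example, not Yellowfin's own com.hof.servlet.CSRFFilter, that models in Python what the answer describes: a nonce generated once per session, a servlet-style url-pattern mapping (*.i4, *.jsp), an Ignore list of exempt paths, and denial of any mapped request whose token does not match. The parameter name csrf_token, the session key csrf_nonce, and the request paths are assumptions constructed for the example; the AllowedEntry parameter is not modelled because the page does not describe its semantics.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Names below are assumptions for this model, not Yellowfin identifiers.
TOKEN_PARAM = "csrf_token"    # request parameter carrying the nonce
SESSION_KEY = "csrf_nonce"    # where the per-session nonce is stored


@dataclass
class Request:
    """Constructed stand-in for an HTTP request seen by a servlet filter."""
    path: str
    params: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


class CsrfFilter:
    """Synchronizer-token check modelled on the web.xml settings above."""

    def __init__(self, url_patterns, ignore):
        self.url_patterns = list(url_patterns)          # e.g. ["*.i4", "*.jsp"]
        self.ignore = {p.strip() for p in ignore}       # e.g. {"/info.jsp", ...}

    def mapped(self, path):
        """Servlet-style matching: '*.ext' is a suffix match, anything else exact."""
        for pattern in self.url_patterns:
            if pattern.startswith("*.") and path.endswith(pattern[1:]):
                return True
            if pattern == path:
                return True
        return False

    @staticmethod
    def issue_token(session):
        """Create the per-session nonce once; the app embeds it in forms and links."""
        if SESSION_KEY not in session:
            session[SESSION_KEY] = secrets.token_urlsafe(32)
        return session[SESSION_KEY]

    def check(self, request):
        """Return (allowed, reason). Every mapped request must carry the session nonce."""
        if not self.mapped(request.path):
            return True, "not mapped"
        if request.path in self.ignore:
            return True, "ignored"
        expected = request.session.get(SESSION_KEY)
        supplied = request.params.get(TOKEN_PARAM)
        if expected is None or supplied is None:
            return False, "missing token"
        # Constant-time comparison so a mismatch leaks nothing about the nonce.
        if not hmac.compare_digest(expected, supplied):
            return False, "token mismatch"
        return True, "ok"


def demo():
    """Run the cases a defender wants to see; returns each verdict."""
    f = CsrfFilter(url_patterns=["*.i4", "*.jsp"],
                   ignore=["/info.jsp", "/info_threads.jsp"])
    session = {}
    token = f.issue_token(session)   # the token a legitimate page would embed
    return {
        "legit": f.check(Request("/report.i4", {TOKEN_PARAM: token}, session)),
        "forged": f.check(Request("/report.i4", {TOKEN_PARAM: "guess"}, session)),
        "no_token": f.check(Request("/report.i4", {}, session)),
        "ignored": f.check(Request("/info.jsp", {}, session)),
        "unmapped": f.check(Request("/js/app.js", {}, session)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

The point of the model is the failure mode the answer describes: a cross-site page can make the victim's browser send a request with the session cookie, but it cannot read the per-session nonce, so the forged and missing-token cases are denied while the legitimate request passes. Paths listed under Ignore are skipped entirely, so anything you add there (as the answer does for /info.jsp and /info_threads.jsp) should be limited to pages that perform no state change.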
