10

A third party security review is suggesting I need to add CSRF prevention to my javascript remoting calls. I'm not sure what is the best way to proceed. Switching to an apex:form to utilize built in CSRF prevention is not an option for me.

I am aware that the element input#com.salesforce.visualforce.ViewStateCSRF contains an anti-CSRF token, but if I pass it into my remoting calls, what would I have to compare it to server-side?

Would it be insecure if I rolled my own anti-CSRF token by generating a random string in my page's constructor and injecting it into my remoting calls?

Phil Rymek
  • 6,159
  • 1
  • 33
  • 41

2 Answers2

6

Javascript remoting actually contains system-managed CSRF protection built in. If you actually inspect the data going over the wire for a remoting call you see a "ctx" is passed that contains information like the Id of the visualforce page you're on and a csrf token. The server automatically validates these and remoting calls with invalid tokens are rejected.

I just tested this by corrupting the csrf token on an otherwise valid remoting call and response from the server was:

[
  {
    "type": "exception",
    "tid": 7,
    "ref": false,
    "action": "MyController",
    "method": "doStuff",
    "message": "Remoting request invalid for your session.  Refresh page and re-submit request",
    "where": "",
    "data": [
      "a0pd0000002gHjlAAE"
    ],
    "vfTx": true,
    "vfDbg": true
  }
]

With that said I don't think there's anything further you need to do in order to have csrf protection.

ca_peterson
  • 22,983
  • 7
  • 69
  • 123
  • Unfortunately I have figured out how to reproduce the exploit and can successfully perform CSRF attacks against remote actions but i'm not sure it would be correct for me to post the exploit here. Having said that, as you pointed out there is CSRF protection in place it just seems to be bugged so I will log a case with salesforce. – Phil Rymek May 13 '13 at 22:33
  • 2
    Do that, and then email the case number to security@salesforce.com. Their security guys are hardcore and will jump on any serious threats. – ca_peterson May 14 '13 at 02:59
  • Strangely I'm encountering this error in my JS Remoting calls, but I'm not even modifying the cix token. Full code details are here - http://salesforce.stackexchange.com/questions/45819/why-am-i-receiving-this-error-cannot-read-property-tid-of-undefined-when-usi ... – VarunC Aug 02 '14 at 17:25
4

I logged a case for this as I was able to perform CSRF hacks against methods annotated with @RemoteAction and the response is:

This is not enabled by default. You have to contact salesforce to get CSRF protection for Remote Actions turned on.

Phil Rymek
  • 6,159
  • 1
  • 33
  • 41
  • 6
    Summer 13 release notes : There are new settings for protection against Cross Site Request Forgery (CSRF) attacks with GET and POST requests. When set, a random string is included as a hidden form in each page or as URL parameters. Then with each request, the application checks the string for validity and doesn’t execute the command if the check fails. From Setup, click Security Controls > Session Settings to select Enable CSRF protection on GET/POST requests on non-setup pages. – Doug B May 15 '13 at 22:04