Introduction

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious website, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is authenticated. For example, this attack could transfer funds, change a password, or purchase an item in the user’s context.

CSRF tokens and the same origin policy are two different ways to prevent CSRF attacks in ZIETrans. Users can select either of these, or both, depending on the requirement.

A CSRF token is a unique, unpredictable secret value generated by a server-side application and sent to the client for inclusion in subsequent HTTP requests issued by the client. Once the token is issued, the server checks if the request from the client contains the expected token. If the token is missing or invalid, the request gets rejected.

With the same origin policy enabled, the filter discards any request that originates from a URL with no protocol or from an unauthorized origin/website.

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim’s web browser by including malicious code in a legitimate web page or web application. Users can avoid this attack in ZIETrans by setting a few XSS security parameters in the ZIETrans project.

In this blog, we will look at how to protect against CSRF and XSS in ZIETrans.

Steps to enable CSRF protection in ZIETrans

  1. Open the ZIETrans toolkit.
  2. Go to Project settings > Other tab > Client settings.
  3. Select “Enable same origin policy protection” or “Enable token based protection” based on the requirement.

Figure 1: Enable same origin policy and token based protection

  4. Save the changes.
  5. Go to the Navigator tab > Web Content folder > WEB-INF folder and open the web.xml file.

Search for the filter named “HatsCSRFValidationFilter”. The “target.origin” and “source.origin” parameters should be updated to your ZIETrans URL as shown below. By default, they are blank.

<filter>
    <description>This filter will invoke to validate csrf attack</description>
    <display-name>HatsCSRFValidationFilter</display-name>
    <filter-name>HatsCSRFValidationFilter</filter-name>
    <filter-class>com.ibm.hats.runtime.filters.HatsCSRFValidationFilter</filter-class>
    <async-supported>false</async-supported>
    <init-param>
        <param-name>source.origin</param-name>
        <param-value>https://localhost:9083/ZIETrans/</param-value>
    </init-param>
    <init-param>
        <param-name>target.origin</param-name>
        <param-value>https://localhost:9083/ZIETrans/</param-value>
    </init-param>
</filter>

Multiple URLs can be provided in the param-value by separating them with commas, as below:

<param-value>https://localhost:9083/ZIETrans/, https://zietransapp.com/</param-value>
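As an added example (not part of this blog and not the ZIETrans filter's own code), the following Python models the origin check that the configuration above implies: it reads source.origin from a constructed web.xml fragment, canonicalises each listed URL to scheme://host[:port], and accepts a request only when its Origin (or Referer) header resolves to one of those origins. The web.xml fragment and the request headers are constructed sample data, and how HatsCSRFValidationFilter actually compares origins is an assumption here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed web.xml fragment mirroring the filter definition above
# (sample values, not taken from a real deployment).
WEB_XML = """<web-app>
  <filter>
    <filter-name>HatsCSRFValidationFilter</filter-name>
    <filter-class>com.ibm.hats.runtime.filters.HatsCSRFValidationFilter</filter-class>
    <init-param>
      <param-name>source.origin</param-name>
      <param-value>https://localhost:9083/ZIETrans/, https://zietransapp.com/</param-value>
    </init-param>
  </filter>
</web-app>"""


def canonical_origin(url):
    """Reduce a URL to lower-cased scheme://host[:port]; None if it has no
    scheme or host (covers a bare 'localhost:9083/...' or an Origin of 'null')."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        return None
    origin = f"{parts.scheme.lower()}://{parts.hostname}"
    if parts.port is not None:
        origin += f":{parts.port}"
    return origin


def allowed_origins(web_xml):
    """Collect the origins listed in the comma-separated source.origin value."""
    origins = set()
    for param in ET.fromstring(web_xml).iter("init-param"):
        if param.findtext("param-name") == "source.origin":
            for url in param.findtext("param-value", "").split(","):
                origin = canonical_origin(url) if url.strip() else None
                if origin:
                    origins.add(origin)
    return origins


def request_allowed(headers, origins):
    """Assumed model of the filter's check: the browser-supplied Origin (or,
    failing that, Referer) must canonicalise to a configured origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # no origin information at all: reject
    origin = canonical_origin(source)
    return origin is not None and origin in origins
```

Note that the scheme is part of the comparison, so an http:// request against an https:// entry is rejected even when host and port match.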

Steps to enable XSS protection in ZIETrans

Open the web.xml file of ZIETrans and update the parameters below from NO to YES. By default, these parameters are set to NO.

<init-param>
    <param-name>Content-Security-Policy</param-name>
    <param-value>YES</param-value>
</init-param>
<init-param>
    <param-name>X-XSS-Protection</param-name>
    <param-value>YES</param-value>
</init-param>
<init-param>
    <param-name>X-Content-Type-Options</param-name>
    <param-value>YES</param-value>
</init-param>
