This article is based on the ServiceNow support article. See the original article on the ServiceNow support site: ServiceNow HI: Anti-CSRF Token.
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
This property makes the instance bind a secure token to each authenticated session and validate that token on every incoming write request. An attacker's page can make the victim's browser send a request, but it cannot read the token, so a forged request arrives without a valid token and is rejected.
The following properties can be enabled for additional control over CSRF token handling:
- glide.security.csrf_previous.time_limit
- glide.security.csrf_previous.allow
- glide.security.csrf.strict.validation.mode
| Anti-CSRF Token | |
|---|---|
| Property Name | glide.security.use_csrf_token |
| Configuration Type | System Properties (/sys_properties_list.do) |
| Purpose | Protect the instance from CSRF attacks. |
| Requirement | Mandatory |
| Recommended Value | true |
| Default Behavior | true |
| Revertible Behavior | N/A |
| Role Required | security_admin |
| Release Version | Spring 2010 |
| Functional Impact | Low. Enabling this property adds a validation step before the instance accepts a write request: every write request must carry a CSRF token (a validation ID tied to the user's session), and when the session expires the token expires with it. |
| Security Risk | High. CSRF violates the integrity of instance data. An attacker abuses the application's trust in an authenticated user: with social engineering (a crafted link or page), the attacker causes the user's browser to submit a state-changing request on the attacker's behalf. |
| Workaround | None. |
| References | OWASP, Cross-Site Request Forgery (CSRF): https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) ; OWASP, CSRF Prevention Cheat Sheet, Synchronizer Tokens: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Synchronizer_.28CSRF.29_Tokens |
How to configure #
- Navigate to /sys_properties_list.do.
- Search for the property by name: glide.security.use_csrf_token.
- Set the Value field to true (the recommended value, as shown in the screenshot in the original article) and click Update.
- Confirm in the list that the Value column for glide.security.use_csrf_token now reads true.