Prevent Users From Accepting Warning To Bypass CSRF Validation [Updated in Security Center 1.3 and 1.5]
Summary of Prevent Users From Accepting Warning To Bypass CSRF Validation
This feature enhances security in ServiceNow instances by enforcing strict Cross-Site Request Forgery (CSRF) token validation. It prevents users from bypassing warnings that normally allow resubmission of potentially malicious POST requests with mismatched CSRF tokens. The relevant system property glide.security.csrf.strict.validation.mode controls this behavior.
Key Features
- Strict CSRF Token Validation: When glide.security.csrf.strict.validation.mode is set to true (the recommended and default setting), the instance blocks resubmission of POST requests if the CSRF token does not match the current session token.
- Prevention of Bypass: Without strict mode enabled, users can click a "Continue" button on a warning page (security_interceptor.do) to resend a request with a valid token tied to another active session, which can be exploited by attackers.
- Protection Against CSRF Attacks: This setting mitigates the risk of attackers performing unauthorized operations by leveraging leaked anti-CSRF tokens from other active sessions of the same user.
Practical Impact for ServiceNow Customers
- Enabling strict CSRF validation strengthens instance security by ensuring that POST requests are only accepted if the CSRF token matches the user’s current session.
- This reduces the risk of successful CSRF attacks, which can compromise instance data integrity and allow attackers to perform actions on behalf of users.
- Enforcement occurs transparently to users, preventing re-submission of unsafe requests without additional user action or warnings that might be bypassed.
Configuration Details
- Property Name: glide.security.csrf.strict.validation.mode
- Data Type: Boolean
- Recommended and Default Value: true
- Configuration Location: System Properties (/sys_properties_list.do)
- Purpose: Enforce strict validation and prevent reuse of CSRF tokens tied to other sessions.
Security Considerations
Cross-Site Request Forgery is a medium-risk security threat that can compromise instance data integrity by tricking users into submitting malicious requests. Enabling strict CSRF validation minimizes this threat by blocking reuse of tokens from other sessions and disallowing potentially harmful request resubmissions.
Use the glide.security.csrf.strict.validation.mode property to enable CSRF token strict validation. If the CSRF token doesn't match, it prevents resubmission of the request.
This property prevents users from accepting a warning that allows a potentially malicious request to be sent to the instance. This warning appears when a POST request fails because its anti-CSRF token is mismatched, belonging to one of the victim's other active sessions. If glide.security.csrf.strict.validation.mode is not set to the recommended value of true, then an attacker can formulate a CSRF attack utilizing a leaked anti-CSRF token from a different active session belonging to the victim. A POST request to an instance contains an anti-CSRF token within "sysparm_ck" or "X-UserToken" which matches the user's current session.
If the anti-CSRF token is instead tied to one of the user's other active sessions, and this property is set to false, the POST request returns a 302 redirection to security_interceptor.do with a Continue button available to the user. Clicking this button re-submits the request to the instance, except that it now carries a valid anti-CSRF token. When this property is set to true, the 302 redirection to the security_interceptor.do page does not display a Continue button and the user is not allowed to resubmit the request. A successful CSRF attack allows an attacker to effectively perform any operation that the victim is able to perform.
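The following is an added illustration, not ServiceNow code: a small model of the decision the interceptor makes for a POST whose sysparm_ck / X-UserToken value is bound to a session, with the property set to false beside the property set to true. The session store, user names and token values are constructed; treating a token that belongs to a different user as an outright rejection is an assumption, since the page only describes the same-user case.

```python
"""Model of the anti-CSRF check described above (added example, not ServiceNow code).

Assumption: each active session carries the user it belongs to and its
anti-CSRF token. Outcomes are plain strings; the real instance answers a
mismatch with a 302 to security_interceptor.do.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    token: str


# Constructed sample data: alice has two concurrent sessions, bob has one.
SESSIONS = {
    "sess-A": Session(user="alice", token="tokA"),
    "sess-B": Session(user="alice", token="tokB"),
    "sess-C": Session(user="bob", token="tokC"),
}


def check_post(session_id: str, token: str, strict: bool) -> str:
    """Outcome of a POST from session_id carrying the given anti-CSRF token.

    'accept'               token matches the current session
    'redirect+continue'    token belongs to another active session of the same
                           user and strict mode is off: the interceptor page
                           offers a Continue button that resubmits the request
    'redirect-no-continue' same mismatch with strict mode on: no resubmission
    'reject'               token unknown or owned by another user (assumption)
    """
    current = SESSIONS[session_id]
    if token == current.token:
        return "accept"
    # Is the token one of the same user's other active sessions?
    same_user_other = any(
        s.user == current.user and s.token == token
        for sid, s in SESSIONS.items() if sid != session_id
    )
    if not same_user_other:
        return "reject"
    return "redirect-no-continue" if strict else "redirect+continue"


def resubmission_possible(session_id: str, token: str, strict: bool) -> bool:
    """True when a user could click Continue and have the request go through."""
    return check_post(session_id, token, strict) == "redirect+continue"
```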
More information
| Attribute | Description |
|---|---|
| Property name | glide.security.csrf.strict.validation.mode |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Access control |
| Purpose | To enforce strict validation of the CSRF token and prevent its reuse. |
| Data type | boolean |
| Recommended value | true |
| Default value | true |
| Security risk rating | 3.7 |
| Functional impact | This remediation enables an extra validation step before the instance user submits a write request to the instance. It checks whether the current CSRF token has been used previously. If so, it prevents submission of further write requests. |
| Security risk | (Medium) Cross site Request Forgery is a significant security risk that violates the integrity of the instance data. An attacker can launch the CSRF attack on any instance user by abusing the trust of the instance user. With the help of social engineering attacks, a user can submit a malformed request to the instance on behalf of the attacker. |