Usage Note 68162: Preventing Cross-Site Request Forgery (CSRF) attacks for SAS® Comments Manager and other shared applications
This note contains special instructions for SAS Comments Manager regarding Cross-Site Request Forgery (CSRF) token checking.
CSRF is a type of attack on web applications in which a malicious actor causes a request to be submitted to a vulnerable application on behalf of an authenticated user. Typically, you log on to the vulnerable application and are then tricked into clicking a link or submitting a form that the attacker controls. Because the browser attaches your session cookies to the forged request, the request appears to the application to be a valid request from you.
See the OWASP Cross Site Request Forgery (CSRF) page for more information about how CSRF attacks work.
You can configure SAS Comments Manager to prevent this type of attack by enforcing synchronizer token checking in SAS® Management Console.
To enable CSRF token checking:
- Log on to SAS Management Console.
- On the Plug-ins tab, select Application Management ► Configuration Manager ► SAS Application Infrastructure.
- Right-click Shared Applications 9.4 and select Properties.
- Click the Advanced tab.
- Add the following properties:
- sas.web.csrf.token.performCheck=true
- sas.web.csrf.token.allowedMethods=GET,HEAD,TRACE,OPTIONS
Note: Requests that use one of the methods listed in sas.web.csrf.token.allowedMethods are exempt from the token check. List only methods that do not change application state; any state-changing request must use a method that is not in this list so that the token is enforced.
- Click OK to close the SAS Application Infrastructure Properties window.
- Stop the middle tier, using the method that is appropriate for your operating system:
- Microsoft Windows operating environments:
Using the Services Snap-in, right-click on each of the SAS services in the list (in the order in which they are listed), and click Stop:
- SAS Environment Manager agent
- SAS Environment Manager
- SAS Web Application Server: SASServer2_1
- SAS Web Application Server: SASServer12_1
- SAS Web Application Server: SASServer1_1
- SAS Web Server
- SAS Cache Locator Service: ins_41415
- SAS JMS Broker
Note: The list of services that you see, and need to stop, depends on which managed web application servers are installed in your environment.
- UNIX operating environments:
Run SAS-configuration-directory/sas.servers stop.
- Start the middle tier, using the method that is appropriate for your operating system. Start the services in the reverse of the order in which you stopped them:
- Microsoft Windows operating environments:
Using the Services Snap-in, right-click on each of the SAS services in the list (in the order in which they are listed), and click Start:
- SAS JMS Broker
- SAS Cache Locator Service: ins_41415
- SAS Web Server
- SAS Web Application Server: SASServer1_1
- SAS Web Application Server: SASServer12_1
- SAS Web Application Server: SASServer2_1
- SAS Environment Manager
- SAS Environment Manager Agent
Note: The list of services that you see, and need to start, depends on which managed web application servers are installed in your environment.
- UNIX operating environments:
Run SAS-configuration-directory/sas.servers start.
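The following Python model is an added illustration of what the two properties mean; it is not SAS code and not the SAS Web Infrastructure Platform's own filter. It parses a property block written exactly as above, mints one synchronizer token per session, skips the check for any method in allowedMethods, and requires a token that matches the session's token for everything else. The parameter name `_csrf`, the header name `X-CSRF-Token`, and all class and function names are assumptions made for the example.

```python
"""Synchronizer-token check modelled on sas.web.csrf.token.performCheck
and sas.web.csrf.token.allowedMethods. Added example, not SAS code."""
import hmac
import secrets
from dataclasses import dataclass, field

# Property block as it would be pasted into the Advanced tab (constructed).
PROPERTIES_TEXT = """
# CSRF settings for Shared Applications 9.4
sas.web.csrf.token.performCheck=true
sas.web.csrf.token.allowedMethods=GET,HEAD,TRACE,OPTIONS
"""


def parse_properties(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


@dataclass
class Session:
    """Server-side session. The token is minted once per session, which is
    the 'synchronizer token' pattern the note refers to."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    session: Session
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class CsrfFilter:
    TOKEN_PARAM = "_csrf"           # assumed form-field name
    TOKEN_HEADER = "X-CSRF-Token"   # assumed header name

    def __init__(self, props: dict):
        check = props.get("sas.web.csrf.token.performCheck", "false")
        self.perform_check = check.strip().lower() == "true"
        allowed = props.get("sas.web.csrf.token.allowedMethods", "")
        # HTTP method names are case-sensitive, so compare them exactly:
        # a request with method "get" is not a GET and gets no exemption.
        self.allowed_methods = {m.strip() for m in allowed.split(",") if m.strip()}

    def allow(self, req: Request) -> bool:
        """True if the request may proceed, False if it must be rejected."""
        if not self.perform_check:
            return True                       # performCheck=false: no enforcement
        if req.method in self.allowed_methods:
            return True                       # exempt method: token never examined
        presented = req.headers.get(self.TOKEN_HEADER) or req.form.get(self.TOKEN_PARAM)
        if presented is None:
            return False                      # state-changing request without a token
        # Constant-time comparison on bytes so a non-ASCII token cannot raise.
        return hmac.compare_digest(presented.encode(), req.session.csrf_token.encode())


def run_demo() -> dict:
    """Exercise the filter with constructed requests; returns the outcomes."""
    f = CsrfFilter(parse_properties(PROPERTIES_TEXT))
    victim, other = Session(), Session()
    return {
        "get_no_token": f.allow(Request("GET", victim)),
        "post_no_token": f.allow(Request("POST", victim)),
        "post_wrong_token": f.allow(Request("POST", victim, form={"_csrf": "guess"})),
        "post_other_session_token": f.allow(
            Request("POST", victim, form={"_csrf": other.csrf_token})),
        "post_form_token": f.allow(
            Request("POST", victim, form={"_csrf": victim.csrf_token})),
        "post_header_token": f.allow(
            Request("POST", victim, headers={"X-CSRF-Token": victim.csrf_token})),
        "lowercase_get_no_token": f.allow(Request("get", victim)),
        "check_disabled_post": CsrfFilter(
            {"sas.web.csrf.token.performCheck": "false"}).allow(Request("POST", victim)),
    }


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:28s} {'allowed' if allowed else 'rejected'}")
```

The model makes the trade-off in allowedMethods visible: a GET with no token is allowed purely because of the method, so the check only protects an application whose GET, HEAD, TRACE and OPTIONS handlers never change state. With performCheck left at its default, every forged POST goes through, which is the situation the procedure above corrects.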
Operating System and Release Information
Product Family | Product | System | Product Release: Reported In | Product Release: Fixed* | SAS Release: Reported In | SAS Release: Fixed*
SAS System | SAS Web Infrastructure Platform | Microsoft® Windows® for x64 | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8
SAS System | SAS Web Infrastructure Platform | 64-bit Enabled AIX | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8
SAS System | SAS Web Infrastructure Platform | 64-bit Enabled Solaris | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8
SAS System | SAS Web Infrastructure Platform | HP-UX IPF | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8
SAS System | SAS Web Infrastructure Platform | Linux for x64 | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8
SAS System | SAS Web Infrastructure Platform | Solaris for x64 | 9.4_M3 | 9.4_M8 | 9.4 TS1M3 | 9.4 TS1M8
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Cross-Site Request Forgery (CSRF) is a type of attack on web applications whereby a malicious actor causes information to be submitted to a vulnerable application on behalf of a user. This SAS Note describes the steps that you need to take to prevent such an attack.
Type: | Usage Note |
Priority: | medium |
Date Modified: | 2021-08-03 07:38:48 |
Date Created: | 2021-07-19 12:43:23 |