Cross-Site Request Forgery Prevention
Support for cross-site request forgery (CSRF) prevention was added in PTC FlexPLM 11.0 M030 for the majority of data-altering actions.
The solution implemented by PTC FlexPLM is to generate a unique token for each user when their session is established. This token is called a nonce and is cached in the user session. Each time the server generates a data-altering URL for the session, it includes the nonce in a hidden form field named CSRF_NONCE. When the user submits the form for the action, this hidden field is sent back to the server, which compares the nonce in the request with the nonce cached in the session. If the nonce is missing or does not match, the request is rejected with the following error:
A potential security problem was detected. Refresh the page and try again. If the problem persists, contact your administrator.
Events detected as potential CSRF attacks are also recorded in the audit logs.
Cross-site request forgery (CSRF) attacks are prevented by ensuring that any request to perform an action that creates, updates, or deletes data in the application can only have come from a valid user submitting a valid link or form generated from within the application, and not from a URL crafted by a third party and submitted unwittingly by the user.
The various CSRF prevention techniques include:
• The use of a unique token
• The use of a challenge-response scheme, such as CAPTCHAs
• Checking the HTTP Referer header (the header name keeps its historical misspelling)
• Checking the HTTP Origin header
• Establishing and using best practices when accessing the application
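The Origin and Referer checks in the list above, as an added example that is not part of the FlexPLM documentation or product code. It assumes a Node.js environment with the header names already lower-cased (as Node's http module delivers them); the function name checkRequestOrigin and the allowedOrigins set are names chosen here. It prefers Origin, falls back to Referer, rejects an opaque "null" origin, and fails closed when neither header is present.

```javascript
// Added example (not FlexPLM code): request source check using the Origin
// header, falling back to Referer when Origin is absent.
// Assumption: allowedOrigins is the Set of origins the application is served from.

function normalizeOrigin(value) {
  // Returns "scheme://host[:port]" for a URL string (default ports dropped),
  // or null if the value is unparsable or has an opaque origin (e.g. about:blank).
  try {
    const o = new URL(value).origin;
    return o === "null" ? null : o;
  } catch {
    return null;
  }
}

function checkRequestOrigin(headers, allowedOrigins) {
  const origin = headers["origin"];
  const referer = headers["referer"];

  // Origin is preferred: browsers send it on cross-site POSTs and page script
  // cannot set it. A literal "null" Origin (sandboxed iframe, redirect from a
  // data: URL, privacy settings) must be rejected, not treated as missing.
  if (origin !== undefined) {
    if (origin === "null") return { ok: false, reason: "opaque (null) Origin" };
    const o = normalizeOrigin(origin);
    if (o === null) return { ok: false, reason: "unparsable Origin" };
    return allowedOrigins.has(o)
      ? { ok: true, source: "origin" }
      : { ok: false, reason: `Origin ${o} not allowed` };
  }

  // Fall back to Referer. Only the origin part is compared, never the path or
  // a string prefix, so "https://app.example.com.evil.example" does not pass.
  if (referer !== undefined) {
    const r = normalizeOrigin(referer);
    if (r === null) return { ok: false, reason: "unparsable Referer" };
    return allowedOrigins.has(r)
      ? { ok: true, source: "referer" }
      : { ok: false, reason: `Referer origin ${r} not allowed` };
  }

  // Both missing: fail closed. A browser form post carries at least one of
  // them; a request with neither is non-browser or has been stripped.
  return { ok: false, reason: "neither Origin nor Referer present" };
}
```

Header checks are a defense in depth alongside the nonce, not a replacement for it: Referer can be suppressed by referrer policies or privacy tooling, so a check that treats a missing header as acceptable is bypassable.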
To protect an action from CSRF attacks, do the following:
• When an action is generated, clients must use appendNonce in csrf.js.
• All requests must pass through Main.jsp or the standard flow of forwards and includes so that the CSRF verification is performed. For example, if a JSP other than MainTemplate.jsp, Chooser.jsp, or Main.jsp performs a forward to a page other than MAINTEMPLATE, it must be updated to forward through MAINTEMPLATE correctly so that the verification is not bypassed.