This documentation supports the 20.02 version of BMC Helix Platform.


Protection against CSRF attack vulnerability

BMC Helix Platform includes a protective measure against cross-site request forgery (CSRF) attacks. To address the CSRF security risk, BMC Helix Platform uses a custom request header for every REST API request in the BMC Helix Platform Software Development Kit (SDK).

What happens in a CSRF attack?

In a CSRF attack, users are forced to execute unwanted actions on a web application in which they are currently authenticated. 

If the victim holds a regular user account, a CSRF attack can force the user to perform state-changing requests, such as transferring funds or changing the email address. If the victim holds an administrative account, the attack can compromise the entire web application. For more information, see Cross-Site Request Forgery (CSRF) on the OWASP website.

To protect against this vulnerability, BMC Helix Platform requires a custom HTTP header on every REST API request, which a page served from another origin cannot add.

How does BMC Helix Platform handle a CSRF attack?

BMC Helix Platform uses a custom request header for every REST API call in the BMC Helix Platform Software Development Kit (SDK). This defense relies on the same-origin policy (SOP): a custom header can be added only by JavaScript, and only from within the same origin. By default, web browsers do not allow JavaScript to make cross-origin requests that carry a custom header unless the server explicitly permits it through CORS, so an attacker's page cannot produce a request that passes the check.

The following custom header is added to BMC Helix Platform SDK:

X-Requested-With: XMLHttpRequest

If you are initiating your own HTTP requests, you can add the X-Requested-With header to every request by configuring the HTTP provider as follows (AngularJS example):

```javascript
// Send X-Requested-With: XMLHttpRequest on every $http request made by this AngularJS module
myAppModule.config(['$httpProvider', function($httpProvider) {
  $httpProvider.defaults.headers.common["X-Requested-With"] = 'XMLHttpRequest';
}]);
```

For more information, see Setting up your IDE and installing BMC Helix Platform SDK.

If the header is not present, the server returns a Response.Status.BAD_REQUEST (HTTP 400) response to the client.

If you use a generic HTTP request client in your development and testing, ensure that the custom request header is included with every request; otherwise, the request is rejected with a BAD_REQUEST (HTTP 400) response.
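The following added example (not BMC's code and not part of the SDK) shows both sides of the rule described above: a minimal Node.js request handler that enforces the header check the platform performs, rejecting any request without an exact X-Requested-With: XMLHttpRequest header with HTTP 400, and a small helper that builds the headers a generic HTTP client must send. The function names, the port, and the response bodies are assumptions chosen for illustration.

```javascript
// Added example, not BMC Helix Platform code: server-side enforcement of the
// X-Requested-With header and the matching client-side header set.
const REQUIRED_HEADER = 'X-Requested-With';
const REQUIRED_VALUE = 'XMLHttpRequest';

// Header names are case-insensitive (Node lower-cases them, other clients may not),
// so look the header up without regard to case.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// True only when the header is present exactly once with the exact expected value.
// A repeated header arrives as an array in Node and is rejected rather than guessed at.
function hasCsrfHeader(headers) {
  const value = getHeader(headers, REQUIRED_HEADER);
  return typeof value === 'string' && value === REQUIRED_VALUE;
}

// Decides the response for an API request from its headers alone (hypothetical API).
function handleApiRequest(headers) {
  if (!hasCsrfHeader(headers)) {
    return { status: 400, body: 'Missing or invalid X-Requested-With header' };
  }
  return { status: 200, body: 'ok' };
}

// Headers a generic HTTP client should send; the equivalent of the $httpProvider
// default shown above for AngularJS.
function clientHeaders(extra = {}) {
  return { [REQUIRED_HEADER]: REQUIRED_VALUE, ...extra };
}

// Starts a stand-alone server that applies the check to every request.
// Call startServer(8080) to try it; it is not started automatically.
function startServer(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    const { status, body } = handleApiRequest(req.headers);
    res.writeHead(status, { 'Content-Type': 'text/plain' });
    res.end(body);
  }).listen(port);
}
```

With the server running, a request such as `curl -i http://localhost:8080/` returns 400, while `curl -i -H "X-Requested-With: XMLHttpRequest" http://localhost:8080/` returns 200. The check is deliberately strict (exact value, single occurrence) so that a malformed or duplicated header cannot slip through.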
