What is CSRF? How is CSRF Protection enabled in AEM?

 What is CSRF?

Cross-site request forgery (CSRF) is a web vulnerability that lets a malicious hacker trick the victim into submitting a request that allows the attacker to perform state-changing actions on behalf of the victim.

1. The victim is authenticated in the target web application (e.g., www.example.com).
2. The attacker uses social engineering to trick the victim into visiting a malicious website (e.g.,checkthiscoupen.com).
3. The malicious web page includes code that causes the victim’s browser to send an implicit request to the target (www.example.com).
4. The malicious request causes the target to perform state change actions that the user did not intend.

Protecting against CSRF requires two things: ensuring that HTTP Methods are used appropriately, e.g., GET requests are not performing state-changing operations, and ensuring that non-GET requests can only be originated from your client-side code.

A CSRF token is a unique, secret, and unpredictable value generated by the server-side application and shared with the client. When requesting a sensitive action, such as submitting a form, the client must include the correct CSRF token. The CSRF token helps to ensure that the state change requests originated from the actual website, not from a malicious website, and helps to protect the websites from CSRF attacks.

How CSRF Protection Enabled in AEM?

AEM uses CSRF tokens to protect the websites from CSRF attacks — malicious users performing state-changing operations on behalf of authenticated users.

Valid Scenario:

The Authenticated Users send a state change request to the server; the client-side script (Granite jQuery or Granite CSRF standalone library) requests the CSRF token through CSRF Servlet — /libs/granite/csrf/token.json (For forms server embed the CSRF Token in the form while sending the form HTML to the client) and embed the token to the request. The CSRF filter validates the incoming CSRF token and allows the request if the token is valid — in this case, the token should be valid so the request will be processed.

Malicious Attack:

Authenticated user (authenticated to target website www.example.com) clicks on a malicious website link(checkthiscoupen.com) that sends the request to the original website(www.example.com) with the malicious data but without the valid CSRF token.

The CSRF Filter rejects the request due to missing a valid CSRF token in the request, and the attacker cannot perform any state change operations.

Granite jQuery or Granite CSRF standalone library:

Any component that relies on the granite.jquery client library dependency will benefit from the CSRF Protection Framework automatically. In case of granite jquery can't be used due to any restrictions, you can use granite.csrf.standalone client library to enable CSRF protection.

Include granite.jquery or granite.csrf.standalone to enable the CSRF protection for AEM websites.

The granite.jquery or granite.csrf.standalone client library invokes the CSRF token endpoint and embeds the CSRF token as part of every State change call.

For the forms, the tokens are generated when the form is sent to the client and validated when the form is sent back to the server. The token is added as a request parameter — :cq_csrf_token; for Ajax calls, the token is added as a request header — CSRF-Token

CSRF Token Servlet:

Invoking the token servlet — /libs/granite/csrf/token.json returns the CSRF token for the authenticated users; this means the CSRF protection will be enabled only for authenticated users and not for anonymous users — invoking the token endpoint for the anonymous user returns the blank result.

The validity of the token can be controlled through the “Adobe Granite CSRF Servlet” OSGI configuration — the default validity of the token is 600 sec.

CSRF Filter:

AEM enabled with a global Filter that will be invoked for every request, forwards, and includes that accept/reject the request based on the validity of the CSRF token in the request and other configurations.

The “Adobe Granite CSRF Filter” OSGI configuration can be modified to control the filtering criteria:
Add the methods that the filter should validate.
Enable User Agent validation and Configure Safe User Agents.
Enable the paths that should be skipped from filtering.

HMAC Key Sync:

You must replicate the HMAC binary to all server instances in a specific environment to use the tokens. Refer to The CSRF Protection Framework | Adobe Experience Manager for more information.

Dispatcher Configuration:

Minimal Dispatcher configurations are required to support the CSRF Protection Framework (allow CSRF-Token header; allow token endpoint and block the dispatcher from caching the token.json). For more information, refer to Configuring Dispatcher to Prevent CSRF Attacks | Adobe Experience Manager.

Conclusion:

The CSRF Protection Framework helps us to protect our websites from Cross-Site Request Forgery (CSRF) attacks. Ensure the CSRF Protection Framework is rightly configured to mitigate CSRF attacks.

The CSRF is meant to protect authenticated sessions; the server provides a CSRF token to the client for all authenticated sessions, and the client should pass the same CSRF token to the server with each subsequent request. If a request comes without the token, the server should ignore/log it.

Responsive Layouts not working for the nested containers - Adobe Experience Manager(AEM)

The responsive layout resizing was not working for the nested 3rd-level containers in the Editable template.

The responsive layout containers with Editable templates help the authors to manage the page layouts through drag-and-drop resizing. But it looks to be the resizing is not working when nested more than two levels - the resizing stopped working in the 3rd level.

The actual issue is the responsive configurations (cq:responsive node) are not inherited to the 3rd level.

Added a container (container1) 

•   Container(container1) is aligned to a specific column, e.g., 8.
•   Added a child container 2 to the container 1.
•   Added a child container 3 to container 2.
•   Made container 3 a responsive grid.
•   Added a text component to container 3.
•   Layouting not working for the text component.

Workaround: Resize container 3 to a different column size and return to the original column size — this will add the cq:responsive node to container 3 and allow the layout for the text component.

npm ERR! code ENOENT - npm WARN checkPermissions Missing write access

I received the exception below while installing the magnolia CLI npm package from the checked-out code repository(https://github.com/robertkowalski/magnolia-cli.git).

npm install -g

npm WARN checkPermissions Missing write access to xxxx\Magnolia\magnolia-cli\node_modules\bluebird
npm WARN checkPermissions Missing write access to xxxx\Magnolia\magnolia-cli\node_modules\command-exists
npm WARN checkPermissions Missing write access to xxxx\Magnolia\magnolia-cli\node_modules\commander
npm WARN checkPermissions Missing write access to xxxx\Magnolia\magnolia-cli\node_modules\diff
npm WARN checkPermissions Missing write access to xxxx\Magnolia\magnolia-cli\node_modules\fs-extra
npm WARN checkPermissions Missing write access to xxxx\Magnolia\magnolia-cli\node_modules\findup-sync
npm WARN checkPermissions Missing write access to xxxxt\Magnolia\magnolia-cli\node_modules\i18next
npm WARN checkPermissions Missing write access to xxxx\Magnolia\magnolia-cli\node_modules\i18next-sync-fs-backend
npm WARN checkPermissions Missing write access to xxxxt\Magnolia\magnolia-cli\node_modules\npm-registry-client
npm WARN checkPermissions Missing write access to xxxx\Magnolia\magnolia-cli\node_modules\inquirer
npm WARN checkPermissions Missing write access to xxxxt\Magnolia\magnolia-cli\node_modules\osenv
npm WARN checkPermissions Missing write access to xxxxt\Magnolia\magnolia-cli\node_modules\progress
npm WARN checkPermissions Missing write access to xxxx\Magnolia\magnolia-cli\node_modules\tar
npm WARN checkPermissions Missing write access to xxxx\Magnolia\magnolia-cli\node_modules\yaml-js
npm WARN checkPermissions Missing write access toxxxx\Magnolia\magnolia-cli\node_modules
npm WARN checkPermissions Missing write access to xxxx\Magnolia\magnolia-cli\node_modules\@magnolia
npm ERR! code ENOENT
npm ERR! syscall access
npm ERR! path xxxx\Magnolia\magnolia-cli\node_modules\ansi-escapes
npm ERR! errno -4058
npm ERR! enoent ENOENT: no such file or directory, access 'xxxx\Magnolia\magnolia-cli\node_modules\ansi-escapes'
npm ERR! enoent This is related to npm not being able to find a file.
npm ERR! enoent

npm ERR! A complete log of this run can be found in:
npm ERR!     C:\Users\xxx\AppData\Roaming\npm-cache\_logs\2023-02-13T18_36_08_935Z-debug.log

This error was due to the magnolia CLI already installed globally through "npm install  @magnolia/cli -g".

Use "npm list @magnolia/cli -g" command to view the existing package; uninstall the existing package through "npm uninstall @magnolia/cli"

Now the local installation(npm install -g) from the checked-out code will be a success.

Selective Proxying to debug live website issues.

I was recently working on debugging a live website issue; it was only reproducible on the live website, and it was challenging to debug the issue with the live site. Based on my research, I identified selective proxying — modifying the response for the selected URLs and passing the rest of the traffic to the live URL- helping debug live website issues quickly. I want to share some possible tools and configurations that can be used to debug live website issues through selective proxying.

The actual issue was the JavaScript embedded into the HTML page was not working as expected; to debug the problems, the script in the HTML should be modified. Finally, I used the Fiddler Autoresponder to serve only the specific HTML from the Local File and the remaining URLs through live websites. This helps me modify the embed script, identify the root of the problem, and address it.

Fiddler Autoresponder:

The Auto Responder feature in Fiddler Everywhere allows you to create “Rules” triggered when a particular request is issued. Fiddler’s Autoresponder will enable you to return files from your local disk instead of transmitting the request to the server.

The Fiddler can be downloaded from Download Fiddler Web Debugging Tool for Free by Telerik.

Select Autoresponder from Fiddler UI and click Add Rule.

Add the string to match — the URL that should be responded to with local file content.

Select Find File and locate the local File — in my case, I will replace the response for one the HTML — copy the actual HTML response through the view page source in the live URL, store it in the local File, and modify the content as required.

Save and Enable the Rule

Enable the “Decrypt HTTPS Traffic” option if you are debugging HTTPs websites.

Tools → Options → HTTPS

I am selecting No for the root certificate; if the root certificate is not accepted, you will receive an untrusted SSL certificate error while accessing the website — the root certificate can be trusted later if required.

I am enabling the Decrypt only for the browsers.

Click Ok and access the website(page); the specific page will be rendered from a local file — I have enabled a quick alert on the local File.

Now the specific HTML file is loaded locally; all remaining requests are responded to from the live server— including the relative links inside the HTML page loaded from locally.

The SSL certificate error may block some of the externally linked resources from loading; if you want, you can trust the Fiddler root certificate (keep security in mind)

Go to Tools → Option → HTTPS, Click on Actions → Trust Root Certificate.

Follow the screens and Trust the certificate; now, the SSL error will be removed.

You can remove the root certificate if required through Tools →Options → HTTPS →Actions →Reset All Certificates.

The Fiddler is enabled system-wide to capture all the traffic; you can modify the configurations to capture only the specific traffic. Also, you can pause the capturing by unselecting the File →Capture Traffic configuration.

Requestly:

Another option is using the Requestly Desktop app to proxy the response; the Requestly Desktop app can be downloaded from Desktop App to Intercept & Modify HTTP Requests | Requestly

First, open the browser profile (recommend new profile) through the connected app.

Now enable an HTTP Rule.

Select Modify Response Rule

Add the URL for the response that should be replaced — refer to the previous option for replacing HTML with local content.

Place the updated content (in my case, HTML) in the response body.

Provide a Rule name and Save the Rule (Ctrl+S)

Now test the page through the browser session opened by Requestly. For the matching page, the response body is replaced by content specified in the Rule, and the remaining links are directed to the live server.

The Requestly is simple to configure and restricted to a specific browser session, but the Fiddler will give more functionalities like traffic monitoring, SSL support, etc. You can even use other proxies like Charles proxy etc.; consider the security before using any tools for proxying the requests- use the proxies only when you need some debugging.