Cross-Site Request Forgery (CSRF) Protection issue for REST API class
Hello,
We wrote a REST API class for forgot password (from the iOS application to Salesforce). The code was sent to the testing team for a vulnerability test.
iOS sends the forgot request to SFDC --> Salesforce validates that the user is valid --> sends a random number to another server --> resets the password
They replied with a "CSRF protection" issue as the result.
I have checked the session settings in my developer org. It has the default enabled checkboxes (Cross-Site Request Forgery (CSRF) Protection):
Security Controls ---> Session Settings
Enable CSRF protection on GET requests on non-setup pages
Enable CSRF protection on POST requests on non-setup pages
Please find the API code below:
@RestResource(urlMapping='/Forgotpassword/*')
global with sharing class Forgotpassword {

    // POST handler: the e-mail address arrives as the "email" field of the JSON body.
    @HttpPost
    global static void forgetPWD(String email) {
        List<User_details__c> userDetails = [
            SELECT Id, First_name__c, Middle_name__c, Last_name__c, password__c, Email__c
            FROM User_details__c
            WHERE Email__c = :email
        ];
        String mail;
        String names;
        String password;

        // Build a 10-character string from the 10-symbol alphabet below, one symbol per iteration.
        Integer len = 10;
        final String chars = '012345adfc';
        String randStr = '';
        while (randStr.length() < len) {
            Integer idx = Math.mod(Math.abs(Crypto.getRandomInteger()), chars.length());
            randStr += chars.substring(idx, idx + 1);
        }

        if (userDetails.size() > 0) {
            // If several records share the e-mail, the last one wins.
            for (User_details__c user : userDetails) {
                mail = user.Email__c;
                names = user.First_name__c;
                password = randStr;
            }
            Status__c st = new Status__c();
            st.message__c = 'User is available';
            st.code__c = 0;
            st.userId__c = userDetails[0].Id;
            System.debug('st' + st);
            insert st;
        } else {
            Status__c st = new Status__c();
            st.message__c = 'User not available';
            st.code__c = 0;
            st.userId__c = null;
            System.debug('st' + st);
            insert st;
        }
        System.debug('email ' + mail);
        System.debug('name ' + names);
        System.debug('message ' + password);
        // Called in both branches; when no user matched, mail and names are null.
        callback1(mail, names, password);
    }

    // Asynchronous callout: posts e-mail, name and the generated string as JSON to the reset server.
    @future(callout=true)
    global static void callback1(String mail, String names, String password) {
        HttpRequest req = new HttpRequest();
        JSONGenerator gen = JSON.createGenerator(true);
        gen.writeStartObject();
        gen.writeStringField('email', mail);
        gen.writeStringField('name', names);
        gen.writeStringField('message', password);
        gen.writeEndObject();
        String postjson = gen.getAsString();
        System.debug('Gen' + postjson);
        req.setEndpoint('http://52.72.252.80:8080/ResetPassword/Forgotpassword');
        req.setHeader('Content-Type', 'application/json');
        req.setBody(postjson);
        req.setMethod('POST');
        System.debug('req ' + req);
        Http ht = new Http();
        HttpResponse res = ht.send(req);
        System.debug('res' + res);
    }
}
Kindly let us know how to resolve the CSRF issue.
Any help will be appreciated.
Regards
Tirumala K
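Added example (not the poster's code and not a Salesforce-provided pattern): a hardened version of the forgot-password resource above. Two facts frame it: the two Session Settings checkboxes quoted in the question govern Visualforce pages, and an Apex REST resource is reached through the Salesforce REST API, which authenticates with an OAuth access token or session ID carried in the Authorization header rather than a cookie that a browser would attach to a cross-site request. The example adds the defence-in-depth check usually applied to JSON APIs, requiring a custom request header that a browser cannot attach cross-site without a CORS preflight, and while hardening the class it also draws the reset secret from a CSPRNG instead of a 10-symbol alphabet, returns the same response whether or not the e-mail exists, and moves the callout to a Named Credential so the endpoint is HTTPS and not hard-coded. The class name, the header name and value, and the Named Credential name "ResetService" are assumptions chosen for this example.

```apex
// Added example, not the original poster's class. Names marked as assumptions
// are placeholders chosen for illustration.
@RestResource(urlMapping='/ForgotpasswordHardened/*')
global with sharing class ForgotpasswordHardened {

    // Custom header the iOS client must send on every call (assumed name/value).
    // A browser cannot add a custom header to a cross-site request without a
    // CORS preflight, so its presence rules out a plain forged browser request.
    private static final String REQUIRED_HEADER = 'X-Requested-With';
    private static final String REQUIRED_VALUE  = 'ForgotPasswordClient';

    // Uniform reply for both the "found" and "not found" cases, so the endpoint
    // does not disclose which addresses are registered.
    private static final String UNIFORM_MESSAGE =
        'If the address is registered, a reset message has been sent';

    @HttpPost
    global static void forgetPWD(String email) {
        RestRequest req = RestContext.request;
        RestResponse res = RestContext.response;

        // 1. Reject requests without the expected custom header.
        //    String.equals is used because Apex == on strings is case-insensitive.
        String sent = headerValue(req, REQUIRED_HEADER);
        if (!REQUIRED_VALUE.equals(sent)) {
            res.statusCode = 403;
            res.addHeader('Content-Type', 'application/json');
            res.responseBody = Blob.valueOf('{"code":1,"message":"Forbidden"}');
            return;
        }

        // 2. Reset secret from the platform CSPRNG: 128 random bits as 32 hex
        //    characters, instead of 10 symbols drawn from a 10-character alphabet.
        String resetSecret = EncodingUtil.convertToHex(Crypto.generateAesKey(128));

        // 3. Look up the user; the callout happens only when a record matches.
        List<User_details__c> userDetails = [
            SELECT Id, First_name__c, Email__c
            FROM User_details__c
            WHERE Email__c = :email
            LIMIT 1
        ];
        if (!userDetails.isEmpty()) {
            callback1(userDetails[0].Email__c, userDetails[0].First_name__c, resetSecret);
        }

        // 4. Same status and body in both cases; the secret is never returned to the caller.
        res.statusCode = 200;
        res.addHeader('Content-Type', 'application/json');
        res.responseBody = Blob.valueOf('{"code":0,"message":"' + UNIFORM_MESSAGE + '"}');
    }

    // Header lookup that tolerates key casing, since intermediaries may change it.
    private static String headerValue(RestRequest req, String name) {
        if (req == null || req.headers == null) {
            return null;
        }
        for (String key : req.headers.keySet()) {
            if (key.equalsIgnoreCase(name)) {
                return req.headers.get(key);
            }
        }
        return null;
    }

    // Callout through a Named Credential (assumed name "ResetService", configured
    // with an https:// URL and its own credentials), so no endpoint, scheme or
    // secret is hard-coded in Apex.
    @future(callout=true)
    global static void callback1(String mail, String names, String secret) {
        JSONGenerator gen = JSON.createGenerator(true);
        gen.writeStartObject();
        gen.writeStringField('email', mail);
        gen.writeStringField('name', names);
        gen.writeStringField('message', secret);
        gen.writeEndObject();

        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:ResetService/ResetPassword/Forgotpassword');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setBody(gen.getAsString());
        HttpResponse resp = new Http().send(req);
        // Log only the status code, never the request body, which carries the secret.
        System.debug('reset callout status ' + resp.getStatusCode());
    }
}
```

The iOS client has to send the custom header together with its OAuth bearer token; a request that arrives without it is answered with 403 before any SOQL or callout runs, and the Status__c records written by the original class are dropped here because the uniform response already tells the caller everything it should learn.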
Have you got any solutions for this please?