kevincc

CSRF for an app hosted external to salesforce using rest or soap api
This question is related to an app hosted externally to Salesforce. The user will access the app through a custom web tab in Salesforce. Based on user actions, the custom app server hosting the app makes calls to Salesforce via the REST and SOAP APIs. The app doesn't store any user state, i.e. no sessions. Instead, the server URL, session ID and other data are passed (over HTTPS, of course) from the client to the custom app server when an action is performed. That means that if an attacker wants to abuse one of the pages of the custom app, a valid session ID and server URL would have to be supplied to perform the action.

The communication looks like this:

client browser <--> custom app server <--> salesforce
I've been reading http://wiki.developerforce.com/page/Secure_Coding_Cross_Site_Request_Forgery, which recommends: "A secure anti-CSRF mechanism should create a different and unpredictable token for each user session."

Measuring the use of the session ID against the anti-CSRF mechanism criteria mentioned in the article:

1) session ID has to be supplied to perform an action

2) session ID is different and unpredictable for each user session

3) session ID is different across users

Does the user's session ID act as an anti-CSRF mechanism in this scenario?

Jdolph

The effectiveness would really depend on how the application is put together. In theory this should be an OK mechanism, assuming that the actions that use the SOAP endpoint and Session ID (SID) are the only actions the app supports. This would also assume that each page/action is authenticated using the endpoint and SID. You may run into API limits if there are a lot of calls performed this way, so please be cautious. If there are calls or actions that happen from other parts of the app outside of the authenticated pages, those calls/actions would not be protected. I hope that helps.
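As an added illustration of the question and of Jdolph's caveat (example code, not from the thread or from Salesforce): a small model of the custom app server's action handler, comparing an action authenticated by an ambient cookie with one that requires the server URL and SID in the request body. `verify_with_salesforce`, `Request` and the session values are assumed stand-ins so the example runs offline.

```python
# Added example (not from the thread): the custom app server's action handler,
# once reading credentials from a cookie and once, as the question describes,
# from the request body. verify_with_salesforce is an assumed stand-in for the
# real REST/SOAP call; the session values are constructed placeholders.
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlparse

# Constructed sample: the one (server URL, SID) pair this stand-in accepts.
VALID_SESSIONS = {("https://example.my.salesforce.com", "CONSTRUCTED-SESSION-ID")}

def verify_with_salesforce(server_url: str, sid: str) -> bool:
    """Stand-in for an API call that fails on an unknown endpoint or SID."""
    return (server_url, sid) in VALID_SESSIONS

@dataclass
class Request:
    form: Dict[str, str] = field(default_factory=dict)     # POST body fields
    cookies: Dict[str, str] = field(default_factory=dict)  # added by the browser

def handle_cookie_auth(req: Request) -> Tuple[int, str]:
    """Cookie-based variant: the browser attaches the cookie to a cross-site
    POST too, so a request the user never intended looks like a real one."""
    url, sid = req.cookies.get("server_url", ""), req.cookies.get("sid", "")
    if not verify_with_salesforce(url, sid):
        return 401, "unauthenticated"
    return 200, "action performed"

def handle_body_auth(req: Request) -> Tuple[int, str]:
    """Variant from the question: SID and server URL must be in the body.
    Another origin cannot read them out of the user's tab, so it cannot
    supply them; that is what lets the SID serve as an anti-CSRF token."""
    url, sid = req.form.get("server_url", ""), req.form.get("sid", "")
    if not url or not sid:
        return 401, "missing server_url or sid"
    if urlparse(url).scheme != "https":  # the post says these travel over https
        return 400, "server_url must be https"
    if not verify_with_salesforce(url, sid):
        return 401, "unauthenticated"
    return 200, "action performed"

def cross_site_form_post(victim_cookies: Dict[str, str]) -> Request:
    """Models what a page on another origin can make the victim's browser
    send: body fields of its choosing plus whatever cookies the browser adds."""
    return Request(form={"action": "delete_record"}, cookies=dict(victim_cookies))
```

The cookie variant also stands in for the "calls from other parts of the app outside the authenticated pages" that the answer warns about: any action that does not demand the endpoint and SID from the caller gets no protection from them.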