locked
Vulnerability to cross-site request forgery (CSRF) on SSRS 2016 RRS feed

  • Question

  • Hi

    I would like to add security to my SSRS 2016. It has a vulnerability to CSRF, it shows vulnerable because it does not validate if the request is coming from the current user. It could be possible to forged request and force some action like download a document.

    Is there any way to configure this to avoid this vulnerability like adding token to the request of making these token unique?

    Thanks in advance,

    Ricardo.

    Tuesday, May 19, 2020 12:33 PM

All replies

  • Hello Ricardo,

    As we know, a CSRF attack simply takes advantage of the fact that the browser sends the Cookie to the web application automatically with each and every request.

    In order to avoid CSRF attack, you can configure the SSRS web portal to pass custom authentication cookies. If you are using a custom authentication extension, you should configure the web portal to transmit custom authentication cookies. To enable additional cookies to be transmitted through HTTP requests when using the web portal, set the following elements in the RSReportServer.config file:

    <UI>  
       <CustomAuthenticationUI>  
          ...  
          <PassThroughCookies>  
             <PassThroughCookie>cookiename1</PassThroughCookie>  
             <PassThroughCookie>cookiename2</PassThroughCookie>  
          </PassThroughCookies>  
       </CustomAuthenticationUI>  
          ...  
    </UI>  

    More details, you can refer to Configure the Web Portal to Pass Custom Authentication Cookies

    And here is a serial of Microsoft documents about SSRS security and protection, I think these will help too.

    Hope it will help

    Best Regards

    Dawn


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.


    Wednesday, May 20, 2020 3:15 AM
  • Hello friend,
    Have you solved the question?
    If you have resolved your issue, please mark the useful reply as answer. This can be beneficial to other community members finding and reading the thread easily. 
    In addition, if you have another questions, please feel free to ask.
    Thanks for your contribution.

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, May 21, 2020 9:50 AM
  • Hi MSDN,

    I work with Ricardo. Let me add some background information about this security issue. As I think we are here missing the point.

    First of all we note SSRS issues anti CSRT tokens and it does it very frequently.

    We removed the XSRF tokens yet the application responded and assigned new ones.

    We have generated a CSRF POC request with all tokens and XSRF tokens removed.

    So, we generate a request, then capture it with intercept and generate a CSRF POC. Then, we can make the user to download a report unwillingly.

    Since the unpredictable token is not validated at this stage, SSRS responds by executing a download.

    This is reported due to even the file is downloaded into the user machine, we noted CSRF protection is there but is not validated as in the rest of the SSRS.

    This particularly proves the concept of SSRS being vulnerable to CSRF.

    Even though we execute the request without cookies and tokens, the web browser, sends them (append them to our request due to the inherit behavior, the browser send cookies back if requested).

    Thursday, August 20, 2020 9:07 AM