What is a CSRF token?


CSRF, or Cross-Site Request Forgery, is a type of attack in which a malicious web site or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

Requiring the website or program to be invoked with a CSRF token is one of the ways of preventing this attack.

How it works


Services which are hosted on SAP Gateway require CSRF token validation. In this example, we’ve used a gateway URL for testing.


1. Fetch the CSRF token

Use the metadata URL of the gateway service to fetch the CSRF token.

(The URL for fetching the CSRF token differs from application to application. For workflow services, append 'xsrf-token' to the URL, e.g. https://bpmworkflowruntimexxx.hana.ondemand.com/workflow-service/rest/v1/xsrf-token.)

Perform a GET call and pass the following header:

Key: X-CSRF-Token
Value: fetch

In response, you will get the CSRF token as a header.


2. Invoke the service with the CSRF token obtained from the previous call

Copy the CSRF token obtained from the previous call and paste it in the header of the POST call, as shown below.

If the validation is unsuccessful, you will get a 403 Forbidden error, which means that the CSRF token validation failed. In such cases, check that the user has the roles required to trigger the URL and make sure you've copied the CSRF token from the previous call correctly. If there are no errors, you will get a 200 or 201 response.

Implementing it in SAP Cloud Platform Integration


Now let’s see how to implement the above in SAP Cloud Platform Integration.

Here, just passing headers will not be enough. We will also have to take care of the session cookies, which are internally handled by any REST client.

In the above example, we can view the session cookies being created by adding the Interceptor add-on in Postman.

We'll be implementing this logic of retrieving the cookies using a Groovy script.

IFLOW

Components used:

SL. No.  COMPONENT           DESCRIPTION
1        Sender Channel      HTTPS sender channel to trigger the iFlow
2        Content Modifier 1  Sets the header 'x-csrf-token' to 'fetch' in order to request the CSRF token
3        Request Reply 1     Uses an HTTP channel to perform a GET call to the gateway metadata URL
4        Script              Reads the Set-Cookie header(s) from the response and sets the session cookies on the outgoing Cookie header
5        Content Modifier 2  Sets the content type and the payload for the POST call
6        Request Reply 2     Uses an HTTP channel to perform the final POST call

1. HTTPS Sender Channel

2. Content Modifier 1

3. Request Reply 1 – HTTP Receiver Channel

4. Script



import com.sap.gateway.ip.core.customdev.util.Message

def Message processData(Message message) {
    def headers = message.getHeaders()
    // The HTTP receiver hands back the gateway's Set-Cookie header(s). Depending on
    // the response this is a single String or a List of Strings, so handle both.
    def setCookie = headers.get("Set-Cookie")
    def cookies = (setCookie instanceof Collection) ? setCookie : (setCookie == null ? [] : [setCookie])

    // A Cookie request header carries only name=value pairs, so drop the attributes
    // (Path, HttpOnly, Secure, ...) that Set-Cookie appends after the first ';'.
    def cookieHeader = cookies.collect { it.toString().split(";", 2)[0].trim() }.join("; ")
    message.setHeader("Cookie", cookieHeader)

    // Note: this writes the session cookie values into the MPL, where anyone with
    // monitoring access can read them; keep it for troubleshooting only.
    def messageLog = messageLogFactory.getMessageLog(message)
    if (messageLog != null) {
        messageLog.setStringProperty("Logging_Cookie", cookieHeader)
    }
    return message
}
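The two-step exchange described under "How it works" and the Set-Cookie handling of the script above, as an added, self-contained example that is not part of the original post: a simulated gateway that issues a CSRF token bound to the session cookie and rejects a POST whose token or session does not match, a cookie_header() helper that does what the Groovy script does, and the client flow that ties them together. The Gateway class, the cookie names SAP_SESSIONID and sap-usercontext, and the response bodies are all constructed for the simulation and are not the real gateway's implementation.

```python
import secrets


class Gateway:
    """Simulated gateway with CSRF protection: a token is issued on a fetch
    request and bound to the session cookie set in the same response."""

    def __init__(self):
        self.sessions = {}  # session id -> CSRF token issued for that session

    def handle(self, method, headers, body=None):
        """Return (status, response_headers, body) for one request."""
        cookies = dict(c.split("=", 1) for c in headers.get("Cookie", "").split("; ") if c)
        sid = cookies.get("SAP_SESSIONID")
        if method == "GET" and headers.get("X-CSRF-Token", "").lower() == "fetch":
            sid, token = secrets.token_hex(8), secrets.token_urlsafe(16)
            self.sessions[sid] = token
            return 200, {"X-CSRF-Token": token,
                         "Set-Cookie": [f"SAP_SESSIONID={sid}; Path=/; HttpOnly",
                                        "sap-usercontext=sap-client=100; Path=/"]}, ""
        if method == "POST":
            # 403 when the session is unknown or the token does not match the one
            # issued to that session: the validation failure the post describes.
            token = headers.get("X-CSRF-Token") or ""
            if sid not in self.sessions or not secrets.compare_digest(token, self.sessions[sid]):
                return 403, {}, "CSRF token validation failed"
            return 201, {}, "created"
        return 405, {}, ""


def cookie_header(set_cookie):
    """Build the Cookie request header from one or many Set-Cookie values,
    keeping only the name=value pair of each (what the Groovy script does)."""
    if set_cookie is None:
        return ""
    values = [set_cookie] if isinstance(set_cookie, str) else set_cookie
    return "; ".join(v.split(";", 1)[0].strip() for v in values)


def post_with_csrf(gw, payload):
    """The flow from the post: GET with 'X-CSRF-Token: fetch', then POST with
    the returned token and the session cookies from that same response."""
    status, hdrs, _ = gw.handle("GET", {"X-CSRF-Token": "fetch"})
    if status != 200:
        return status, hdrs, "token fetch failed"
    req = {"X-CSRF-Token": hdrs["X-CSRF-Token"],
           "Cookie": cookie_header(hdrs.get("Set-Cookie"))}
    return gw.handle("POST", req, payload)
```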

5. Content Modifier 2





For testing purposes, I've set the payload in the content modifier



6. Request Reply 2 – HTTP Receiver Channel





Once the iFlow is deployed and triggered, you can see the cookie being set in the POST call, both in the MPL logs and in the response header in Postman.




13 Comments
vicky20691
Active Contributor
Well done. It is great to see this from you. Very neat and explanatory stuff with lot of screenshots make this a very good resource for reference.
0 Kudos
Great Blog post, very clearly explained. Thank you
axelalbrecht
Product and Topic Expert
Please don't use this script when you have Session Handling enabled in your integration flow. The flow itself will take care that cookies with the same scope are re-used across calls.
sugandhan1122
Explorer
0 Kudos
Great post. This helped a lot in understanding the process.
artemkovalov
Advisor
0 Kudos
Thanks for highlighting the cookies part.
Jacques-Antoine
Active Participant
0 Kudos
Very clear! Thank you!
Jacques-Antoine
Active Participant
0 Kudos
Excellent point!
nikhilwalsetwar
Contributor
Thank you so much axel.albrecht for highlighting it. Attaching the related screenshot for others' reference.

thamizharasan
Advisor
0 Kudos
Hi wnikhil,

Thank you for the screenshot. Is there a way to pass the body which comes from the client / Postman to Request Reply 2?

Thanks,
Thamizharasan.
0 Kudos
Does session handling take care of the CSRF token fetching part as well?
axelalbrecht
Product and Topic Expert
0 Kudos
No, Praveen. Some adapters are doing this automatically if configured; for other adapters you have to do this yourself. The session handling is independent of that.
0 Kudos
Thanks for your reply. What is the retry mechanism used by the supporting adapters? Sometimes I am seeing a 403 issue with stale cookies and CSRF tokens in Postman. Does it ever happen with integration flows?
KR_
Discoverer
0 Kudos

Thank you, very helpful
