Cross-Site Request Forgery (CSRF) in Qlik Sense
Article Number: 000041038 | Last Modified: 2020/01/15
A penetration test run against Qlik Sense reports Cross-Site Request Forgery (CSRF).
What is the recommendation for this?
To exploit a Cross-Site Request Forgery (CSRF) vulnerability, attackers need to have administration permissions and upload malicious code.
To mitigate this risk, the client has to implement a process to ensure that all code is reviewed prior to putting it into the production site.
The Qlik R&D Security team does not consider this a vulnerability because we do not use the Referer header as a CSRF protection mechanism.
Additionally, we have performed testing attempting a CSRF attack on several Sense versions and have been unable to do so successfully.
This was tested on environments from February 2018 and later.
CSRF is a very commonly detected "issue" during penetration testing against any web platform, not just Qlik Sense.
Please keep in mind that these are quite generic vulnerabilities and do not apply only to our software. We encourage you to follow security best practices internally, as this will be the most substantial contribution towards avoiding these types of attacks. A user must first visit a compromised website and then be using one of the plug-ins, and a lot of assumptions are made in order to consider this a threat.
The security in Qlik Sense relies on the current security standards in browsers. The software does not work with old browsers. However, it cannot be said that it would be impossible, with some uncommon components, to intercept the communication. But for that, Qlik would need a proof of concept showing that this theoretical issue can be reproduced in reality. Currently no one has provided one.
To prevent CSRF attacks, the xrf key is passed in the GET request and its value is compared with the xrf key in the HTTP header; if they match, the request is legitimate.
CSRF attacks can target both GET and POST requests, so passing the key on HTTP POST only would leave GET requests vulnerable to attack.
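As an added illustration, not code from this article or from Qlik, the double-submit comparison described above: the same random key travels in the query string and in a request header, and the server accepts a request only when both are present and equal, regardless of HTTP method. The parameter name xrfkey, the header name X-Qlik-Xrfkey, and the sample paths are assumptions of this example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed names for this example (not taken from the article above).
XRF_PARAM = "xrfkey"
XRF_HEADER = "x-qlik-xrfkey"


def make_xrfkey() -> str:
    """Client side: generate a fresh random key for the session/request."""
    return secrets.token_hex(8)  # 16 hex characters


def build_request(method: str, path: str, xrfkey: str, include_header: bool = True) -> dict:
    """Constructed sample request. A legitimate client sends the key both as a
    query parameter and as a custom header. A cross-site link, image or form
    can only control the URL, so it is modelled with include_header=False."""
    sep = "&" if "?" in path else "?"
    headers = {"X-Qlik-Xrfkey": xrfkey} if include_header else {}
    return {"method": method, "url": f"{path}{sep}{XRF_PARAM}={xrfkey}", "headers": headers}


def xrfkey_check(request: dict) -> bool:
    """Server side: accept only if the query-string key and the header key are
    both present and identical. Applied to every method, because CSRF is
    possible on GET as well as POST."""
    query = parse_qs(urlsplit(request["url"]).query)
    param = query.get(XRF_PARAM, [""])[0]
    headers = {k.lower(): v for k, v in request["headers"].items()}
    header = headers.get(XRF_HEADER, "")
    if not param or not header:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(param, header)


if __name__ == "__main__":
    key = make_xrfkey()
    print("legitimate GET :", xrfkey_check(build_request("GET", "/api/items", key)))
    print("legitimate POST:", xrfkey_check(build_request("POST", "/api/items", key)))
    print("cross-site GET :", xrfkey_check(build_request("GET", "/api/items", key, include_header=False)))
```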