Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
QRadar API CSRF
QRadar APIs use a CSRF token to protect against CSRF vulnerabilities. The QRadar CSRF token is generated by QRadar and then added to API calls and HTTP requests as a cookie or header with the key QRadarCSRF.
If an app makes requests to the QRadar API, it must use this QRadarCSRF token to pass CSRF checks. The token is stored as a cookie, so it can be retrieved either through JavaScript or by your app’s backend reading the cookie from an HTTP request sent to it. The QJSLib and QPyLib libraries do this automatically when making HTTP requests to the QRadar API.
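For a backend that does not use those libraries, the following Python shows the manual equivalent: read the QRadarCSRF cookie from the incoming request's Cookie header and attach it as a header on the outgoing API call. This is an added example, not code from QRadar, QJSLib or QPyLib; the function names, the accepted token character set and the sample cookie values are assumptions made for illustration.

```python
import re
from http.cookies import CookieError, SimpleCookie

CSRF_KEY = "QRadarCSRF"  # cookie/header key named on this page

# Assumption: a token is 1-256 characters from this set; anything else
# (spaces, CR/LF, quotes) is rejected so it cannot corrupt the outgoing header.
_TOKEN_RE = re.compile(r"[A-Za-z0-9._~+/=-]{1,256}")

# Constructed sample of the Cookie header an app endpoint might receive.
SAMPLE_COOKIE_HEADER = "session=constructed-session; QRadarCSRF=constructed-token-0001"


class MissingCsrfToken(Exception):
    """The incoming request carried no usable QRadarCSRF cookie."""


def csrf_token_from_cookie_header(cookie_header):
    """Return the QRadarCSRF value from a raw Cookie header, or raise."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError as exc:
        raise MissingCsrfToken("unparseable Cookie header") from exc
    morsel = jar.get(CSRF_KEY)
    if morsel is None or not _TOKEN_RE.fullmatch(morsel.value):
        raise MissingCsrfToken("no valid %s cookie in request" % CSRF_KEY)
    return morsel.value


def api_headers(cookie_header, extra=None):
    """Headers for a backend call to the QRadar API, carrying the token."""
    headers = dict(extra or {})
    headers[CSRF_KEY] = csrf_token_from_cookie_header(cookie_header)
    return headers


if __name__ == "__main__":
    # Pass the result as the headers of whatever HTTP client the app uses.
    print(api_headers(SAMPLE_COOKIE_HEADER, {"Accept": "application/json"}))
```

Failing closed with an exception when the cookie is absent or malformed keeps the app from sending an API request that would be rejected by the CSRF check anyway.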
CSRF in apps
Apps that target QRadar versions 7.3.3 FixPack 9 and above can make use of QRadar CSRF to protect endpoints.
Apps should implement CSRF protection. The recommended approach is to use WTForms and Flask-WTF to generate and validate CSRF tokens. See ‘Adding CSRF protection’ for how to use Flask-WTF with a QRadar app.