QRadar CSRF

QRadar 7.3.3 Fix Pack 9 and later allows apps to use QRadar’s CSRF validation to protect against CSRF vulnerabilities. This simplifies protecting app endpoints from CSRF attacks, with QRadar apps not having to provide their own protection against these attacks.

Configuring QRadar app CSRF protection

Apps can enable CSRF protection by setting the use_qradar_csrf flag in their app manifest files:

{
    ...
    "use_qradar_csrf": "true"
}

The use_qradar_csrf means that any POST/PUT/DELETE/PATCH request to the app that is not from an authorized service or from an internal QRadar process will require a valid CSRF token provided as a header in the request, if an invalid token or no token is provided the request will fail with a 403 Forbidden error.

The CSRF token should be included in the header of the request with the key QRadarCSRF. Use the QJSLib JavaScript library to handle populating this header automatically. If you are not using QJSLib you can manually access the QRadar CSRF token by reading the QRadarCSRF cookie in the browser.

CSRF protection process

  1. The user loads a page in the QRadar user interface with the app on it with a GET|HEAD|OPTIONS|TRACE request, such as an area.
  2. This request generates a cookie which is stored in the browser called QRadarCSRF which can be used to validate HTTP requests if provided as a header in the request.
  3. The user performs an action that uses a POST|PUT|DELETE|PATCH request, the CSRF token is added as a header to this request.
  4. QRadar handles the request, if the CSRF token is provided and valid then the request will be forwarded to the app’s endpoints, if it is not provided or invalid a 403 Forbidden error will be returned.

Limitations

  • QRadar CSRF is applied across every endpoint in the app, it cannot be selectively applied per endpoint.
  • CSRF tokens must be provided in the header of the request, this is the only supported method of providing a CSRF token. This means that HTML forms are not supported by QRadar CSRF, since HTML forms cannot set headers, instead JavaScript should be used to make the request.
  • When using any QRadar GUI actions with an app, make sure they are using GET|HEAD|OPTIONS|TRACE, if they use POST|PUT|DELETE|PATCH they will fail as they will not be provided with the QRadar CSRF token.

See ‘Using QRadar CSRF’ to see how to use QRadar CSRF with a QRadar app.