Thursday, May 2, 2013

Cross-Site Request Forgery (CSRF) in WebLogic/OSB 11g



Recently, while I was doing continuous testing in the OSB Console and collecting the performance metrics, the server was not responding. When we started digging in, we saw that the Admin server was down and it was throwing a "Could not discover URL for server 'AdminServer'" error.
Error log:
<Cannot contact the admin server. Therefore constructing the Cluster Authority Current time with the time skew 0
java.rmi.UnknownHostException: Could not discover URL for server 'AdminServer'
        at weblogic.protocol.URLManager.findURL(URLManager.java:145)
        at com.bea.alsb.platform.weblogic.topology.WlsRemoteServerImpl.getInitialContext(WlsRemoteServerImpl.java:94)
        at com.bea.alsb.platform.weblogic.topology.WlsRemoteServerImpl.lookupJNDI(WlsRemoteServerImpl.java:54)
        at com.bea.wli.sb.init.RemoteClusterTimerAuthority.getTimerAuthority(RemoteClusterTimerAuthority.java:59)
        at com.bea.wli.sb.init.RemoteClusterTimerAuthority.getClusterTimerAuthorityCurrentTime(RemoteClusterTimerAuthority.java:33)
        at com.bea.wli.timer.TimeSkewSynchronizer$TimeSkewSynchronizerTask.run(TimeSkewSynchronizer.java:47)

When we did some more research, it looked like a CSRF attack.
Error log:
A Cross-site request forgery (CSRF) has been detected. Task=com.bea.console.actions.changemgmt.StopEditAction address=10.111.11.10 user=george
Not sure what triggered it, but it was nice to learn more about CSRF from Oracle blogs and the Wiki.
Cross-Site Request Forgery (CSRF), also known as Cross-Site Reference Forgery (XSRF) or Session Riding, is a type of malicious exploit in which unauthorized requests are transmitted from a user to a trusted website (the target). CSRF exploits the trust that the targeted site has in a user's browser and generally works by embedding a link or script in a malicious page that makes the browser send a request to a site to which the user has already been authenticated.
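As an added example (not code from this post or from Oracle), here is a small Python triage script that parses lines in the format of the console message quoted above, counts detections per source address and user, and flags sources that repeat. The log excerpt is constructed: the Task value is the one from the post, while the repeated lines, the second address and the second user are assumptions.

```python
import re
from collections import Counter

# Regex for the WebLogic console CSRF detection line quoted in the post above.
CSRF_LINE = re.compile(
    r"A Cross-site request forgery \(CSRF\) has been detected\."
    r"\s+Task=(?P<task>\S+)\s+address=(?P<address>\S+)\s+user=(?P<user>\S+)"
)

# Constructed sample excerpt: the third line copies the post's message; the
# further detections, the address 10.111.11.25 and the user alice are made up.
SAMPLE_LOG = """\
<Cannot contact the admin server. Therefore constructing the Cluster Authority Current time with the time skew 0
java.rmi.UnknownHostException: Could not discover URL for server 'AdminServer'
A Cross-site request forgery (CSRF) has been detected. Task=com.bea.console.actions.changemgmt.StopEditAction address=10.111.11.10 user=george
A Cross-site request forgery (CSRF) has been detected. Task=com.bea.console.actions.changemgmt.StopEditAction address=10.111.11.10 user=george
A Cross-site request forgery (CSRF) has been detected. Task=com.bea.console.actions.changemgmt.StopEditAction address=10.111.11.10 user=george
A Cross-site request forgery (CSRF) has been detected. Task=com.bea.console.actions.changemgmt.StopEditAction address=10.111.11.25 user=alice
"""


def parse_csrf_events(log_text):
    """Return one dict (task, address, user) per detection line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = CSRF_LINE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def count_by_source(events):
    """Count detections per (address, user) pair."""
    return Counter((e["address"], e["user"]) for e in events)


def repeated_sources(events, threshold=3):
    """(address, user) pairs with at least `threshold` detections, most frequent first.

    A single detection can come from a stale console tab resubmitting a form;
    repeats from one address against one user's session deserve a closer look.
    """
    counts = count_by_source(events)
    return [src for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    found = parse_csrf_events(SAMPLE_LOG)
    for (addr, user), n in count_by_source(found).most_common():
        print(f"{addr:<16} {user:<10} {n} detection(s)")
    print("repeated:", repeated_sources(found))
```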
