Microsoft Dynamics AX (Archived)
AX 2012 EP CSRF/XSRF prevention

Hi All,

Any ideas on how to prevent AX2012 Enterprise Portal (EP) Cross-site request forgery (CSRF/XSRF)? 

For sure, AX2012 EP currently doesn't have such a feature. Adding it one page at a time would be quite troublesome.

Is there any shared/common page that can be used to add the XSRF prevention code? I checked, and editing the master page is not enough because many pages, such as dialog boxes, do not use the master page. Or is there anything I missed on the master page?

Thank you very much.
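Added example (not code from the original post, and not part of AX or SharePoint): one way to get the protection the question asks for without editing each page is an ASP.NET HttpModule, because a module registered in the web application's web.config runs for every request in the pipeline, including dialog and layouts pages that do not inherit the master page. The module below issues a random per-session synchronizer token on safe requests and rejects any other request that does not carry the token back in a hidden field or a request header. The namespace, class name, field and header names are assumptions; it also assumes ASP.NET session state is available to the handler (SharePoint web applications often have it disabled, in which case the token must be bound to the authenticated identity instead), and it is a supplement to, not a replacement for, SharePoint's own form digest (`__REQUESTDIGEST`, validated with `SPUtility.ValidateFormDigest()`).

```csharp
// Added example: synchronizer-token CSRF check as an IHttpModule, so it covers
// every page of the web application regardless of master page. Names below
// (namespace, class, field/header names) are assumptions, not SharePoint or AX APIs.
using System;
using System.Security.Cryptography;
using System.Web;

namespace Contoso.Ep.Security   // hypothetical namespace
{
    public class CsrfTokenModule : IHttpModule
    {
        private const string SessionKey = "__CsrfToken";   // token stored server side
        private const string FormField  = "__CsrfToken";   // hidden input name on forms
        private const string HeaderName = "X-CSRF-Token";  // alternative for AJAX callers

        public void Init(HttpApplication app)
        {
            // PostAcquireRequestState fires after session state is loaded and before
            // any page handler (master page or not) executes.
            app.PostAcquireRequestState += OnPostAcquireRequestState;
        }

        public void Dispose() { }

        private static void OnPostAcquireRequestState(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            HttpContext ctx = app.Context;
            if (ctx.Session == null) return;   // handler without session state: nothing to bind to

            // Issue one random token per session and reuse it for the session lifetime.
            string expected = ctx.Session[SessionKey] as string;
            if (expected == null)
            {
                expected = NewToken();
                ctx.Session[SessionKey] = expected;
            }

            // Safe methods only need the token made available to the page so it can
            // be emitted as a hidden field; every other method must present it.
            string method = ctx.Request.HttpMethod;
            if (method == "GET" || method == "HEAD" || method == "OPTIONS")
            {
                ctx.Items[FormField] = expected;
                return;
            }

            // Note: reading Request.Form triggers ASP.NET request validation where it
            // is enabled; SharePoint web.config normally sets validateRequest="false".
            string supplied = ctx.Request.Form[FormField] ?? ctx.Request.Headers[HeaderName];
            if (supplied == null || !FixedTimeEquals(supplied, expected))
            {
                ctx.Response.StatusCode = 403;
                ctx.Response.StatusDescription = "Missing or invalid anti-forgery token";
                app.CompleteRequest();   // skip to EndRequest; the page handler never runs
            }
        }

        // 256 bits from the OS CSPRNG, base64 so it survives form and header transport.
        private static string NewToken()
        {
            byte[] buf = new byte[32];
            using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(buf);
            }
            return Convert.ToBase64String(buf);
        }

        // Constant-time comparison so a timing oracle cannot recover the token byte by byte.
        private static bool FixedTimeEquals(string a, string b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

Register the module in the EP web application's web.config under `<system.webServer><modules>` (IIS integrated pipeline) with an `<add name="CsrfTokenModule" type="Contoso.Ep.Security.CsrfTokenModule, Contoso.Ep.Security" />` entry, and have pages emit `HttpContext.Current.Items["__CsrfToken"]` as a hidden input (or send it in the `X-CSRF-Token` header from script). Before enabling it in production, confirm in a test environment that every existing POST path, including AJAX calls from dialog pages and any form submitted without a preceding GET in the same session, carries the token; otherwise the module will return 403 for legitimate users.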

Reply by Rodolfo Recalde

    Hi,

    I'm not a security expert, though, I've worked on several EP projects in AX 2009 and AX 2012 (R2 - R3) for large companies. I've followed security company audits that test for possible vulnerabilities of AX components, with Enterprise Portal being one of them.
    This type of vulnerability has never been cited in a security clearance report. So, first of all, thank you very much for sharing this question with us.


    As you may already know, Enterprise Portal is based on the SharePoint platform. From what I've been able to find, SharePoint has some functionality to avoid CSRF vulnerabilities.

    Check this link and this link.


    I'll share with you a security change that can influence this vulnerability scenario.

    Set the Forms Authentication option to Disabled for the Enterprise Portal web site in IIS (Authentication section). Also review the advanced settings.

    Figure 1: IIS Authentication settings for the EP web site, showing the Forms Authentication option (image not preserved)

    There may be some security conflicts, depending on your settings; in that case, compare your environment with Figure 1 (all groups) and test the disable/off change in a non-production environment, with a backup.

    However, if you use anonymous access to the EP, these changes can affect authentication.


    Some other questions:

    What is the version of AX/EP [R2, R3, CU9,10,11...] you are analyzing?

    What is the SharePoint version?

    Does the EP site have anonymous access?

    Does the EP site have users outside the domain?

    I have not yet had time to set up a scenario to try to replicate that vulnerability. Would it be possible for you to share, step by step, how your test was done, to find this vulnerability?

    I hope this helps!

    Regards,

    Rodolfo Recalde
