Excellent support from HCL
A recent customer security audit raised two concerns with our Domino SaaS applications. A significant part of the reason that we use HCL Domino is that it is robust and secure. As a matter of principle we do not code security ourselves but use the standard functionality provided by HCL. So we reached out to HCL and had great support.
CSRF Protection
The first issue raised was a Cross Site Request Forgery (CSRF) concern. The best resource to explain this attack vector is the Cross-Site Request Forgery Prevention – OWASP Cheat Sheet Series.
The main recommendation is "Check if your framework has built-in CSRF protection and use it", followed by a description of the "Synchronizer Token Pattern". This rang alarm bells since, as described above, we do not code our own security.
I was very pleasantly surprised when, within 48 hours of raising this with HCL, they advised that since V10 of Domino all new XPage applications do this automatically. "New" means NSFs that were created from scratch in version 10 or higher. This has not been documented as far as I can see.
If you look in a new NSF, the xsp.properties contains the setting xsp.csrf.protection=true.
This enables a built-in framework for CSRF protection 😊 and was very easily retrofitted to our existing NSFs.
When this feature is enabled every XPage contains a token such as <input type="hidden" name="$$viewid" id="view:_id1__VUID" value="!1to6ah3iyy1uc2gquai14d7ik!">. If the returned XPage does not carry this same token then an error is generated. The error will be CLFAD0253E: Cannot find a page instance corresponding to the ID: $$viewid=!aaaaaaaaaa!. It may have expired. Try loading the web page
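To show what the server is doing behind that hidden field and that error, here is an added illustration of the synchronizer token pattern in Python. It is not XPages' own code: the store class, the token format, the per-session binding and the 30 minute expiry are assumptions; only the $$viewid field name and the CLFAD0253E message text come from the post.

```python
# Added illustration of the synchronizer token pattern described above:
# each rendered page instance gets an unguessable hidden token ($$viewid) that
# the browser must echo back on submit. This is NOT XPages' implementation;
# the class, token format, session binding and expiry window are assumptions.
import secrets
import time
from html import escape

TOKEN_FIELD = "$$viewid"          # hidden field name used by XPages (from the post)
PAGE_INSTANCE_TTL = 30 * 60       # assumed lifetime of a page instance, in seconds


class PageInstanceStore:
    """Server-side record of live page instances, keyed by (session, token)."""

    def __init__(self, ttl=PAGE_INSTANCE_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock            # injectable so expiry can be tested
        self._instances = {}          # (session_id, token) -> creation time

    def issue(self, session_id):
        """Create a page instance token and return it with the hidden-input markup."""
        # 16 random bytes = 128 bits of entropy; a forged cross-site request
        # cannot guess this value, and it is bound to the issuing session.
        token = "!" + secrets.token_urlsafe(16) + "!"
        self._instances[(session_id, token)] = self.clock()
        markup = (f'<input type="hidden" name="{TOKEN_FIELD}" '
                  f'id="view:_id1__VUID" value="{escape(token)}">')
        return token, markup

    def validate(self, session_id, form):
        """Return (ok, message) for a submitted form.

        A missing token, a token issued to another session, or an expired
        page instance is rejected with the error text quoted in the post.
        """
        token = form.get(TOKEN_FIELD)
        created = self._instances.get((session_id, token))
        if token is None or created is None or self.clock() - created > self.ttl:
            self._instances.pop((session_id, token), None)   # drop stale entries
            return False, (f"CLFAD0253E: Cannot find a page instance corresponding "
                           f"to the ID: {TOKEN_FIELD}={token}. It may have expired.")
        return True, "ok"
```

A real implementation would also persist the store across server nodes and rotate the token after a successful post; this version keeps everything in memory to show the check itself.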
Although there was some frustration that this was not documented, it was fantastic that it had been added to XPages, and it is a good demonstration that XPages is still supported.
Session Strength (Entropy)
The second issue was what the external auditors described as "SessionStrength". They raised a concern that the LTPA tokens lacked entropy and were therefore insecure. This is the OWASP note on this concern – Session Management – OWASP Cheat Sheet Series.
HCL were confused by this finding as they did not feel that entropy was relevant. To address this they raised a formal tech note – IBM WebSphere LTPA tokens with Domino (hcltechsw.com) – so that we could share it with our customer. This is the kind of service that really matters.
Conclusion
This is a really good example of why we put our faith in HCL. We have a team of 5 very capable technical people but we cannot know everything. We therefore rely heavily on HCL, and the HCL Domino platform. These are great examples of why we should.
A frustration is that some important changes are not being documented (such as jQuery). Hopefully this is just a temporary consequence of the transition from IBM to HCL.
I do get a little jealous of the Microsoft .NET approach, where all of the reported bugs seem to be visible and dealt with in a structured way. I don't live in that project, so maybe the reality is different, but it would make our lives (and HCL's?) easier to be able to see what problems others are having with new Fix Packs rather than relying on Twitter, which is essentially gossip.
One small step in the right direction may be this idea – Complete reference for xsp.properties.