Prevent Users From Accepting Warning To Bypass CSRF Validation [Updated in Security Center 1.3 and 1.5]
Summary of Prevent Users From Accepting Warning To Bypass CSRF Validation [Updated in Security Center 1.3 and 1.5]
This feature enhances security in ServiceNow Zurich release by enforcing strict validation of Cross-Site Request Forgery (CSRF) tokens. It prevents users from bypassing warnings related to mismatched CSRF tokens during POST requests, thus protecting the instance from potential CSRF attacks.
Key Features
- glide.security.csrf.strict.validation.mode Property: A system property that, when set to true, enforces strict CSRF token validation to prevent reuse and resubmission of requests with invalid or mismatched tokens.
- Prevention of Token Reuse: If a POST request contains an anti-CSRF token tied to a different active session, the system blocks resubmission by removing the "Continue" button on the security_interceptor.do page.
- Protection Against CSRF Attacks: By enabling this property, users cannot inadvertently or maliciously submit requests that exploit leaked tokens from other sessions.
Practical Impact for Customers
- Security Enhancement: Prevents attackers from performing unauthorized operations on behalf of users by exploiting CSRF token vulnerabilities.
- Recommended Configuration: Set glide.security.csrf.strict.validation.mode to true in System Properties to activate strict CSRF validation.
- User Experience: Users will no longer see the option to bypass CSRF warnings, thereby blocking potential malicious request resubmissions.
Security Considerations
CSRF is a medium-risk vulnerability that can compromise data integrity by tricking users into submitting unauthorized requests. Enabling strict CSRF validation mitigates this risk by ensuring that only requests with valid and current session tokens are accepted.
Use the glide.security.csrf.strict.validation.mode property to enable strict validation of the anti-CSRF token. If the token does not match the current session, the property prevents the request from being resubmitted.
This property prevents users from accepting a warning that would allow a potentially malicious request to be sent to the instance. The warning appears when a POST request fails because its anti-CSRF token is mismatched: it belongs to one of the victim's other active sessions rather than to the current one. If glide.security.csrf.strict.validation.mode is not set to the recommended value of true, an attacker can mount a CSRF attack using an anti-CSRF token leaked from a different active session belonging to the victim. A POST request to an instance carries the anti-CSRF token in the "sysparm_ck" parameter or the "X-UserToken" header, and that token must match the user's current session.
If the anti-CSRF token is instead tied to one of the user's other active sessions and the property is set to false, the POST request returns a 302 redirection to security_interceptor.do with a Continue button available to the user. Clicking the button resubmits the request to the instance, this time with a valid anti-CSRF token. When the property is set to true, the 302 redirection to security_interceptor.do does not display a Continue button and the user cannot resubmit the request. A successful CSRF attack lets an attacker perform effectively any operation that the victim is able to perform.
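To make the decision described above concrete, here is an added illustration in JavaScript (the platform's scripting language). It is not ServiceNow's own code: it models a server receiving a POST, compares the submitted token (from sysparm_ck or X-UserToken) with the caller's current session, and shows how the property decides whether the security_interceptor.do redirect offers a resubmit path. The session store, token values, the sys_properties snapshot, and the function names are constructed for this example.

```javascript
// Added illustration, not ServiceNow platform code: a model of the anti-CSRF
// decision and of what glide.security.csrf.strict.validation.mode changes.
// Session ids, token values and the property snapshot below are constructed.

// Constructed sample: "alice" has two active sessions, each with its own
// anti-CSRF token; "bob" has one session.
var sessions = {
  "sess-A": { user: "alice", token: "tok-A" },
  "sess-B": { user: "alice", token: "tok-B" },
  "sess-C": { user: "bob",   token: "tok-C" }
};

// Constructed sys_properties snapshot at the recommended (and default) value.
var sysProperties = { "glide.security.csrf.strict.validation.mode": "true" };

function strictModeEnabled(props) {
  var value = (props || sysProperties)["glide.security.csrf.strict.validation.mode"];
  return String(value).toLowerCase() === "true";
}

// Take the token the way the page describes: sysparm_ck parameter first,
// then the X-UserToken header.
function submittedToken(request) {
  var params = request.params || {};
  var headers = request.headers || {};
  if (params.sysparm_ck !== undefined) return params.sysparm_ck;
  if (headers["x-usertoken"] !== undefined) return headers["x-usertoken"];
  return null;
}

// Model the outcome of a POST:
//   { status: 200 }  when the token matches the caller's current session,
//   { status: 302, location: "security_interceptor.do", canContinue: bool }
//                    when it does not; canContinue models the Continue button.
function validatePost(request, props) {
  var current = sessions[request.sessionId];
  if (!current) return { status: 401 };
  var token = submittedToken(request);
  if (token !== null && token === current.token) return { status: 200 };

  // Mismatch: is the token one of the same user's other active sessions?
  var fromOtherOwnSession = Object.keys(sessions).some(function (id) {
    var s = sessions[id];
    return s.user === current.user && s.token === token;
  });

  // Strict mode never offers Continue. Without it, a token leaked from the
  // victim's other session gets a one-click resubmission with a valid token.
  var canContinue = fromOtherOwnSession && !strictModeEnabled(props);
  return { status: 302, location: "security_interceptor.do", canContinue: canContinue };
}

// Audit helper for a sys_properties export: flag a non-recommended value.
function auditStrictMode(props) {
  return strictModeEnabled(props)
    ? "compliant"
    : "noncompliant: set glide.security.csrf.strict.validation.mode to true";
}

// Walk-through: the victim's browser (session sess-A) submits a forged POST
// carrying tok-B, a token leaked from the victim's other session.
var forged = { sessionId: "sess-A", params: { sysparm_ck: "tok-B" } };
console.log("strict off:", validatePost(forged, { "glide.security.csrf.strict.validation.mode": "false" }));
console.log("strict on: ", validatePost(forged));
```

The audit helper is the piece worth keeping: run it over the value returned for the property from /sys_properties_list.do (or a sys_properties export) and treat anything other than "true" as a finding.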
More information
| Attribute | Description |
|---|---|
| Property name | glide.security.csrf.strict.validation.mode |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Access control |
| Purpose | Enforces strict validation of the anti-CSRF token and prevents its reuse. |
| Data type | Boolean |
| Recommended value | true |
| Default value | true |
| Security risk rating | 3.7 |
| Security risk | (Medium) Cross-Site Request Forgery is a significant security risk that violates the integrity of the instance data. An attacker can launch a CSRF attack on any instance user by abusing the trust of that user. With the help of social engineering, a user can be made to submit a malformed request to the instance on behalf of the attacker. |
| Functional impact | This remediation adds an extra validation step before an instance user submits a write request to the instance. It checks whether the current CSRF token has been used previously; if it has, it prevents submission of further write requests. |