Protection Against Cross-Site Request Forgery - Konftel 800 Installation & Administration

SECURITY AND PROTECTION
1. Log in as the administrator.
2. On the phone screen tap Settings > Admin > Device Management.
3. Disable Web Access.
4. Tap the Arrow Left icon twice to return to the home screen.
The phone reboots to apply the changes.

To disable web access through the web interface, do the following:
1. Log in to the web interface.
2. Click Provisioning.
3. In the Device Management section, disable Web Access.
You can see the following warning message: You will not be able to access phone administration web interface after disabling Web Access.
4. Click Save.

To disable web access by using the .xml configuration file, do the following:
1. Locate the <httpd> section in the configuration file.
2. In the <enable> line, change the value to false.
3. Save the file.
4. Import the configuration file through the web interface.
The phone reboots to apply the changes.

PROTECTION AGAINST CROSS-SITE REQUEST FORGERY
When the user logs in to the web interface of Konftel 800 with the administrator password, the web application of the phone uses specific tokens to protect against Cross-Site Request Forgery (CSRF) attacks.

CSRF is an attack that tricks the user into submitting a malicious request. The attacker takes the identity and privileges of the user to perform undesired actions on the user's behalf. CSRF attacks target functionality that causes a state change, for example changing the user's password. If the user stays authenticated to the website during the attack, the website cannot distinguish between forged and legitimate requests.

Konftel 800 generates a new CSRF token on each request. Each link or parameter change in the web interface needs to have a CSRF token as a request parameter. The web application checks whether the token in the request is the correct one. For example, if the attacker copies an existing link from the open web interface of
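The following is an added example, not Konftel's code, that models the per-request token scheme the section describes so the behaviour can be checked offline: each authenticated session holds exactly one valid token, every link rendered on a page carries it, and a successful state-changing request consumes the token and issues a fresh one. The parameter name csrf_token, the session identifier, the URL paths and the CsrfGuard class are all assumptions made for the illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed illustration of per-request CSRF tokens; not Konftel's code.
# Assumptions (hypothetical): one token per authenticated session, a request
# carries it as the query parameter "csrf_token", and every accepted request
# consumes the token and issues a fresh one for the next page.
CSRF_PARAM = "csrf_token"


class CsrfGuard:
    """Tracks the single currently valid token for each session."""

    def __init__(self):
        self._valid = {}  # session_id -> token that the next request must carry

    def issue(self, session_id):
        """Mint a fresh unpredictable token and make it the only valid one."""
        token = secrets.token_urlsafe(32)
        self._valid[session_id] = token
        return token

    def build_link(self, session_id, path, **params):
        """Build a link the way a rendered page would: with the session's current token."""
        params[CSRF_PARAM] = self._valid[session_id]
        return f"{path}?{urlencode(params)}"

    def handle(self, session_id, url):
        """Validate a state-changing request.

        Returns (accepted, token_valid_for_next_request). A missing, stale or
        guessed token is rejected and the current token is left untouched, so a
        forged request cannot knock the legitimate page out of sync. On success
        the token is consumed and rotated, so a copied link cannot be replayed.
        """
        expected = self._valid.get(session_id)
        query = parse_qs(urlparse(url).query)
        presented = query.get(CSRF_PARAM, [None])[0]
        if expected is None or presented is None:
            return False, expected
        # Constant-time comparison; bytes avoids the ASCII-only restriction on str.
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False, expected
        return True, self.issue(session_id)


def demo():
    """Walk through the cases the section describes and report which were accepted."""
    guard = CsrfGuard()
    session = "admin-session-1"  # constructed session identifier
    guard.issue(session)

    # 1. The administrator's page renders a link carrying the current token.
    link = guard.build_link(session, "/admin/password", action="change")
    accepted_first, _ = guard.handle(session, link)

    # 2. The same link, copied and re-submitted, now carries a stale token.
    accepted_replay, _ = guard.handle(session, link)

    # 3. A request without a token, or with a guessed one, is rejected as well.
    accepted_no_token, _ = guard.handle(session, "/admin/password?action=change")
    guessed = f"/admin/password?action=change&{CSRF_PARAM}={secrets.token_urlsafe(32)}"
    accepted_guess, _ = guard.handle(session, guessed)

    # 4. A link rendered with the rotated token still works for the real user.
    fresh_link = guard.build_link(session, "/admin/password", action="change")
    accepted_fresh, _ = guard.handle(session, fresh_link)

    return {
        "first": accepted_first,
        "replay": accepted_replay,
        "no_token": accepted_no_token,
        "guessed": accepted_guess,
        "fresh": accepted_fresh,
    }


if __name__ == "__main__":
    print(demo())
```

The point of rotating only on success is that a rejected request never changes the token the legitimate page already holds; the forged request fails, and the administrator's next click still carries a valid token.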