What is CSRF

Cross-Site Request Forgery (CSRF) is a web application vulnerability in which another website makes a victim's browser send requests to Jenkins, and Jenkins carries them out because the browser attaches the victim's existing session cookie. It is highly recommended to keep CSRF protection enabled so that Jenkins rejects such cross-site operations.

CSRF protection works by having Jenkins issue a crumb (a token) that the client must include with every request that triggers a build or changes the Jenkins configuration (in practice, every POST). A page on another site cannot read the crumb, so its forged requests are rejected.

CSRF protection has been enabled by default since Jenkins 2.0. From Jenkins 2.222 the checkbox to disable it has been removed from "Configure Global Security"; it can only be turned off with a system property.

Enable CSRF Protection

CSRF protection is on by default, so this step is only needed if it was turned off earlier with the system property. To re-enable it at runtime, navigate to the path below and set the flag to false:

Login to Jenkins -> Manage Jenkins -> Script Console

hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = false

This takes effect immediately but is not persisted. If the Jenkins JVM was started with -Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true, remove that option from the startup arguments as well, otherwise protection is disabled again at the next restart.

The default Crumb Issuer encodes the following information in the hash used as the crumb:

  • The username that the crumb was generated for
  • The web session ID that the crumb was generated in
  • The IP address of the user that the crumb was generated for (omitted when "Enable proxy compatibility" is checked, because requests through a proxy may arrive from varying addresses)
  • A salt unique to this Jenkins instance

Because the crumb is bound to the user and to the web session, a crumb is only valid for requests made in the same session it was issued in, and a crumb obtained by an attacker in their own session is useless against a victim. Since CSRF protection is enabled by default, any scripted client that triggers builds or changes configuration remotely must obtain a crumb and send it back (or authenticate with an API token, which is exempt).
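The following is an added example, not code from the original page or from Jenkins itself. It is a small Python model of a crumb issuer, patterned on the description above (the crumb is derived from the user, the session ID, the client IP and an instance salt), and it runs the four request shapes a practitioner meets in practice through the validator: a legitimate same-session request, a forged cross-site POST (the browser attaches the cookie but the attacking page cannot add the crumb), a scripted client that fetched a crumb and then dropped its session cookie, and a crumb issued to a different user. The class, field and user names are assumptions made for the example; the HMAC-SHA-256 construction is illustrative and is not Jenkins' exact code.

```python
"""Model of how a Jenkins crumb is bound to the requester (illustrative only;
not Jenkins' own DefaultCrumbIssuer code). Shows why a forged cross-site
request fails and why a scripted client must keep its session cookie."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """The parts of an inbound POST that the crumb check looks at (hypothetical)."""
    user: Optional[str]            # authenticated user, None for anonymous
    session_id: str                # value of the JSESSIONID cookie the client sent
    client_ip: str
    headers: dict = field(default_factory=dict)
    api_token_auth: bool = False   # True when Basic auth used an API token


class CrumbIssuer:
    FIELD = "Jenkins-Crumb"        # header / parameter name (crumbRequestField)

    def __init__(self, exclude_client_ip: bool = False):
        # Per-instance secret that never leaves the server: a third party cannot
        # compute a crumb even if it knows the user, session ID and IP address.
        self._salt = secrets.token_bytes(32)
        self.exclude_client_ip = exclude_client_ip   # "Enable proxy compatibility"

    def issue(self, req: Request) -> str:
        parts = [req.user or "anonymous", req.session_id]
        if not self.exclude_client_ip:
            parts.append(req.client_ip)
        return hmac.new(self._salt, ";".join(parts).encode(), hashlib.sha256).hexdigest()

    def validate(self, req: Request) -> bool:
        if req.api_token_auth:
            return True                           # API-token requests are exempt
        presented = req.headers.get(self.FIELD)
        if presented is None:
            return False                          # "No valid crumb was included in the request"
        # Recompute for THIS request: a crumb from another user or session will not match.
        return hmac.compare_digest(presented.encode(), self.issue(req).encode())


def scenarios(issuer: CrumbIssuer) -> dict:
    """Run five constructed requests against one issuer; returns which ones pass."""
    alice = Request("alice", "sess-A", "10.0.0.5")
    crumb = issuer.issue(alice)                   # what alice's page or script fetched
    mallory_crumb = issuer.issue(Request("mallory", "sess-M", "10.0.0.9"))
    return {
        # same user, same session, crumb sent back: the legitimate case
        "same_session": issuer.validate(
            Request("alice", "sess-A", "10.0.0.5", {issuer.FIELD: crumb})),
        # evil site makes alice's browser POST: the cookie rides along, the crumb cannot
        "cross_site_no_crumb": issuer.validate(
            Request("alice", "sess-A", "10.0.0.5")),
        # scripted client fetched a crumb, then did not send the cookie: new session
        "crumb_without_cookie": issuer.validate(
            Request("alice", "sess-B", "10.0.0.5", {issuer.FIELD: crumb})),
        # attacker replays a crumb issued for their own user and session
        "foreign_crumb": issuer.validate(
            Request("alice", "sess-A", "10.0.0.5", {issuer.FIELD: mallory_crumb})),
        # Basic auth with an API token skips the crumb check entirely
        "api_token": issuer.validate(
            Request("alice", "sess-C", "10.0.0.5", api_token_auth=True)),
    }


if __name__ == "__main__":
    for name, accepted in scenarios(CrumbIssuer()).items():
        print(f"{name:22} {'accepted' if accepted else 'rejected (403)'}")
```

The "crumb_without_cookie" case is the one that trips up most scripted clients: since Jenkins 2.176.2 the crumb is tied to the web session, so the request that fetches the crumb and the request that uses it must share the same session cookie.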

Disable CSRF Protection

Disabling CSRF protection is not recommended; scripted clients can use an API token or a crumb instead. If you must disable it, either start the Jenkins JVM with -Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true, or flip the flag at runtime (effective immediately, lost at the next restart) by navigating to the path below:

Login to Jenkins -> Manage Jenkins -> Script Console

hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true

How to run Jenkins jobs remotely

API Token

Requests that authenticate to Jenkins with an API token (HTTP Basic auth with the user's API token as the password) are exempt from CSRF protection, so they need no crumb. This is the preferred way for webhooks and scripts to authenticate.

Below is a Bitbucket webhook URL that triggers a Jenkins job remotely; "token" is the job's "Trigger builds remotely" authentication token, while the value after the username is the user's API token. Note that the credentials are embedded in the URL and sent over plain HTTP, so they will appear in the Bitbucket webhook configuration, in proxy logs and in the Jenkins access log; use HTTPS and a dedicated low-privilege user for webhooks.

http://dptuser:11f3a4098bc743f597d4cb89fc9b03a9a8@54.165.163.154:8080/job/demo/build?token=12345

Password

Requests that authenticate to Jenkins with a password are not exempt from CSRF protection: a POST without a valid crumb is rejected with HTTP 403 ("No valid crumb was included in the request"). To manage Jenkins remotely with password authentication you must obtain and send a crumb (see the Crumb section); switching to an API token or disabling CSRF protection are the alternatives, and disabling is not recommended.

Below is the same Bitbucket webhook URL with a password instead of an API token. A webhook POST using it will fail the crumb check unless the job is triggered by a GET, and it exposes the account password in the same places as above.

http://dptuser:dptpassword@54.165.163.154:8080/job/demo/build?token=12345

Crumb

Scripted clients must first request a crumb, and every remote request that triggers a build or changes configuration must then include that crumb. Because the crumb is bound to the web session it was issued in, the client must also keep the session cookie (JSESSIONID) from the crumb request and send it with the subsequent requests.

The Jenkins API endpoint "crumbIssuer/api" issues crumbs. Run the wget command below to obtain one; it prints the request field name and the crumb joined by a colon (for example "Jenkins-Crumb:&lt;hex&gt;"), which is exactly the header a later request must carry, and it saves the session cookie to a file so the crumb stays valid.

wget --user=dptuser --password=dptpassword --auth-no-challenge --keep-session-cookies --save-cookies cookies.txt -q --output-document - 'http://54.196.186.91:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'

You must include the crumb, as the header named by crumbRequestField (Jenkins-Crumb by default), in every request that builds a job or changes the Jenkins configuration, and send the saved session cookie with it. The --auth-no-challenge flag is needed because Jenkins answers unauthenticated API calls with 403 rather than a 401 challenge, so wget would otherwise never send the credentials.

Below is the POST request to trigger Jenkins job remotely.

curl -X POST -b cookies.txt -H "Jenkins-Crumb:ee9dce3675a32906d9a547fb1d2f3bf2b353f704e4293978cfc462de5c1cfc4c" http://dptuser:dptpassword@54.196.186.91:8080/job/dptbuild/build

The -b cookies.txt option replays the session cookie saved by wget; without it Jenkins starts a new session and rejects the crumb with 403. A successful trigger returns 201 Created with a Location header pointing at the queue item.
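The following is an added example, not code from the original page or from Jenkins; it does in Python what the wget and curl commands above do by hand. It fetches a crumb from /crumbIssuer/api/json, keeps the session cookie Jenkins sets on that response, and POSTs to the build endpoint with the crumb header and the same cookie, so the crumb validates. Credentials are sent pre-emptively for the same reason wget needs --auth-no-challenge. The host, job name, build token and account in the usage line are assumptions made for the example.

```python
"""Scripted Jenkins client that performs the crumb exchange correctly (added
example): fetch a crumb, keep the session cookie it was issued for, then POST
the build request with both."""
import base64
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar
from typing import Optional, Tuple


def basic_auth_header(user: str, secret: str) -> str:
    """Pre-emptive HTTP Basic credentials. Jenkins answers unauthenticated API
    calls with 403 rather than a 401 challenge, so urllib's HTTPBasicAuthHandler
    would never send them; build the header up front instead."""
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return f"Basic {token}"


def parse_crumb(body: bytes) -> dict:
    """Map a /crumbIssuer/api/json response to the header the POST must carry,
    e.g. {"Jenkins-Crumb": "<hex>"}; the field name is whatever the server says."""
    data = json.loads(body)
    return {data["crumbRequestField"]: data["crumb"]}


def build_url(base_url: str, job: str, build_token: Optional[str] = None) -> str:
    """Build endpoint URL, with the job's 'Trigger builds remotely' token if one is set."""
    url = f"{base_url.rstrip('/')}/job/{job}/build"
    return f"{url}?token={build_token}" if build_token else url


def make_session(user: str, secret: str) -> urllib.request.OpenerDirector:
    """Opener that stores JSESSIONID between requests and sends Basic credentials
    on every request (they are added as unredirected headers by urllib)."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    opener.addheaders = [("Authorization", basic_auth_header(user, secret))]
    return opener


def trigger_build(base_url: str, user: str, password: str, job: str,
                  build_token: Optional[str] = None) -> Tuple[int, Optional[str]]:
    """Fetch a crumb and trigger the job in the same session.
    Returns (HTTP status, queue item URL); 201 means queued, 403 means the
    crumb or cookie was missing or mismatched."""
    opener = make_session(user, password)
    with opener.open(f"{base_url.rstrip('/')}/crumbIssuer/api/json") as resp:
        crumb_header = parse_crumb(resp.read())    # cookie jar now holds JSESSIONID
    req = urllib.request.Request(build_url(base_url, job, build_token),
                                 data=b"", method="POST", headers=crumb_header)
    try:
        with opener.open(req) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:          # e.g. 403 "No valid crumb was included"
        return err.code, None


if __name__ == "__main__":
    # Hypothetical host, account, job and build token; replace with your own.
    print(trigger_build("http://jenkins.example.com:8080", "dptuser", "dptpassword",
                        "dptbuild", build_token="12345"))
```

If the account's API token is used as the password instead, the same code still works; the crumb is then simply redundant because token-authenticated requests are exempt from the check.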

Note: requests that authenticate to Jenkins with a username and API token are exempt from CSRF protection, so they need neither a crumb nor a session cookie.

Video : https://www.youtube.com/watch?v=nqoVPCJGQOg

© Edwiki Trainings
