Is Cross Site Request Forgery (CSRF) & XSS applicable to RPG coding?

I refer to above url

a) are the above url's sample codes RPG codes?

b) are CSRF & XSS secure coding applicable to RPG coding?
Gary Patterson (VP Technology / Senior Consultant) commented:
Who knows, maybe your colleagues are using a framework that includes good input validation, or have built and maintain good input validation routines that make their sites invulnerable to these attacks. I'd need to see your production code to comment.

Maybe all the UI layer is managed by another software layer, and all the RPG programs see are nice validated input.

Maybe they are living in AS/400 security dreamland: a place where nothing bad can ever happen to you because you run a magical operating system that even protects them against programmer errors and ignorance.

But there is nothing in RPG (I'm an IBM i / iSeries AS400 RPG programmer with almost 3 decades of experience) that provides automatic protection from these attacks.  It has nothing to do with the inherent security of the operating system - this is all about understanding web application security, and how to prevent common attacks through input validation.

For RPG, good luck with source vulnerability scanners. They need to understand the programming language, and most don't - not even IBM's AppScan Source product (which really is a great product - I've used it in the past):

There are two approaches to web application security (we prefer using both for web-facing mission critical applications):

Application scanning applications - which typically simulate an attack to determine if a vulnerability exists.

Source scanning applications - which search application source code for high-risk code patterns (or missing validation code patterns).

For applications that depend on less-widely used web programming languages like RPG, I suggest you look at application scanning tools, as opposed to source scanning tools.
sunhux (Author) commented:
RPG is the coding used in AS400 or OS400
btan (Exec Consultant) commented:
The site shows the RPG typing for the mentioned CGI program which takes in the csrftoken.
D CSRFToken       S            256                          
D CSRFTokenCookie...                                        
D                 S            256                          


CSRFToken = #getData('CSRFToken');          
CSRFTokenCookie = #getCookie('CSRFToken');
You can check out the IBM site on RPG programming codes, note the syntax!
/wiki/We13116a562db_467e_bcd4_882013aec57a/page/Coding%20in%20RPG%20IV%20-%20Chapter%202%20General%20info%20about%20RPG

Secure coding on web vulnerabilities as mentioned applies in the concept, it is not only web based. E.g. general SQL secure practices also apply to DB2 on the iSeries (injection protection and such), which includes embedded SQL in RPG programs.

See secure coding for business oriented languages like COBOL and RPG, which are application driven and fronted mostly by web based services. Application based code tends to interface with the DB tier, hence the below shows gaps specific to SQL injection coding.

RPG language is used today in IBM platforms, on mainframe and mid-range systems (iSeries, AS/400 or whatever brand IBM currently uses). “Attack surface” is similar to COBOL, with security concerns in RPG code not well-known, as with COBOL.

Regarding technical flaws, RPG uses EXEC SQL for embedded code, that is safe unless dynamic SQL is used
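The double-submit CSRF check that the quoted D-specs set up, together with the embedded-SQL point from the same post, as an added example that is not code from this thread or from the linked article. It assumes fully free-form RPG IV, the thread's #getData/#getCookie procedures (prototypes taken from a hypothetical copy member cgilib,prototypes), and a hypothetical #sendError procedure and CUSTOMER table.

```rpgle
**free
// Added example, not code from the thread: the double-submit CSRF check the
// quoted D-specs set up, plus the embedded-SQL point from the same post.
// #getData/#getCookie are the CGI library procedures quoted in the thread
// (prototypes assumed to come from its copy member); the copy member name,
// #sendError and the CUSTOMER table are hypothetical.
ctl-opt dftactgrp(*no) actgrp(*new);
/copy cgilib,prototypes
dcl-s csrfToken       varchar(256);
dcl-s csrfTokenCookie varchar(256);
dcl-s custIdText      varchar(20);
dcl-s custId          packed(9:0);
dcl-s custName        char(50);
dcl-s sqlStmt         varchar(1000);

csrfToken       = #getData('CSRFToken');
csrfTokenCookie = #getCookie('CSRFToken');
// The request is genuine only if the form field and the cookie carry the same
// non-empty token: a cross-site page can make the browser send the cookie,
// but cannot read it to copy the value into its forged form.
if csrfToken = '' or csrfToken <> csrfTokenCookie;
  #sendError(403 : 'CSRF token missing or mismatched');
  return;
endif;

custIdText = #getData('custid');
// Unsafe (shown for contrast, not executed): splicing the request value into
// the statement text lets "1 OR 1=1" run as SQL. This is the dynamic SQL
// the quoted article warns about.
//   sqlStmt = 'SELECT CUSTNAME FROM CUSTOMER WHERE CUSTID = ' + custIdText;
//   exec sql prepare s1 from :sqlStmt;

// Safe: check the type, then pass the value through a host variable so DB2
// treats it as data, never as statement text.
monitor;
  custId = %dec(custIdText : 9 : 0);
on-error;
  #sendError(400 : 'custid must be numeric');
  return;
endmon;
exec sql select custname into :custName from customer where custid = :custId;

// Dynamic SQL stays safe when the value enters through a parameter marker.
sqlStmt = 'SELECT CUSTNAME FROM CUSTOMER WHERE CUSTID = ?';
exec sql prepare s2 from :sqlStmt;
exec sql declare c1 cursor for s2;
exec sql open c1 using :custId;
exec sql fetch c1 into :custName;
exec sql close c1;
*inlr = *on;
```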

☠ MASQ ☠ commented:
RPG is the coding used in AS400 or OS400
That's a relief! I was trying to work out how CSRF could be used as an exploit in Role Playing Games!
Gary Patterson (VP Technology / Senior Consultant) commented:
1a) Yes, CGI example shown is RPG.

1b) Yes. RPG applications can be vulnerable to CSRF & XSS if proper precautions are not taken - same as any programming language.
shalomc (CTO) commented:
CSRF and XSS vulnerabilities exist because of how http web servers and web clients interface and operate, regardless of the platform the server runs on. It could be php, or java, or node.js, or RPG.

Sometimes you as a programmer use a framework that attempts to mitigate those risks, but they are always there, and must be dealt with. To deal with CSRF, XSS and other application level attacks like content injections, you must first understand what they do and how they can be invoked. I strongly suggest looking at the OWASP top 10.

You will notice that although some server side examples are presented in php or java, they are applicable in all programming languages and frameworks, even in RPG.

Especially in RPG, since IBM i developers who turned to web tend to be too arrogant in their false presumption that they have the best and most secure platform in the world.
sunhux (Author) commented:
Thanks Gary, Shalom.

I'm facing resistance from my colleagues in apps teams doing Cobol & RPG coding who categorically
claim that XSS & CSRF & X-Frame-Option (=SAMEORIGIN to deal with clickjacking) are irrelevant &
inapplicable to RPG & Cobol.

If you could indicate short Cobol & RPG codes that allude to XSS & clickjacking vulnerabilities or
provide more links that explicitly indicate so, it would help to convince them.

One side question:
an external consultant for secure coding told me that open source source code scanners (eg: Yasca)
usually detect only about 20% of poor/insecure code while paid scanners (specifically he says
Fortify & Appscan) usually detect about 3 times more for the same piece of code: any truth?
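Short RPG code of the kind asked for above, as an added example that is not part of any post in this thread: the output-side precautions a CGI RPG program needs against XSS (HTML-escaping whatever is echoed back) and against clickjacking (the X-Frame-Options: SAMEORIGIN header mentioned in the question). It assumes fully free-form RPG IV, the thread's #getData procedure (prototype from a hypothetical copy member cgilib,prototypes) and IBM's QtmhWrStout CGI output API.

```rpgle
**free
// Added example, not code from the thread: output-side precautions for a CGI
// RPG program against XSS (HTML-escape anything echoed back) and clickjacking
// (send X-Frame-Options). #getData is the thread's CGI library procedure
// (copy member name assumed); QtmhWrStout is the IBM HTTP server API that
// writes to the CGI response stream.
ctl-opt dftactgrp(*no) actgrp(*new) bnddir('QHTTPSVR/QZHBCGI');
/copy cgilib,prototypes
dcl-pr QtmhWrStout extproc('QtmhWrStout');
  data      char(65535) options(*varsize) const;
  dataLen   int(10) const;
  errorCode char(8) options(*varsize);
end-pr;
dcl-s errCode char(8) inz(*allx'00');   // bytes provided = 0: errors are signalled
dcl-s name    varchar(1000);

name = #getData('name');
// Response headers first: the SAMEORIGIN restriction sunhux mentions stops the
// page being framed by another site; the empty line ends the header block.
writeOut('Content-Type: text/html; charset=utf-8');
writeOut('X-Frame-Options: SAMEORIGIN');
writeOut('');
// Unsafe: writeOut('<p>Hello ' + name + '</p>') would execute a <script>
// tag supplied in the "name" field. Escaping makes it display as text.
writeOut('<p>Hello ' + htmlEscape(name) + '</p>');
*inlr = *on;

dcl-proc htmlEscape;
  dcl-pi *n varchar(2000);
    text varchar(1000) const;
  end-pi;
  dcl-s out varchar(2000);
  // '&' goes first so the entities inserted afterwards are not re-escaped.
  out = %scanrpl('&' : '&amp;'  : text);
  out = %scanrpl('<' : '&lt;'   : out);
  out = %scanrpl('>' : '&gt;'   : out);
  out = %scanrpl('"' : '&quot;' : out);
  out = %scanrpl('''' : '&#39;' : out);
  return out;
end-proc;

dcl-proc writeOut;
  dcl-pi *n;
    line varchar(4000) const;
  end-pi;
  // x'15' is the EBCDIC newline; the server translates it to LF on output.
  QtmhWrStout(line + x'15' : %len(line) + 1 : errCode);
end-proc;
```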
btan (Exec Consultant) commented:
You should also include SQLi, this is also one of the top major web vulnerabilities (also in OWASP)
- sample for COBOL and RPG (as in my last post) -

To further this, Appscan (scan tool) also advocates the flaw checks in COBOL source code. Instead you should ask for the code to be scanned using the scanner, rather than getting any other codes to reflect on for assurance.
How do you learn about COBOL scan rules in IBM Security AppScan Source for Security - and what are some of the potential vulnerabilities in COBOL source code?


 COBOL files (.cbl) can be directly imported into AppScan Source for security scanning.

 From a security perspective, COBOL applications have similar considerations to any other kind of application. AppScan Source can help you identify high risk locations within your COBOL application - and assist you in their remediation.
btan (Exec Consultant) commented:
YASCA coverage depends more on the plugins it supports; some of the external plugins distributed with Yasca are listed below. But note the plugin will be file extension specific to invoke a scan. For instance, a plugin that scans Java source code can be configured to only scan files with the .java extension.
Grep Plugin. Uses external GREP files to scan target files for simple patterns.
PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues.
JLint Plugin. Uses J-Lint to scan Java .class files for issues.
antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues.
FindBugs Plugin. Uses FindBugs to scan Java class and Jar files for issues.
Lint4J Plugin. Uses Lint4J to scan Java .class files for issues.

The grep plugin is useful in having extended coverage as long as you can supply the valid PCRE-style regular expression for the flaw, including OWASP ones. For more info, see this
shalomc (CTO) commented:
Hi sunhux,

Obviously your colleagues are clueless to the nature of CSRF and XSS.
Please read the OWASP examples and show them that XSS and CSRF are platform agnostic, and are as applicable to COBOL web apps as to PHP code.

You can also tell them that the author of this book told you personally that using COBOL does not make a web application immune to these attacks.  

COBOL and RPG, although poor choices for web development, are capable of dealing with web based attacks ONLY IF you make them so, not by any inherent nature.

The only way for COBOL and RPG to be irrelevant is if all of the web interface is managed by an external platform, and COBOL/RPG are used as a data backend to that. But then SQL injection must still be ruled out.