[Owasp-csrfguard] Can't Get Forms Working

Nirav nirav.shah83 at gmail.com
Mon Aug 1 10:28:03 EDT 2011


Hello!

Thanks for your suggestion below. I prodded further into the HTML source
and need some help understanding how the form submission works. As you can
see from the attached screenshot, there is a hidden field that gets inserted
into the HTML, it just doesn't get used. Where should I be looking for the
code that actually makes the form submit with the hidden field?

Thanks!
Nirav


On Sat, Jul 30, 2011 at 9:56 PM, Patrick Radtke <pradtke at stanford.edu> wrote:

>  On 7/29/11 8:59 AM, Nirav wrote:
>
> Hi Patrick,
>
> Thanks for replying. We are using the JavaScript DOM Manipulation. The
> application POSTs to a URL without the token.
> The token's included in the Referer header. A firebug snapshot attached.
>
> Thanks!
> Nirav
>
>
> Nirav,
>
> The token should be added as a hidden form field. The referer header just
> shows which page you were posting from, in
> your case you are posting from a page that had a token in the URL.
>
> I would use a JavaScript debugger and look at why the token isn't being
> added as a hidden form field.
>
> -Patrick
>
>
>
>
> On Fri, Jul 29, 2011 at 4:45 PM, Patrick Radtke <pradtke at stanford.edu> wrote:
>
>>   On 7/29/11 7:29 AM, Nirav wrote:
>>
>> Hello All!
>>
>> I just got the latest version of the CSRFGuard from github and built it
>> and deployed it on our application on Glassfish 2.1. We use Stripes as our
>> MVC. Most parts of the app seem to be working fine and I see the token being
>> injected where it should be. But I can't get any of the forms to work. The
>> POST in firebug shows the token being sent. But when it's intercepted by the
>> CSRFGuardFilter - it does not find it. I debugged further and found that
>> there were no request parameters at all in my HTTPRequest!
>>
>> Any idea what the weirdness is? We have been at it for two days now! :(
>>
>> Regards!
>> Nirav
>>
>>   Are you posting with the token as a form parameter, or are you posting
>> to a URL that contains the token?
>> We post to a url that contains the token and that works fine.
>> Are you using the JavaScript library or the JSTL tags?
>>
>> -Patrick
>>
>>
>>
>
>
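
One way to check where the token actually travels in a captured request, following the distinction drawn in the thread between a token in the Referer header and a token submitted as a parameter. This is an added example, not part of the original messages and not CSRFGuard code; the parameter name OWASP_CSRFTOKEN, the host, the paths and the token value are assumptions constructed for illustration.

```javascript
// Added diagnostic example, not CSRFGuard code.
// Assumption: the token parameter is named OWASP_CSRFTOKEN.
const TOKEN_NAME = "OWASP_CSRFTOKEN";

// Return the query string of a URL as URLSearchParams (empty if none).
function queryOf(url) {
  const q = url.indexOf("?");
  return new URLSearchParams(q < 0 ? "" : url.slice(q + 1).split("#")[0]);
}

// Parse a raw HTTP request, as copied from a browser debugger, and report
// each place the token appears. Only the URL and the form body reach the
// server as request parameters; the Referer is just a header.
function locateToken(raw, tokenName = TOKEN_NAME) {
  const sep = raw.match(/\r?\n\r?\n/);
  const head = sep ? raw.slice(0, sep.index) : raw;
  const body = sep ? raw.slice(sep.index + sep[0].length) : "";
  const lines = head.split(/\r?\n/);
  const [method, target] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const contentType = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  const found = [];
  if (queryOf(target).has(tokenName)) found.push("url");
  if (contentType === "application/x-www-form-urlencoded" &&
      new URLSearchParams(body.trim()).has(tokenName)) found.push("body");
  if (queryOf(headers["referer"] || "").has(tokenName)) found.push("referer");
  const submitted = found.includes("url") || found.includes("body");
  return { method, contentType, found, submitted };
}

// Constructed sample requests (host, paths and token value are made up).
const request = (target, referer, body) => [
  `POST ${target} HTTP/1.1`, "Host: app.example",
  `Referer: ${referer}`,
  "Content-Type: application/x-www-form-urlencoded", "", body,
].join("\r\n");
const T = "OWASP_CSRFTOKEN=CONSTRUCTED-TOKEN-0001";
const refererOnly = request("/app/Save.action", `http://app.example/app/Edit.action?${T}`, "name=x");
const hiddenField = request("/app/Save.action", "http://app.example/app/Edit.action", `name=x&${T}`);
const tokenInUrl = request(`/app/Save.action?${T}`, "http://app.example/app/Edit.action", "name=x");

for (const r of [refererOnly, hiddenField, tokenInUrl]) console.log(locateToken(r));
```

A result with `found: ["referer"]` and `submitted: false` corresponds to the POST described in the thread: the token is visible in the capture, but not as a request parameter.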