[Owasp-csrfguard] URL Rewriting in CSRF Guard

Eric Sheridan eric.sheridan at owasp.org
Wed Feb 9 09:24:56 EST 2011


Alex,

> Could that be?

Yes - this is entirely possible. There are two ways CSRFGuard will
redirect the use when the context is first initialize: default landing
page and, if the default landing page is unspecified, an auto posting
form to the same URI without any parameters.

On a side note: I am planning on releasing a new ALPHA version which
more correctly constructs the URI in this auto-posting form such that
path parameters are not included.

> Is there a workaround for my problem?

I'm sure there is a way to do this through configuration. Try setting
your default landing page to a page for which CSRFGuard has no
visibility. This is a page that either a) is not accessible to the
Filter mapping and or b) a page that is marked as 'unprotected' in
Owasp.CsrfGuard.properties. I'd be interested to see if these
modifications affect your situation.

Another work around is to disable URL rewriting in your application.
This seems ideal from my perspective - as someone who has zero business
context of your app and only a minor technical context :) URl rewriting
has an associated security risk. Disabling URL rewriting should mitigate
the risk of session identifier in the URL AND it *should* fix your
CSRFGuard problem. Are you in a position where you can disable URL
rewriting in your application?

Perhaps the last thing I could try is allowing the user to optionally
include params/sessionid in the request to the 'default landing page' by
adding a couple more configuration capabilities in
Owasp.CsrfGuard.properties. I'd prefer not to do this though as it
increases the risk of users disclosing session ids and or increases the
risk of a 'one time csrf attack' against a user who's csrf context has
not yet been initialized and where the default landing page performs
some operation (or, if not defined, the requested context/servlet path
performs some operation).

Winded response... hope that helps.

-Eric

On 2/9/11 8:13 AM, Alexander_Gempp at rcomext.com wrote:
> Hi,
> 
> I've got a question regarding the Java version of the guard.
> 
> I tried using it without cookies. Looks like get stuck in a loop because 
> the dynamic form for redirecting to the 'default token landing page' 
> removes my session url. Could that be?
> 
> Is there a workaround for my problem?
> 
> Best regards,
> Alex
> 
> 
> 
> 
> 
> This e-mail, including attachments, is intended for the person(s) or company named and may contain confidential and/or legally privileged information. Unauthorized disclosure, copying or use of this information may be unlawful and is prohibited. If you are not the intended recipient, please delete this message and notify the sender.
> All incoming and outgoing e-mail messages are stored in the Swiss Re Electronic Message Repository. If you do not wish the retention of potentially private e-mails by Swiss Re, we strongly advise you not to use the Swiss Re e-mail account for any private, non-business related communications.
> 
> 
> 
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard



More information about the Owasp-csrfguard mailing list