[Owasp-csrfguard] Redirect with token not working when query parameters present and TokenPerPage=true

Patrick Radtke pradtke at stanford.edu
Tue Jul 5 20:07:17 EDT 2011


Hi,

I needed support for appending the CSRF token as part of a redirect.
I saw this feature was available in git, but there is a bug that prevents it
from working when query parameters are present.
Basically 'isValidRequest' ignores query params, while 'getTokenValue' 
doesn't.

Example:
I access
/AccountApp/editmf
which redirects to
/AccountApp/editmf?execution=e1s1

After adding CSRF Guard
I access
{/AccountApp/editmf?OWASP_CSRFTOKEN=RSDP-3A22-LV7E-Y53P-ZSBE-QCJG-DLQS-FL6K}
the per page token is stored under the key '/AccountApp/editmf'
The redirect is to '/AccountApp/editmf?execution=e1s1' which
doesn't match the key, so the session token is used to construct the 
redirect url
/AccountApp/editmf?execution=e1s1&OWASP_CSRFTOKEN=OWZF-U0O1-4LKU-W4UR-40KB-0LRI-6TMF-5GCM
This happens in 'getTokenValue()'

However, when isValidRequest runs after the redirect, only 
'/AccountApp/editmf' is used to check the pageTokens map,
so the token no longer matches.

The 'location' needs the query params stripped off. I'm not familiar enough
with servlets to know if there is standard call to do that.

(approx line 75 of CsrfGuardFilter)
String location = redirectResponse.getLocation()

This all works fine if TokenPerPage=false.

thanks,

Patrick
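The mismatch described in the post, modelled as an added example (this is illustrative code written here, not CSRFGuard's own Java source): a small per-page token store where the redirect builder and the request validator must derive the same map key from a location. The function and class names (PerPageTokenStore, build_redirect, is_valid_request, path_only) and the fallback-to-session-token rule are assumptions made for the model; the sample URLs are the ones from the post.

```python
"""Illustrative model of CSRFGuard's TokenPerPage lookup mismatch (not project code).

The per-page token map is keyed by request path. If the redirect builder
looks the key up with the query string still attached, it misses the entry,
falls back to the session token, and the next validation (which keys by
path only) rejects the request. Stripping the query string before the
lookup makes both sides agree.
"""
import secrets
from urllib.parse import parse_qs, urlsplit

TOKEN_PARAM = "OWASP_CSRFTOKEN"


class PerPageTokenStore:
    """Assumed simplified stand-in for the session + pageTokens map."""

    def __init__(self) -> None:
        self.session_token = secrets.token_hex(16)
        self.page_tokens: dict[str, str] = {}

    def token_for_page(self, page: str) -> str:
        # Create the per-page token on first visit, reuse it afterwards.
        return self.page_tokens.setdefault(page, secrets.token_hex(16))


def path_only(location: str) -> str:
    """The proposed fix: use only the path component as the map key."""
    return urlsplit(location).path


def append_token(location: str, token: str) -> str:
    separator = "&" if "?" in location else "?"
    return f"{location}{separator}{TOKEN_PARAM}={token}"


def build_redirect(store: PerPageTokenStore, location: str, page_key) -> str:
    """Mirror of getTokenValue(): page token if the key is known, else session token."""
    token = store.page_tokens.get(page_key(location), store.session_token)
    return append_token(location, token)


def is_valid_request(store: PerPageTokenStore, request_uri: str) -> bool:
    """Mirror of isValidRequest(): the pageTokens map is always checked by path."""
    parts = urlsplit(request_uri)
    presented = parse_qs(parts.query).get(TOKEN_PARAM, [None])[0]
    if presented is None:
        return False
    expected = store.page_tokens.get(parts.path, store.session_token)
    return secrets.compare_digest(presented, expected)


def demo() -> tuple[bool, bool]:
    """Replay the post's scenario; returns (buggy_result, fixed_result)."""
    store = PerPageTokenStore()
    # First request to /AccountApp/editmf stored a page token under that path.
    store.token_for_page("/AccountApp/editmf")
    # The application then redirects to the same path with a query string.
    location = "/AccountApp/editmf?execution=e1s1"

    # Buggy: the full location (query included) is used as the key -> miss.
    buggy_redirect = build_redirect(store, location, page_key=lambda loc: loc)
    # Fixed: query string stripped before the lookup -> hit.
    fixed_redirect = build_redirect(store, location, page_key=path_only)

    return is_valid_request(store, buggy_redirect), is_valid_request(store, fixed_redirect)


if __name__ == "__main__":
    print(demo())  # expected (False, True)
```

In a servlet filter the same normalisation can be done with java.net.URI(location).getPath(), or by cutting the string at the first '?', before using it as the pageTokens key; the important property is that the redirect builder and the validator compute the key the same way.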