[Owasp-csrfguard] Redirect with token not working when query parameters present and TokenPerPage=true

Patrick Radtke pradtke at stanford.edu
Wed Jul 6 13:58:09 EDT 2011


I'm not sure how to submit a patch via github so I've attached one here.
I didn't see any place for unit tests in the current code base, so my
testing was manual in one of our apps.

-Patrick

On 7/5/11 5:07 PM, Patrick Radtke wrote:
> Hi,
>
> I needed support for appending the CSRF token as part of a redirect.
> I saw this feature was available in git, but there is a bug that prevents it
> from working when query parameters are present.
> Basically 'isValidRequest' ignores query params, while 'getTokenValue'
> doesn't.
>
> Example:
> I access
> /AccountApp/editmf
> which redirects to
> /AccountApp/editmf?execution=e1s1
>
> After adding CSRF Guard
> I access
> {/AccountApp/editmf?OWASP_CSRFTOKEN=RSDP-3A22-LV7E-Y53P-ZSBE-QCJG-DLQS-FL6K}
> the per page token is stored under the key '/AccountApp/editmf'
> The redirect is to '/AccountApp/editmf?execution=e1s1' which
> doesn't match the key, so the session token is used to construct the
> redirect url
> /AccountApp/editmf?execution=e1s1&OWASP_CSRFTOKEN=OWZF-U0O1-4LKU-W4UR-40KB-0LRI-6TMF-5GCM
> This happens in 'getTokenValue()'
>
> However, when isValidRequest runs after the redirect, only
> '/AccountApp/editmf' is used to check the pageTokens map,
> so the token no longer matches.
>
> The 'location' needs the query params stripped off. I'm not familiar enough
> with servlets to know if there is a standard call to do that.
>
> (approx line 75 of CsrfGuardFilter)
> String location = redirectResponse.getLocation()
>
> This all works fine if TokenPerPage=false.
>
> thanks,
>
> Patrick
>
>
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: redirect.patch
Url: https://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20110706/dd87147f/attachment.pl 
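The key mismatch described in the thread, modelled as an added Python example (this is not CSRFGuard's code and not the attached patch; the function and class names, the hex token format and the `strip_query` switch are assumptions made for the illustration). It replays the two-step flow from the report: a first access stores a per-page token under the path key, the app then redirects to the same path with a query parameter, and the filter appends a token to the redirect and later validates it. With `strip_query=False` the redirect side looks the token up under the full Location (path plus query), misses, falls back to the session token, and validation, which keys on the path only, rejects the request; with `strip_query=True` both sides use the same normalised key and the redirect validates.

```python
"""Model of the per-page token lookup on redirect (constructed example, not project code)."""
import secrets
from urllib.parse import parse_qs, urlsplit

TOKEN_PARAM = "OWASP_CSRFTOKEN"


def new_token():
    # Constructed token format; CSRFGuard's real tokens look different.
    return secrets.token_hex(16)


def page_key(uri):
    """Key for the per-page token map: the path with query string and fragment removed."""
    return urlsplit(uri).path


class TokenStore:
    """Session-scoped token state: one session token plus a map of per-page tokens."""

    def __init__(self):
        self.session_token = new_token()
        self.page_tokens = {}

    def page_token(self, key):
        """Return the page token stored under key, creating one on first access."""
        return self.page_tokens.setdefault(key, new_token())


def token_value_for_redirect(store, location, strip_query):
    """Mirror of the redirect side: per-page token if one exists for the location, else the session token.

    strip_query=False reproduces the reported behaviour (full Location used as the key);
    strip_query=True applies the fix suggested in the report (query params stripped first).
    """
    key = page_key(location) if strip_query else location
    return store.page_tokens.get(key, store.session_token)


def append_token(location, token):
    """Append the token parameter to a redirect Location, respecting an existing query string."""
    sep = "&" if "?" in location else "?"
    return f"{location}{sep}{TOKEN_PARAM}={token}"


def is_valid_request(store, request_uri):
    """Mirror of the validation side: token from the query string compared against the page token keyed by path only."""
    submitted = parse_qs(urlsplit(request_uri).query).get(TOKEN_PARAM, [None])[0]
    expected = store.page_token(page_key(request_uri))
    return submitted is not None and secrets.compare_digest(submitted, expected)


def redirect_flow(strip_query):
    """Replay the flow from the report and return whether the redirected request validates."""
    store = TokenStore()
    path = "/AccountApp/editmf"
    # 1. First access to the page stores a per-page token under the path key.
    store.page_token(path)
    # 2. The app redirects to the same page with a query parameter; the filter appends a token.
    location = "/AccountApp/editmf?execution=e1s1"
    redirect_target = append_token(location, token_value_for_redirect(store, location, strip_query))
    # 3. The browser follows the redirect and the filter validates the token.
    return is_valid_request(store, redirect_target)


if __name__ == "__main__":
    print("full Location as key:", redirect_flow(strip_query=False))   # False: session token vs page token
    print("path-only key:       ", redirect_flow(strip_query=True))    # True: both sides agree on the key
```

The design point is that whatever normalisation the validation side applies to the request URI must also be applied to the redirect Location before the per-page map is consulted; a single shared `page_key` helper used on both sides removes the class of bug rather than this one instance.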