[Owasp-csrfguard] Cant Get Forms Working

Patrick Radtke pradtke at stanford.edu
Sat Jul 30 16:56:10 EDT 2011


On 7/29/11 8:59 AM, Nirav wrote:
> Hi Patrick,
>
> Thanks for replying. We are using the Javascript DOM Manipulation. The 
> application POSTs to a URL without the token.
> The token's included in the Referer header. A firebug snapshot attached.
>
> Thanks!
> Nirav

Nirav,

The token should be added as a hidden form field. The referer header 
just shows which page you were posting from; in
your case you are posting from a page that had a token in the URL.

I would use a JavaScript debugger and look at why the token isn't being 
added as a hidden form field.

-Patrick
>
>
>
> On Fri, Jul 29, 2011 at 4:45 PM, Patrick Radtke <pradtke at stanford.edu 
> <mailto:pradtke at stanford.edu>> wrote:
>
>     On 7/29/11 7:29 AM, Nirav wrote:
>>     Hello All !
>>
>>     I just got the latest version of the CSRFGuard from github and
>>     built it and deployed it on our application on Glassfish 2.1. We
>>     use Stripes as our MVC. Most parts of the app seem to be working
>>     fine and I see the token being injected where it should be. But I
>>     can't get any of the forms to work. The POST in firebug shows the
>>     token being sent. But when it's intercepted by the CSRFGuardFilter
>>     - it does not find it. I debugged further and found that there
>>     were no request parameters at all in my HTTPRequest !
>>
>>     Any idea what the weirdness is? We have been at it for two days
>>     now ! :(
>>
>>     Regards!
>>     Nirav
>>
>     Are you posting with the token as a form parameter, or are you
>     posting to URL that contains the token?
>     We post to a url that contains the token and that works fine.
>     Are you using the JavaScript library or the JSTL tags?
>
>     -Patrick
>
>
>
>
>
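
An added example, not part of the original thread and not CSRFGuard code: a small check that takes a captured request and reports whether the token was actually submitted (URL or form body) or only appears in the Referer header, which is the situation discussed above. The token name `OWASP_CSRFTOKEN`, the host, the paths and the token value are assumptions or constructed sample data.

```javascript
// Added diagnostic example, not CSRFGuard code.
// Assumption: the token parameter name; use the one configured in your deployment.
const TOKEN_NAME = "OWASP_CSRFTOKEN";

// Report every place the token appears in a raw HTTP request (proxy or network-panel copy).
function locateToken(rawRequest, tokenName = TOKEN_NAME) {
  const sep = rawRequest.search(/\r?\n\r?\n/);
  const head = sep === -1 ? rawRequest : rawRequest.slice(0, sep);
  const body = sep === -1 ? "" : rawRequest.slice(sep).trim();
  const lines = head.split(/\r?\n/);
  const target = lines[0].split(" ")[1] || "";
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const has = (params) => params.has(tokenName) && params.get(tokenName) !== "";
  const queryOf = (u) => {
    try { return new URL(u, "http://placeholder.invalid").searchParams; }
    catch { return new URLSearchParams(); }
  };
  const formEncoded = (headers["content-type"] || "")
    .toLowerCase().startsWith("application/x-www-form-urlencoded");
  const found = {
    url: has(queryOf(target)),                            // token in the request URL
    body: formEncoded && has(new URLSearchParams(body)),  // token as a form field
    referer: has(queryOf(headers["referer"] || "")),      // token only on the previous page
  };
  // Only the URL and the body carry request parameters; the Referer does not count.
  found.submitted = found.url || found.body;
  return found;
}

// Constructed sample requests (not taken from the thread's attachment).
const TOKEN = "CONSTRUCTED-TOKEN-VALUE";
const failing = [
  "POST /app/Save.action HTTP/1.1",
  "Host: app.example",
  `Referer: http://app.example/app/Edit.action?${TOKEN_NAME}=${TOKEN}`,
  "Content-Type: application/x-www-form-urlencoded",
  "",
  "name=test&save=Save",
].join("\r\n");
const working = failing.replace("save=Save", `save=Save&${TOKEN_NAME}=${TOKEN}`);
console.log(locateToken(failing)); // referer: true, submitted: false
console.log(locateToken(working)); // body: true, submitted: true
```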
