[Owasp-csrfguard] csrfguard doesn't seem to work with my frames

Patrick Radtke pradtke at stanford.edu
Fri Oct 28 12:50:23 EDT 2011


You can add the URLs that you don't want protected to a list of 
unprotected_pages.

https://www.owasp.org/index.php/CSRFGuard_3_Configuration#Unprotected_Pages

On 10/28/11 9:23 AM, Sam Theman wrote:
> Hello,
>
> PLEASE HELP!
>
> I have CSRFGuard working for my application, EXCEPT if I use frames.
>
> See the below sequence. I have an iframe in the frames.jsp, but it says
> it is missing the token... see below code also... can anyone help????
>
> [Fri Oct 28 12:20:35 EDT 2011] [Info] CsrfGuard analyzing request
> /crs/frames.jsp
> [Fri Oct 28 12:20:38 EDT 2011] [Info] CsrfGuard analyzing request
> /crs/JavaScriptServlet
> [Fri Oct 28 12:20:38 EDT 2011] [Info] CsrfGuard analyzing request
> /crs/HelloServlet (in my iframe)
> [Fri Oct 28 12:20:38 EDT 2011] [Error] potential cross-site request
> forgery (CSRF) attack thwarted (user:<anonymous>, ip:129.6.84.222,
> uri:/crs/HelloServlet, error:required token is missing from the request)
> [Fri Oct 28 12:20:38 EDT 2011] [Info] CsrfGuard analyzing request
> /crs/error.html
> [Fri Oct 28 12:20:38 EDT 2011] [Info] CsrfGuard analyzing request
> /crs/HelloServlet
> [Fri Oct 28 12:20:38 EDT 2011] [Error] potential cross-site request
> forgery (CSRF) attack thwarted (user:<anonymous>, ip:129.6.84.222,
> uri:/crs/HelloServlet, error:request token does not match session token)
> [Fri Oct 28 12:20:38 EDT 2011] [Info] CsrfGuard analyzing request
> /crs/error.html
>
>
>
> frames.jsp ::::
>
> <html>
> <head>
> <title>Main screen</title>
> </head>
> <script src="/crs/JavaScriptServlet"></script>
>
> <iframe src="/crs/HelloServlet"></iframe>
> </html>
>
>
>
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
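
The unprotected-pages suggestion in the reply above, written out as a CSRFGuard 3 properties fragment. This is an added example, not configuration posted by anyone in the thread; the entry labels after `unprotected.` are chosen here, and the paths are assumed to be the request URIs exactly as they appear in the quoted log.

```properties
# Added example (not from the thread). Format documented for CSRFGuard 3:
#   org.owasp.csrfguard.unprotected.<Label>=<PageUri>
# <Label> is an arbitrary name; the labels below are made up for this example.

# The iframe source from frames.jsp. The browser fetches it with a plain GET
# that carries no token, which is the request rejected in the log with
# "required token is missing from the request".
org.owasp.csrfguard.unprotected.HelloFrame=/crs/HelloServlet

# The error page the log shows being analyzed after each rejection.
org.owasp.csrfguard.unprotected.ErrorPage=/crs/error.html
```

Requests to a listed URI are no longer token-checked, so list only pages that render content without changing state; anything that modifies data should stay off the list.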


