[Owasp-csrfguard] issue deploying csrf guard

DeGrande, Rick Rick.DeGrande at firstdata.com
Tue Sep 27 19:29:41 EDT 2011


Need help. I've deployed the csrf guard as documented (added listener
and filter to web.xml, configured properties).

Below is the properties file.

I'm getting the following error:


*****************************************************
* Owasp.CsrfGuard Properties
*
* Logger: org.owasp.csrfguard.log.ConsoleLogger
* NewTokenLandingPage: null
* PRNG: SHA1PRNG
* SessionKey: OWASP_CSRFTOKEN
* TokenLength: 32
* TokenName: OWASP_CSRFTOKEN
* Ajax: false
* Rotate: false
* TokenPerPage: false
* Action: org.owasp.csrfguard.action.Log
*       Parameter: Message = potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
* Action: org.owasp.csrfguard.action.Invalidate
*****************************************************

[9/27/11 18:02:35:092 EDT] 00000039 SystemOut     O [Tue Sep 27 18:02:35 EDT 2011] [Info] CsrfGuard analyzing request /mycontext/myuri

        at com.ibm.ws.session.http.HttpSessionImpl.setAttribute(HttpSessionImpl.java:248)
        at com.ibm.ws.session.SessionData.putSessionValue(SessionData.java:292)
        at com.ibm.ws.session.SessionData.setAttribute(SessionData.java:216)
        at com.ibm.ws.session.HttpSessionFacade.setAttribute(HttpSessionFacade.java:169)
        at org.owasp.csrfguard.CsrfGuard.isValidRequest(CsrfGuard.java:316)
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:57)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)


This error occurs when it tries to set the following attribute on the
session:

/* 316*/        session.setAttribute("Owasp_CsrfGuard_Session_Key", this);

This only happens when I try to access a uri that is protected.

Thanks in advance


# The OWASP CSRFGuard Project, BSD License
# Eric Sheridan (eric.sheridan at owasp.org), Copyright (c) 2011
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
#    this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of OWASP nor the names of its contributors may be used
#    to endorse or promote products derived from this software without specific
#    prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger

org.owasp.csrfguard.TokenPerPage=false

org.owasp.csrfguard.Ajax=false

org.owasp.csrfguard.unprotected.Login=/LoginController.htm
org.owasp.csrfguard.unprotected.LoginSuccess=/LoginSuccess.htm
org.owasp.csrfguard.unprotected.LogoutSuccess=/LogoutSuccess.htm
org.owasp.csrfguard.unprotected.LoginSuccess=/LoginSuccess.htm
org.owasp.csrfguard.unprotected.Contact=/Contact.htm
org.owasp.csrfguard.unprotected.Intro=/Introduction.htm
org.owasp.csrfguard.unprotected.Info=/InformationController.htm
org.owasp.csrfguard.unprotected.Faq=/FAQ.htm
org.owasp.csrfguard.unprotected.Security=/Security.htm
org.owasp.csrfguard.unprotected.Privacy=/Privacy.htm
org.owasp.csrfguard.unprotected.Accessibility=/Accessibility.htm
org.owasp.csrfguard.unprotected.Welcome=/Welcome.htm

org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate

org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG


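An added example, not CSRFGuard's own code and not from the post above: a small Python reader for the Owasp.CsrfGuard.properties format the poster attached, which also reports keys that appear twice (the file lists LoginSuccess twice) and performs the check behind the post's last sentence, deciding whether a request path is in the unprotected list. It assumes exact matching of the context-relative path against the unprotected entries, which is the only form the poster's entries use; CSRFGuard's actual matching rules are not on this page.

```python
# Constructed sample (subset of the poster's file) keeping the duplicated
# LoginSuccess key and adding a backslash-continued value to exercise parsing.
SAMPLE_PROPERTIES = """\
# The OWASP CSRFGuard Project, BSD License
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.TokenPerPage=false
org.owasp.csrfguard.unprotected.Login=/LoginController.htm
org.owasp.csrfguard.unprotected.LoginSuccess=/LoginSuccess.htm
org.owasp.csrfguard.unprotected.LoginSuccess=/LoginSuccess.htm
org.owasp.csrfguard.unprotected.Welcome=/Welcome.htm
org.owasp.csrfguard.action.Log.Message=potential cross-site request \\
    forgery (CSRF) attack thwarted
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
"""

UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."

def parse_properties(text):
    """java.util.Properties subset: '#'/'!' comments, key=value, trailing
    backslash continues the value. Returns (props, keys seen twice)."""
    props, duplicates, pending = {}, [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()   # a continuation drops leading blanks
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in props:               # later value wins, as in Java
            duplicates.append(key)
        props[key] = value
    return props, duplicates

def unprotected_paths(props):
    """Paths listed as org.owasp.csrfguard.unprotected.<Name>=<path>."""
    return {v for k, v in props.items() if k.startswith(UNPROTECTED_PREFIX)}

def is_protected(props, request_uri, context_path=""):
    """Assumption (not verified against CSRFGuard): the request path with
    the context path removed is compared to the unprotected entries by
    exact match, the only form the poster's file uses."""
    path = request_uri
    if context_path and request_uri.startswith(context_path):
        path = request_uri[len(context_path):]
    return path not in unprotected_paths(props)
```

Run over the poster's full file, the duplicate report and the per-URI decision show which requests CsrfGuard will subject to token validation (and thus to the session.setAttribute call that fails) before the filter ever runs.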