[Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar

Paul Volpe - QV0CD-C paul.volpe at gsa.gov
Wed Dec 12 16:11:57 UTC 2012


Ok.  That helps and makes sense.  In other words, the pattern `.*` is not
really a good idea -- instead, it should be mapped to some value used by
your application to indicate JavaScript and AJAX calls.

On Wed, Dec 12, 2012 at 11:08 AM, P Manchanda <manchandap at yahoo.com> wrote:

> Hi Paul,
>
> Not sure about your exact query, but here are the details of the parameter
> from OWASP's page:
>
> https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
>
> Allows the developer to specify a regular expression describing the
> required value of the Referer header. Any attempt to access the servlet
> with a Referer header that does not match the captured expression is
> discarded. Inclusion of referer header checking is to help minimize the
> risk of JavaScript Hijacking attacks that attempt to steal tokens from the
> dynamically generated JavaScript. While the primary defenses against
> JavaScript Hijacking attacks are implemented within the dynamic JavaScript
> itself, referer header checking is implemented to achieve defense in depth.
>
>
>
> ___________________
> Thks & brgds
> P Manchanda
> Mobile: +91-9811210374 <http://geocities.com/manchandap/>
>
>   ------------------------------
> From: Paul Volpe - QV0CD-C <paul.volpe at gsa.gov>
> To: P Manchanda <manchandap at yahoo.com>
> Cc: sravani chukka <sravs63 at gmail.com>; "owasp-csrfguard at lists.owasp.org"
> <owasp-csrfguard at lists.owasp.org>
> Sent: Wednesday, 12 December 2012, 21:23
> Subject: Re: [Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar
>
>         <init-param>
>           <param-name>referer-pattern</param-name>
>           <param-value>.*</param-value>
>         </init-param>
>
> Quick question on the referer-pattern value...
> This is used by the JavascriptServlet to do what?  The value you have here
> as an example is very encompassing, so I would like to understand it a bit
> better.
>
> Thanks,
>
> - Paul
>
> On Tue, Dec 11, 2012 at 10:50 AM, P Manchanda <manchandap at yahoo.com> wrote:
>
> Hi,
>
> Please check your web.xml for the entries related to JavascriptServlet.
> Probably you are missing a init parameter. The entries should look like
> this:
>
>   <servlet>
>     <servlet-name>JavaScriptServlet</servlet-name>
>     <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
>     <init-param>
>       <param-name>source-file</param-name>
>       <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
>     </init-param>
>     <init-param>
>       <param-name>inject-into-forms</param-name>
>       <param-value>true</param-value>
>     </init-param>
>     <init-param>
>       <param-name>inject-into-attributes</param-name>
>       <param-value>true</param-value>
>     </init-param>
>     <init-param>
>       <param-name>domain-strict</param-name>
>       <param-value>true</param-value>
>     </init-param>
>     <!-- Required: regex the Referer header must match. Leaving it out is what
>          produces "missing required parameter referer-pattern" at servlet init. -->
>     <init-param>
>       <param-name>referer-pattern</param-name>
>       <param-value>.*</param-value>
>     </init-param>
>     <init-param>
>       <param-name>x-requested-with</param-name>
>       <param-value>OWASP CSRFGuard Project</param-value>
>     </init-param>
>   </servlet>
>
> ___________________
> Thks & brgds
> P Manchanda
> Mobile: +91-9811210374 <http://geocities.com/manchandap/>
>
>   ------------------------------
> From: sravani chukka <sravs63 at gmail.com>
> To: owasp-csrfguard at lists.owasp.org
> Sent: Tuesday, 11 December 2012, 18:19
> Subject: [Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar
>
> Hi,
>
> I have a small problem using your jar and require some help using it. I was
> actually trying to deploy my EAR in JBoss, and when I host my weblauncher
> the following exceptions are thrown, showing these errors in
> Owasp.CsrfGuard.jar. Below is the error:
>
> 15:11:16,407 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:16 IST 2012] [Info] CsrfGuard analyzing request /pf-weblauncher/loginRealm.jsp
>
> 15:11:16,498 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/pf-system]] (http-/0.0.0.0:8081-2) StandardWrapper.Throwable: java.lang.RuntimeException: missing required parameter referer-pattern
>     at org.owasp.csrfguard.servlet.JavaScriptServlet.getRequiredInitParameter(JavaScriptServlet.java:206) [Owasp.CsrfGuard.jar:]
>     at org.owasp.csrfguard.servlet.JavaScriptServlet.init(JavaScriptServlet.java:85) [Owasp.CsrfGuard.jar:]
>     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1202) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:952) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:188) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at java.lang.Thread.run(Unknown Source) [rt.jar:1.7.0_04]
> 15:11:16,500 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/pf-system].[JavaScriptServlet]] (http-/0.0.0.0:8081-2) Allocate exception for servlet JavaScriptServlet: java.lang.RuntimeException: missing required parameter referer-pattern
>     at org.owasp.csrfguard.servlet.JavaScriptServlet.getRequiredInitParameter(JavaScriptServlet.java:206) [Owasp.CsrfGuard.jar:]
>     at org.owasp.csrfguard.servlet.JavaScriptServlet.init(JavaScriptServlet.java:85) [Owasp.CsrfGuard.jar:]
>     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1202) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:952) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:188) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.16.Final-redhat-1.jar:]
>     at java.lang.Thread.run(Unknown Source) [rt.jar:1.7.0_04]
> 15:11:22,714 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:22 IST 2012] [Info] CsrfGuard analyzing request /pf-weblauncher/webLauncher.do
> 15:11:37,659 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:37 IST 2012] [Info] CsrfGuard analyzing request /pf-system/styles/styles.css
> 15:11:37,662 INFO [stdout] (http-/0.0.0.0:8081-4) [Tue Dec 11 15:11:37 IST 2012] [Info] CsrfGuard analyzing request /pf-system/styles/button_style.css
> 15:11:37,707 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:37 IST 2012] [Info] CsrfGuard analyzing request /pf-weblauncher/webLauncher.do
>
>
>
> and the above INFO logs continue to be printed forever. Can you please
> suggest the cause of the error and the required workaround?
>
>
>
> Thanks,
> sravs
>
>
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>
>
>
>
>
>
>
> --
> - Paul F. Volpe
> *OCMS Team Lead*
> paul.volpe at gsa.gov
> 703-605-2617 (w)
> 585-214-9862 (c)
>
>
>
>


-- 
- Paul F. Volpe
*OCMS Team Lead*
paul.volpe at gsa.gov
703-605-2617 (w)
585-214-9862 (c)
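Added example to go with the exchange above; it is not part of the thread and not CSRFGuard's own code. It evaluates candidate referer-pattern values with a full-match regex test (Python's re.fullmatch, which behaves like Java's String.matches in requiring the whole header to match) against a handful of constructed Referer values, to show why `.*` makes the check a no-op, why an unescaped-dot pattern is nearly as bad, and what a pattern scoped to one application's origin looks like. The host names, and the choice to treat a missing Referer as a failure, are assumptions made for illustration; confirm against your CSRFGuard version how it applies the pattern and how it handles an absent header.

```python
import re

# Constructed sample Referer values (illustrative host names): the
# application's own pages, two attacker-controlled origins, and no header.
SAMPLE_REFERERS = [
    "https://app.example.org/",
    "https://app.example.org/loginRealm.jsp",
    "https://evil.example/steal.html",
    "https://app.example.org.evil.example/",  # host that merely starts with ours
    None,                                     # Referer header absent
]


def referer_allowed(pattern, referer):
    """Full-match the Referer header against the configured regex.

    re.fullmatch must consume the entire string, the same contract as
    Java's String.matches(). Rejecting an absent header is an assumption
    made for this example, not a description of CSRFGuard's behaviour.
    """
    if referer is None:
        return False
    return re.fullmatch(pattern, referer) is not None


def evaluate(pattern, referers=SAMPLE_REFERERS):
    """Return {referer: allowed} for each sample value under one pattern."""
    return {r: referer_allowed(pattern, r) for r in referers}


# The value from the thread: every Referer matches, so the check adds nothing.
CATCH_ALL = r".*"

# A common near-miss: unescaped dots plus a trailing .* still admit
# https://app.example.org.evil.example/ because the host is only a prefix.
UNANCHORED = r"https://app.example.org.*"

# Scoped to one origin: escaped dots, an optional path, nothing else after
# the host name.
SCOPED = r"https://app\.example\.org(/.*)?"


if __name__ == "__main__":
    for name, pat in (("catch-all", CATCH_ALL),
                      ("unanchored", UNANCHORED),
                      ("scoped", SCOPED)):
        print(f"{name}: {pat}")
        for ref, ok in evaluate(pat).items():
            print(f"  {'allow' if ok else 'deny':5} {ref}")
```

The scoped pattern is the shape Paul's conclusion points at: a value tied to the origin that legitimately loads the token-bearing JavaScript, rather than a wildcard. If the application is served from more than one host, list them explicitly in an alternation rather than widening the pattern.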