[Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar

P Manchanda manchandap at yahoo.com
Wed Dec 12 16:08:40 UTC 2012 

Hi Paul,

Not sure about your exact query but here is the details of the parameter from OWASP's page:

https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection


Allows the developer to specify a regular expression describing the 
required value of the Referer header. Any attempts to access the servlet
 with a Referer header that does not match the captured expression is 
discarded. Inclusion of referer header checking is to help minimize the 
risk of JavaScript Hijacking attacks that attempt to steal tokens from 
the dynamically generated JavaScript. While the primary defenses against
 JavaScript Hijacking attacks are implemented within the dynamic 
JavaScript itself, referer header checking is implemented to achieve 
defense in depth. 



 
___________________ 
Thks & brgds 
P Manchanda
Mobile: +91-9811210374 



________________________________
 From: Paul Volpe - QV0CD-C <paul.volpe at gsa.gov>
To: P Manchanda <manchandap at yahoo.com> 
Cc: sravani chukka <sravs63 at gmail.com>; "owasp-csrfguard at lists.owasp.org" <owasp-csrfguard at lists.owasp.org> 
Sent: Wednesday, 12 December 2012, 21:23
Subject: Re: [Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar
 

        <init-param>
          <param-name>referer-pattern</param-name>
          <param-value>.*</param-value>
        </init-param>
Quick question on the referer-pattern value...
This is used by the JavascriptServlet to do what?  The value you have here as an example is very encompassing, so I would like to understand it a bit better.

Thanks,

- Paul


On Tue, Dec 11, 2012 at 10:50 AM, P Manchanda <manchandap at yahoo.com> wrote:

Hi,
>
>
>Please check your web.xml for the entries related to JavascriptServlet. Probably you are missing a init parameter. The entries should look like this:
>
>
> <servlet>
>      <servlet-name>JavaScriptServlet</servlet-name>
>      <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
>        <init-param>
>          <param-name>source-file</param-name>
>          <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
>        </init-param>
>        <init-param>
>          <param-name>inject-into-forms</param-name>
>         
 <param-value>true</param-value>
>        </init-param>
>        <init-param>
>          <param-name>inject-into-attributes</param-name>
>          <param-value>true</param-value>
>        </init-param>
>        <init-param>
>          <param-name>domain-strict</param-name>
>          <param-value>true</param-value>
>        </init-param>
>        <init-param>
>         
 <param-name>referer-pattern</param-name>
>          <param-value>.*</param-value>
>        </init-param>
>        <init-param>
>          <param-name>x-requested-with</param-name>
>          <param-value>OWASP CSRFGuard Project</param-value>
>        </init-param>
>     </servlet>
> 
>___________________ 
>Thks & brgds 
>P Manchanda
>Mobile: +91-9811210374 
>
>
>
>
>________________________________
> From: sravani chukka <sravs63 at gmail.com>
>To: owasp-csrfguard at lists.owasp.org 
>Sent: Tuesday, 11 December 2012, 18:19
>Subject: [Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar
> 
>
>
>Hi,
> 
>I have small problem using your jar and require some help using it. I was actually trying to deploy my EAR in jboss and when i host my weblauncher following exceptions are thrown showing these errors in 
>Owasp.CsrfGuard.jar.Below is the error 
> 15:11:16,407 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:16 IST 2012] [Info] CsrfGuard analyzing request /pf-weblauncher/loginRealm.jsp
> 
>15:11:16,498 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/pf-system]] (http-/0.0.0.0:8081-2) StandardWrapper.Throwable: java.lang.RuntimeException: missing required parameter referer-pattern 
>at org.owasp.csrfguard.servlet.JavaScriptServlet.getRequiredInitParameter(JavaScriptServlet.java:206) [Owasp.CsrfGuard.jar:] 
>at org.owasp.csrfguard.servlet.JavaScriptServlet.init(JavaScriptServlet.java:85) [Owasp.CsrfGuard.jar:] 
>at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1202) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:952) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:188) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1] 
>at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at java.lang.Thread.run(Unknown Source) [rt.jar:1.7.0_04]
>15:11:16,500ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/pf-system].[JavaScriptServlet]] (http-/0.0.0.0:8081-2) Allocate exception for servlet JavaScriptServlet: java.lang.RuntimeException: missing required parameter referer-pattern 
>at org.owasp.csrfguard.servlet.JavaScriptServlet.getRequiredInitParameter(JavaScriptServlet.java:206) [Owasp.CsrfGuard.jar:] 
>at org.owasp.csrfguard.servlet.JavaScriptServlet.init(JavaScriptServlet.java:85) [Owasp.CsrfGuard.jar:] 
>at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1202) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:952) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:188) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1] 
>at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>at java.lang.Thread.run(Unknown Source) [rt.jar:1.7.0_04]
>15:11:22,714 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:22 IST 2012] [Info] CsrfGuard analyzing request /pf-weblauncher/webLauncher.do
>15:11:37,659 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:37 IST 2012] [Info] CsrfGuard analyzing request /pf-system/styles/styles.css
>15:11:37,662 INFO [stdout] (http-/0.0.0.0:8081-4) [Tue Dec 11 15:11:37 IST 2012] [Info] CsrfGuard analyzing request /pf-system/styles/button_style.css
>15:11:37,707 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:37 IST 2012] [Info] CsrfGuard analyzing request /pf-weblauncher/webLauncher.do
> 
> 
> 
>and the above INFO logs continue to be printed forever. Can you please suggest about the cause of the error  and required workaround ?
> 
> 
> 
>Thanks,
>sravs
>
>_______________________________________________
>Owasp-csrfguard mailing list
>Owasp-csrfguard at lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>
>
>
>_______________________________________________
>Owasp-csrfguard mailing list
>Owasp-csrfguard at lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>
>


-- 

- Paul F. Volpe
OCMS Team Lead
paul.volpe at gsa.gov
703-605-2617 (w)
585-214-9862 (c)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20121212/5af47223/attachment-0001.html>

More information about the Owasp-csrfguard mailing list