[Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar
P Manchanda
manchandap at yahoo.com
Wed Dec 12 16:08:40 UTC 2012
Hi Paul,
Not sure about your exact query, but here are the details of the parameter from OWASP's page:
https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
Allows the developer to specify a regular expression describing the
required value of the Referer header. Any attempt to access the servlet
with a Referer header that does not match the captured expression is
discarded. Inclusion of Referer header checking is to help minimize the
risk of JavaScript Hijacking attacks that attempt to steal tokens from
the dynamically generated JavaScript. While the primary defenses against
JavaScript Hijacking attacks are implemented within the dynamic
JavaScript itself, Referer header checking is implemented to achieve
defense in depth.
___________________
Thks & brgds
P Manchanda
Mobile: +91-9811210374
________________________________
From: Paul Volpe - QV0CD-C <paul.volpe at gsa.gov>
To: P Manchanda <manchandap at yahoo.com>
Cc: sravani chukka <sravs63 at gmail.com>; "owasp-csrfguard at lists.owasp.org" <owasp-csrfguard at lists.owasp.org>
Sent: Wednesday, 12 December 2012, 21:23
Subject: Re: [Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar
<init-param>
<param-name>referer-pattern</param-name>
<param-value>.*</param-value>
</init-param>
Quick question on the referer-pattern value...
This is used by the JavascriptServlet to do what? The value you have here as an example is very encompassing, so I would like to understand it a bit better.
Thanks,
- Paul
On Tue, Dec 11, 2012 at 10:50 AM, P Manchanda <manchandap at yahoo.com> wrote:
> Hi,
>
> Please check your web.xml for the entries related to JavascriptServlet. Probably you are missing an init parameter. The entries should look like this:
>
>   <servlet>
>     <servlet-name>JavaScriptServlet</servlet-name>
>     <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
>     <init-param>
>       <param-name>source-file</param-name>
>       <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
>     </init-param>
>     <init-param>
>       <param-name>inject-into-forms</param-name>
>       <param-value>true</param-value>
>     </init-param>
>     <init-param>
>       <param-name>inject-into-attributes</param-name>
>       <param-value>true</param-value>
>     </init-param>
>     <init-param>
>       <param-name>domain-strict</param-name>
>       <param-value>true</param-value>
>     </init-param>
>     <init-param>
>       <param-name>referer-pattern</param-name>
>       <param-value>.*</param-value>
>     </init-param>
>     <init-param>
>       <param-name>x-requested-with</param-name>
>       <param-value>OWASP CSRFGuard Project</param-value>
>     </init-param>
>   </servlet>
>
>___________________
>Thks & brgds
>P Manchanda
>Mobile: +91-9811210374
>
>
>
>
>________________________________
> From: sravani chukka <sravs63 at gmail.com>
>To: owasp-csrfguard at lists.owasp.org
>Sent: Tuesday, 11 December 2012, 18:19
>Subject: [Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar
>
>
>
>Hi,
>
>I have a small problem using your jar and require some help using it. I was actually trying to deploy my EAR in JBoss, and when I host my weblauncher the following exceptions are thrown, showing these errors in
>Owasp.CsrfGuard.jar. Below is the error:
> 15:11:16,407 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:16 IST 2012] [Info] CsrfGuard analyzing request /pf-weblauncher/loginRealm.jsp
>
>15:11:16,498 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/pf-system]] (http-/0.0.0.0:8081-2) StandardWrapper.Throwable: java.lang.RuntimeException: missing required parameter referer-pattern
>at org.owasp.csrfguard.servlet.JavaScriptServlet.getRequiredInitParameter(JavaScriptServlet.java:206) [Owasp.CsrfGuard.jar:]
>at org.owasp.csrfguard.servlet.JavaScriptServlet.init(JavaScriptServlet.java:85) [Owasp.CsrfGuard.jar:]
>at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1202) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:952) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:188) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1]
>at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at java.lang.Thread.run(Unknown Source) [rt.jar:1.7.0_04]
>15:11:16,500 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/pf-system].[JavaScriptServlet]] (http-/0.0.0.0:8081-2) Allocate exception for servlet JavaScriptServlet: java.lang.RuntimeException: missing required parameter referer-pattern
>at org.owasp.csrfguard.servlet.JavaScriptServlet.getRequiredInitParameter(JavaScriptServlet.java:206) [Owasp.CsrfGuard.jar:]
>at org.owasp.csrfguard.servlet.JavaScriptServlet.init(JavaScriptServlet.java:85) [Owasp.CsrfGuard.jar:]
>at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1202) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:952) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:188) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1]
>at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.16.Final-redhat-1.jar:]
>at java.lang.Thread.run(Unknown Source) [rt.jar:1.7.0_04]
>15:11:22,714 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:22 IST 2012] [Info] CsrfGuard analyzing request /pf-weblauncher/webLauncher.do
>15:11:37,659 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:37 IST 2012] [Info] CsrfGuard analyzing request /pf-system/styles/styles.css
>15:11:37,662 INFO [stdout] (http-/0.0.0.0:8081-4) [Tue Dec 11 15:11:37 IST 2012] [Info] CsrfGuard analyzing request /pf-system/styles/button_style.css
>15:11:37,707 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:37 IST 2012] [Info] CsrfGuard analyzing request /pf-weblauncher/webLauncher.do
>
>
>
>and the above INFO logs continue to be printed forever. Can you please suggest the cause of the error and the required workaround?
>
>
>
>Thanks,
>sravs
>
>_______________________________________________
>Owasp-csrfguard mailing list
>Owasp-csrfguard at lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
--
- Paul F. Volpe
OCMS Team Lead
paul.volpe at gsa.gov
703-605-2617 (w)
585-214-9862 (c)
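Paul's question about what the JavaScriptServlet does with referer-pattern, and why `.*` is "very encompassing", is easiest to see by running candidate patterns against sample Referer values. The following is an added example, not code from this thread or from the CSRFGuard project. It assumes the servlet compares the whole Referer header against the configured regex (Python's re.fullmatch is used here to mirror a Java Matcher.matches() style full match; treat that as an assumption about CSRFGuard's behaviour, not a statement of it), and the origin https://app.example.com and the sample Referer values are constructed for illustration.

```python
import re
from typing import Dict, Optional

# Constructed origin of the protected application (assumption for this example).
APP_ORIGIN = "https://app.example.com"

# The value shipped in the web.xml quoted in this thread: accepts any Referer at all,
# so the referer check adds no defense in depth against token-stealing pages.
PERMISSIVE_PATTERN = r".*"

# A tempting but flawed tightening: unescaped dots act as wildcards and nothing
# forces a path separator after the host, so look-alike hosts still pass.
SLOPPY_PATTERN = r"https://app.example.com.*"

# A restrictive value: dots escaped, and a "/" required right after the host.
STRICT_PATTERN = r"https://app\.example\.com/.*"


def referer_allowed(pattern: str, referer: Optional[str]) -> bool:
    """Decide whether a request carrying this Referer may fetch the token script.

    Assumed semantics: the whole header value must match the regex (re.fullmatch,
    comparable to Java's Matcher.matches()). A missing Referer is rejected here;
    that is this example's choice, not a claim about what CSRFGuard itself does.
    """
    if referer is None:
        return False
    return re.fullmatch(pattern, referer) is not None


# Constructed sample Referer values: one legitimate page of the app, and pages an
# attacker could control while still resembling the app origin.
SAMPLES = {
    "legit":          APP_ORIGIN + "/account/settings.jsp",
    "attacker_site":  "https://evil.example.net/hijack.html",
    "lookalike_host": "https://app.example.com.evil.example.net/hijack.html",
    "dot_wildcard":   "https://appXexample.com/hijack.html",
    "absent":         None,
}


def evaluate(pattern: str) -> Dict[str, bool]:
    """Run every sample Referer through the check for one configured pattern."""
    return {name: referer_allowed(pattern, ref) for name, ref in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in [("permissive", PERMISSIVE_PATTERN),
                           ("sloppy", SLOPPY_PATTERN),
                           ("strict", STRICT_PATTERN)]:
        print(f"{label:10s} {pattern!r:32s} {evaluate(pattern)}")
```

With `.*` every sample except the missing header is accepted, which is why it is only a placeholder to get the servlet to start. The "sloppy" pattern rejects an obviously foreign host but still admits a host that merely begins with the app's name, and a dot-for-any-character match; the anchored, escaped pattern admits only pages under the intended origin. The Referer header is also easily suppressed by a client, so this check is a defense-in-depth measure, as the OWASP text quoted above says, and not the primary protection.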