[Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar

P Manchanda manchandap at yahoo.com
Thu Dec 13 03:37:59 UTC 2012


Thanks Paul

Can you provide a practical example for the value of the referer pattern? The documentation page gives the following value but doesn't back it up with an example:


<init-param>
<param-name>referer-pattern</param-name>
<param-value>.*localhost.*</param-value>
</init-param>

The entry in the web.xml of the Owasp.CsrfGuard.Test project is:

<init-param>
<param-name>referer-pattern</param-name>
<param-value>http://localhost:8080.*</param-value>
</init-param>
 
___________________ 
Thks & brgds 
P Manchanda
Mobile: +91-9811210374 
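The question above asks for a practical example of the referer-pattern value. The following Python script is an added illustration, not code from this thread or from the CSRFGuard project: it applies the three patterns that appear in the thread (the `.*` from the sample web.xml, the `.*localhost.*` from the documentation page, and the `http://localhost:8080.*` from the Owasp.CsrfGuard.Test project) to a few constructed Referer header values, so the difference in strictness is visible. It assumes that the whole header value must match the regex (the semantics of Java's `String.matches`); the exact matching call CSRFGuard uses is not shown on this page and should be confirmed in its source. The `anchored_origin` pattern is a hypothetical tightened variant of my own, not a documented setting.

```python
import re
from typing import Dict, Optional

# Referer patterns as they appear in this thread, plus one tightened
# variant of my own (hypothetical; not from the CSRFGuard documentation).
PATTERNS: Dict[str, str] = {
    "wildcard":        r".*",                            # sample web.xml posted in the thread
    "documentation":   r".*localhost.*",                 # CSRFGuard documentation page
    "test_project":    r"http://localhost:8080.*",       # Owasp.CsrfGuard.Test web.xml
    "anchored_origin": r"http://localhost:8080(/.*)?",   # hypothetical: full origin, then optional path
}

# Constructed Referer header values for the comparison (not taken from real traffic).
SAMPLE_REFERERS = [
    "http://localhost:8080/app/index.jsp",            # same origin as the test project
    "http://localhost:8080.other-host.example/page",  # different host that merely begins with the expected origin
    "http://other-host.example/localhost",            # 'localhost' appears only in the path
    None,                                             # header absent
]


def referer_allowed(pattern: str, referer: Optional[str]) -> bool:
    """Decide whether a request carrying `referer` passes the configured pattern.

    Assumption: the whole header value must match the regex (Java String.matches
    semantics). An absent header is treated as a non-match and rejected, which is
    the conservative choice for a defence-in-depth check.
    """
    if referer is None:
        return False
    return re.fullmatch(pattern, referer) is not None


def evaluate_pattern(pattern: str) -> Dict[Optional[str], bool]:
    """Apply one pattern to every sample Referer and report the decision for each."""
    return {referer: referer_allowed(pattern, referer) for referer in SAMPLE_REFERERS}


def accepted_count(pattern: str) -> int:
    """Number of sample Referers a pattern lets through; lower means stricter."""
    return sum(evaluate_pattern(pattern).values())


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:16} {pattern!r}  accepts {accepted_count(pattern)} of {len(SAMPLE_REFERERS)}")
        for referer, allowed in evaluate_pattern(pattern).items():
            print(f"    {'allow ' if allowed else 'reject'}  {referer!r}")
```

Running it shows what Paul's reply above is getting at: `.*` accepts every Referer that is present, so the check adds nothing; `.*localhost.*` accepts any URL that contains the word anywhere, including in the path of another host; `http://localhost:8080.*` is better but only prefix-anchored, so a hostname that merely starts with the expected origin still passes. A pattern that spells out the whole origin and then allows only an optional path is one way to close that gap. Whatever pattern is chosen, note that browsers and proxies sometimes strip the Referer header entirely, so a deployment that rejects absent headers should be tested with the application's own JavaScript and AJAX clients before going live.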



________________________________
 From: Paul Volpe - QV0CD-C <paul.volpe at gsa.gov>
To: P Manchanda <manchandap at yahoo.com> 
Cc: sravani chukka <sravs63 at gmail.com>; "owasp-csrfguard at lists.owasp.org" <owasp-csrfguard at lists.owasp.org> 
Sent: Wednesday, 12 December 2012, 21:41
Subject: Re: [Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar
 

Ok.  That helps and makes sense.  In other words, the pattern .* is not really a good idea -- instead, it should be mapped to some value used by your application to indicate JavaScript and AJAX calls.


On Wed, Dec 12, 2012 at 11:08 AM, P Manchanda <manchandap at yahoo.com> wrote:

Hi Paul,
>
>
>Not sure about your exact query but here is the details of the parameter from OWASP's page:
>
>
>https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
>
>
>Allows the developer to specify a regular expression describing the
>required value of the Referer header. Any attempts to access the servlet
>with a Referer header that does not match the captured expression is
>discarded. Inclusion of referer header checking is to help minimize the
>risk of JavaScript Hijacking attacks that attempt to steal tokens from
>the dynamically generated JavaScript. While the primary defenses against
>JavaScript Hijacking attacks are implemented within the dynamic
>JavaScript itself, referer header checking is implemented to achieve
>defense in depth.
>
>
>
>
>
> 
>___________________ 
>Thks & brgds 
>P Manchanda
>Mobile: +91-9811210374 
>
>
>
>
>________________________________
> From: Paul Volpe - QV0CD-C <paul.volpe at gsa.gov>
>To: P Manchanda <manchandap at yahoo.com> 
>Cc: sravani chukka <sravs63 at gmail.com>; "owasp-csrfguard at lists.owasp.org" <owasp-csrfguard at lists.owasp.org> 
>Sent: Wednesday, 12 December 2012, 21:23
>Subject: Re: [Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar
> 
>
>
>        <init-param>
>          <param-name>referer-pattern</param-name>
>          <param-value>.*</param-value>
>        </init-param>
>
>Quick question on the referer-pattern value...
>This is used by the JavascriptServlet to do what?  The value you have here as an example is very encompassing, so I would like to understand it a bit better.
>
>
>Thanks,
>
>
>- Paul
>
>
>On Tue, Dec 11, 2012 at 10:50 AM, P Manchanda <manchandap at yahoo.com> wrote:
>
>Hi,
>>
>>
>>Please check your web.xml for the entries related to JavascriptServlet. Probably you are missing an init parameter. The entries should look like this:
>>
>>
>> <servlet>
>>      <servlet-name>JavaScriptServlet</servlet-name>
>>      <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
>>        <init-param>
>>          <param-name>source-file</param-name>
>>          <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
>>        </init-param>
>>        <init-param>
>>          <param-name>inject-into-forms</param-name>
>>          <param-value>true</param-value>
>>        </init-param>
>>        <init-param>
>>          <param-name>inject-into-attributes</param-name>
>>          <param-value>true</param-value>
>>        </init-param>
>>        <init-param>
>>          <param-name>domain-strict</param-name>
>>          <param-value>true</param-value>
>>        </init-param>
>>        <init-param>
>>          <param-name>referer-pattern</param-name>
>>          <param-value>.*</param-value>
>>        </init-param>
>>        <init-param>
>>          <param-name>x-requested-with</param-name>
>>          <param-value>OWASP CSRFGuard Project</param-value>
>>        </init-param>
>>     </servlet>
>> 
>>___________________ 
>>Thks & brgds 
>>P Manchanda
>>Mobile: +91-9811210374 
>>
>>
>>
>>
>>________________________________
>> From: sravani chukka <sravs63 at gmail.com>
>>To: owasp-csrfguard at lists.owasp.org 
>>Sent: Tuesday, 11 December 2012, 18:19
>>Subject: [Owasp-csrfguard] Error while using Owasp.CsrfGuard.jar
>> 
>>
>>
>>Hi,
>> 
>>I have a small problem using your jar and require some help using it. I was actually trying to deploy my EAR in JBoss and when I host my weblauncher the following exceptions are thrown showing these errors in
>>Owasp.CsrfGuard.jar. Below is the error
>> 15:11:16,407 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:16 IST 2012] [Info] CsrfGuard analyzing request /pf-weblauncher/loginRealm.jsp
>> 
>>15:11:16,498 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/pf-system]] (http-/0.0.0.0:8081-2) StandardWrapper.Throwable: java.lang.RuntimeException: missing required parameter referer-pattern 
>>at org.owasp.csrfguard.servlet.JavaScriptServlet.getRequiredInitParameter(JavaScriptServlet.java:206) [Owasp.CsrfGuard.jar:] 
>>at org.owasp.csrfguard.servlet.JavaScriptServlet.init(JavaScriptServlet.java:85) [Owasp.CsrfGuard.jar:] 
>>at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1202) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:952) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:188) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1] 
>>at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at java.lang.Thread.run(Unknown Source) [rt.jar:1.7.0_04]
>>15:11:16,500ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/pf-system].[JavaScriptServlet]] (http-/0.0.0.0:8081-2) Allocate exception for servlet JavaScriptServlet: java.lang.RuntimeException: missing required parameter referer-pattern 
>>at org.owasp.csrfguard.servlet.JavaScriptServlet.getRequiredInitParameter(JavaScriptServlet.java:206) [Owasp.CsrfGuard.jar:] 
>>at org.owasp.csrfguard.servlet.JavaScriptServlet.init(JavaScriptServlet.java:85) [Owasp.CsrfGuard.jar:] 
>>at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1202) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:952) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:188) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1] 
>>at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.16.Final-redhat-1.jar:] 
>>at java.lang.Thread.run(Unknown Source) [rt.jar:1.7.0_04]
>>15:11:22,714 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:22 IST 2012] [Info] CsrfGuard analyzing request /pf-weblauncher/webLauncher.do
>>15:11:37,659 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:37 IST 2012] [Info] CsrfGuard analyzing request /pf-system/styles/styles.css
>>15:11:37,662 INFO [stdout] (http-/0.0.0.0:8081-4) [Tue Dec 11 15:11:37 IST 2012] [Info] CsrfGuard analyzing request /pf-system/styles/button_style.css
>>15:11:37,707 INFO [stdout] (http-/0.0.0.0:8081-1) [Tue Dec 11 15:11:37 IST 2012] [Info] CsrfGuard analyzing request /pf-weblauncher/webLauncher.do
>> 
>> 
>> 
>>and the above INFO logs continue to be printed forever. Can you please suggest the cause of the error and the required workaround?
>> 
>> 
>> 
>>Thanks,
>>sravs
>>
>>_______________________________________________
>>Owasp-csrfguard mailing list
>>Owasp-csrfguard at lists.owasp.org
>>https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>>
>>
>>
>>
>>
>
>
>
>-- 
>
>- Paul F. Volpe
>OCMS Team Lead
>paul.volpe at gsa.gov
>703-605-2617 (w)
>585-214-9862 (c)
>
>
>


-- 

- Paul F. Volpe
OCMS Team Lead
paul.volpe at gsa.gov
703-605-2617 (w)
585-214-9862 (c)