[Owasp-csrfguard] How to exclude css and jpeg file from csrf token?

Anton Fomin afomin at jaspersoft.com
Tue Jan 3 15:38:43 UTC 2012


Hi,

Looks like you need to add your resource URIs to the unprotected URIs list in
the Csrf Guard configuration. Hope your resources and pages have different
URIs. On the other hand, you can play with the Csrf filter URI pattern.

Thanks,
Anton.


2012/1/3 ashish kumar Gautam <gautamashishkumar at gmail.com>

>
> Dear All,
>
>
> I am able to configure CSRF Guard in our project and the project is working well.
>
> But the problem is that CSRF Guard enforces sending a CSRF token during calls
> to the CSS file and JPEG file.
> How is it possible to exclude the CSS and JPEG files?
>
>
> *Console:-*
> [Tue Jan 03 14:24:13 IST 2012] [Info] CsrfGuard analyzing request
> /csrfguardfixed/
> [Tue Jan 03 14:24:13 IST 2012] [Info] CsrfGuard analyzing request
> /csrfguardfixed/index.jsp
> [Tue Jan 03 14:24:13 IST 2012] [Info] CsrfGuard analyzing request
> /csrfguardfixed/style.css
> [Tue Jan 03 14:24:13 IST 2012] [Info] CsrfGuard analyzing request
> /csrfguardfixed/images/quote_top.jpg
> [Tue Jan 03 14:24:13 IST 2012] [Info] CsrfGuard analyzing request
> /csrfguardfixed/images/body_bg.jpg
> [Tue Jan 03 14:24:13 IST 2012] [Info] CsrfGuard analyzing request
> /csrfguardfixed/images/header_selected.jpg
> [Tue Jan 03 14:24:13 IST 2012] [Info] CsrfGuard analyzing request
> /csrfguardfixed/images/logo.jpg
> [Tue Jan 03 14:24:13 IST 2012] [Info] CsrfGuard analyzing request
> /csrfguardfixed/images/quote_bottom.jpg
> [Tue Jan 03 14:24:13 IST 2012] [Error] potential cross-site request
> forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.1.10.129,
> uri:/csrfguardfixed/images/body_bg.jpg, error:required token is missing
> from the request)
> [Tue Jan 03 14:24:13 IST 2012] [Error] potential cross-site request
> forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.1.10.129,
> uri:/csrfguardfixed/images/quote_top.jpg, error:required token is missing
> from the request)
> [Tue Jan 03 14:24:13 IST 2012] [Error] potential cross-site request
> forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.1.10.129,
> uri:/csrfguardfixed/images/quote_bottom.jpg, error:required token is
> missing from the request)
> [Tue Jan 03 14:24:13 IST 2012] [Error] potential cross-site request
> forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.1.10.129,
> uri:/csrfguardfixed/images/header_selected.jpg, error:required token is
> missing from the request)
> [Tue Jan 03 14:24:13 IST 2012] [Error] potential cross-site request
> forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.1.10.129,
> uri:/csrfguardfixed/images/logo.jpg, error:required token is missing from
> the request)
> [Tue Jan 03 14:24:13 IST 2012] [Info] CsrfGuard analyzing request
> /csrfguardfixed/error.jsp
>
>
>
> --
> Best regards,
> Ashish K. Gautam
> NIC, Delhi INDIA
>
>
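
One way to apply the first suggestion in the reply, as an added example that is not part of the original thread or the project's own code: entries for the CSRFGuard properties file. It assumes the deployed version reads `org.owasp.csrfguard.unprotected.<label>` keys as CSRFGuard 3.x does and supports extension and path matching; the labels (`Css`, `Jpg`, `Jpeg`, `Images`) are arbitrary names chosen here, and the `/csrfguardfixed` context path is taken from the console log in the question.

```properties
# Added example for Owasp.CsrfGuard.properties (assumed CSRFGuard 3.x key format).
# The text after "unprotected." is only a label; the value is the URI pattern.

# Option A: extension match. Every URI ending in these extensions skips the
# token check, so use it only if no servlet or JSP is mapped to such URIs.
org.owasp.csrfguard.unprotected.Css=*.css
org.owasp.csrfguard.unprotected.Jpg=*.jpg
org.owasp.csrfguard.unprotected.Jpeg=*.jpeg

# Option B (narrower): path match limited to the static image directory and
# an exact match for the single stylesheet seen in the console log.
# org.owasp.csrfguard.unprotected.Images=/csrfguardfixed/images/*
# org.owasp.csrfguard.unprotected.Style=/csrfguardfixed/style.css

# Keep *.jsp, form targets and any other state-changing URIs out of this list
# so they continue to require the token.
```

After a restart, the `[Error] ... required token is missing` lines for `/csrfguardfixed/images/*.jpg` should no longer appear, while requests to dynamic pages are still analyzed.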