[Owasp-csrfguard] JavascriptServlet & owasp.csrfguard.js file. Browser specific issues

Daniel Fiore d_fiore at hotmail.com
Tue Jan 17 17:05:49 UTC 2012



Hello, I was having problems with the dynamic DOM manipulation solution within certain browsers and I modified the JavaScript file to fix certain issues.

I propose that these changes are investigated if they are indeed useless:

In Firefox:

Issue: DOM flickering problem where all the text in the page is displayed for a very brief moment without any formatting.

Solution: I hide the body of the document before the token is injected into each tag and then redisplay it once all the tags are modified, with the setTimeout JavaScript function:

Code:

function injectTokens(tokenName, tokenValue) {
    // hide the page while tokens are injected, to avoid the unstyled flicker
    document.body.style.display = 'none';
...

addEvent(window, 'load', function() {
    injectTokens("%TOKEN_NAME%", "%TOKEN_VALUE%");
});
addEvent(window, 'load', function() {
    // show the page again once injection has finished
    setTimeout(function() { document.body.style.display = 'block'; }, 200);
});
...

In IE:

Issue: When accessing a page that contained the JavascriptServlet <script> tag, the form within the page was being resubmitted to the server after the page was already displayed. I am not certain, but I believe that if you dynamically modify the action attribute of a <form> tag (or the src attribute of an <img> tag) the page is resubmitted, only in IE. This was causing the token to be updated to a new value (if org.owasp.csrfguard.Rotate=true) different from the token contained in the links of the page that is already displayed. If you selected a link to a protected page from the displayed page that contained the JavascriptServlet <script> tag, this would lead to a CSRF attack detection.

Solution: I ignored certain tags in the token injection function and also removed injecting a token attribute in the action attribute of a <form> tag. This will only work if images, scripts and CSS links are unprotected:

Code:

function injectTokens(tokenName, tokenValue) {
...

    // skip resource tags: modifying their src/href triggers a re-request in IE
    if (element.tagName.toLowerCase() != "script"
        && element.tagName.toLowerCase() != "img"
        && element.tagName.toLowerCase() != "image"
        && element.tagName.toLowerCase() != "link") {
        /** inject into form **/
        if (element.tagName.toLowerCase() == "form") {
            if (%INJECT_FORMS% == true) {
                injectTokenForm(element, tokenName, tokenValue, pageTokens); // this should be enough for a form
                // injectTokenAttribute(element, "action", tokenName, tokenValue, pageTokens);
...
}

I hope this can help certain users that have come across the same issues.

Daniel Fiore.
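The injection behaviour the post describes, as an added example that is not part of the original message or of CSRFGuard's own owasp.csrfguard.js: it runs over a small constructed DOM-like tree (the {tag, attrs, children} shape, the node names and the sample page are assumptions), skips script/img/image/link elements, protects forms with a hidden field rather than rewriting the action attribute, and replaces an existing token parameter so a rotated token is not appended twice.

```javascript
// Added example, not CSRFGuard's code: token injection over a constructed
// DOM-like tree (shape {tag, attrs, children} is an assumption).
const SKIP_TAGS = new Set(["script", "img", "image", "link"]);

function withTokenInUrl(url, tokenName, tokenValue) {
  // Append ?name=value (or &name=value), keep the fragment, and replace an
  // existing token parameter so a rotated token is not appended a second time.
  const hashIdx = url.indexOf("#");
  const base = hashIdx === -1 ? url : url.slice(0, hashIdx);
  const fragment = hashIdx === -1 ? "" : url.slice(hashIdx);
  const key = encodeURIComponent(tokenName) + "=";
  const pair = key + encodeURIComponent(tokenValue);
  const qIdx = base.indexOf("?");
  if (qIdx === -1) return base + "?" + pair + fragment;
  const kept = base.slice(qIdx + 1).split("&").filter(p => p && !p.startsWith(key));
  return base.slice(0, qIdx) + "?" + kept.concat(pair).join("&") + fragment;
}

function injectTokens(el, tokenName, tokenValue) {
  const tag = el.tag.toLowerCase();
  if (SKIP_TAGS.has(tag)) return el; // src/href untouched: nothing for IE to re-fetch
  if (tag === "form") {
    // Update the hidden field if present (token rotation), otherwise add one;
    // el.attrs.action is deliberately left alone.
    let field = el.children.find(c => c.tag === "input" && c.attrs.name === tokenName);
    if (!field) {
      field = { tag: "input", attrs: { type: "hidden", name: tokenName }, children: [] };
      el.children.push(field);
    }
    field.attrs.value = tokenValue;
  } else if (tag === "a" && typeof el.attrs.href === "string" && !/^(#|javascript:)/i.test(el.attrs.href)) {
    el.attrs.href = withTokenInUrl(el.attrs.href, tokenName, tokenValue);
  }
  for (const child of el.children) injectTokens(child, tokenName, tokenValue);
  return el;
}

// Constructed sample page: one form, two links and the three resource tags.
function buildSamplePage() {
  const node = (tag, attrs = {}, children = []) => ({ tag, attrs, children });
  return node("body", {}, [
    node("form", { action: "/transfer", method: "post" }, [node("input", { type: "text", name: "amount" })]),
    node("a", { href: "/account?view=all#top" }),
    node("a", { href: "/logout" }),
    node("img", { src: "/logo.png" }),
    node("script", { src: "/JavaScriptServlet" }),
    node("link", { href: "/style.css", rel: "stylesheet" }),
  ]);
}
```

Running injectTokens twice with different token values on the same tree leaves one hidden field per form and one token parameter per link, which is the case the post's Rotate=true setting produces.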