[Owasp-csrfguard] Please Suggest; Is disabling the Rotate feature correct? How to pass wild cards in unprotected page list?

Manish Sharma manish2aug at gmail.com
Tue Jan 31 21:44:19 UTC 2012


Hi,

I implemented OWASP CSRF Guard with my application. I have some queries;
can you please answer the following?

1) I am disabling the Rotate feature so that the tokens won't be refreshed
in session. Is it correct, and will it not add any vulnerability?
2) As per the application we need to use wild cards in our unprotected
pages list, so I made some changes to the isUriMatched() method.
    I added the following piece of code in this method. Please verify, and
if it is correct, can this piece of code be added to the CSRF API in the
    coming version?

 e.g.
/mobile-server/xhtml/user/*/slogin.xhtml

The page slogin.xhtml can be called either way, but behind the scenes the
same JSP is called.
The following two different calls will invoke the same JSP.

/s1mobile-server/xhtml/user/EP/slogin.xhtml
/s1mobile-server/xhtml/user/CID/slogin.xhtml

Where EP and CID are branding group codes which will be decided by the
client.
To handle this I added the following code.
      // Inserted at the top of isUriMatch(String testPath, String requestPath),
      // ahead of the existing match cases.
      /*
       * Case 0: Generic match using wild cards.
       * "/*/" in testPath matches exactly one directory of any name.
       */
      if (testPath.contains("/*/"))
      {
         int index = testPath.indexOf("/*/");
         // Literal prefix of the pattern, up to and including the slash before "*"
         String exactInitialTestPath = testPath.substring(0, index + 1);
         // Remainder of the pattern after "*", starting with "/"
         String newTestPath = testPath.substring(index + 2);
         if (index + 1 > requestPath.length())
         {
            return false;
         }
         String exactInitialRequestPath = requestPath.substring(0, index + 1);

         /*
          * Condition: the literal prefix must match exactly.
          */
         if (!exactInitialTestPath.equals(exactInitialRequestPath))
         {
            return false;
         }

         String remainingRequestPath = requestPath.substring(index + 1);

         /*
          * Allowing the case where the request ends in "*" right after the prefix.
          */
         if (remainingRequestPath.equals("*"))
         {
            return true;
         }

         int dirIndex = remainingRequestPath.indexOf("/");
         /*
          * If no directory separator follows, there is no directory for "*" to match.
          */
         if (dirIndex == -1)
         {
            return false;
         }
         String dirName = remainingRequestPath.substring(0, dirIndex);
         // Remainder of the request after the wild-card directory, starting with "/"
         String newRequestPath = remainingRequestPath.substring(dirIndex);

         /*
          * Condition: the wild-card directory must be non-empty and contain
          * only valid characters for a directory name.
          */
         if (dirName.isEmpty()
               || dirName.contains(":") || dirName.contains("*")
               || dirName.contains("?") || dirName.contains("\"")
               || dirName.contains("<") || dirName.contains(">")
               || dirName.contains("|") || dirName.contains("&")
               || dirName.contains("\\"))
         {
            return false;
         }

         /*
          * Recurse on the remaining part of the pattern and of the request path.
          */
         return isUriMatch(newTestPath, newRequestPath);
      }



-------------------------
Thanks & Regards
Manish Kumar
| Mob: +27-742650187 |
manish2aug at gmail.com
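As an added example (not code from the post above and not part of CSRFGuard), here is a stand-alone segment-by-segment matcher for the same "/*/" unprotected-page pattern. It shows the two checks a reviewer would want before such a rule is trusted: "*" must consume exactly one segment, and an empty or dot segment ("", ".", "..") must never satisfy it, since a character blacklist alone lets those through. The class name, the sample paths and the expected results are constructed for this example; the matcher assumes it is handed an already-decoded, container-normalized request path.

```java
/** Added example: single-segment wild-card matching for an unprotected-page entry. */
public final class WildcardUriMatcher {

    /** True when requestPath matches testPath; "*" matches exactly one non-empty, non-dot segment. */
    public static boolean isUriMatch(String testPath, String requestPath) {
        String[] pattern = testPath.split("/", -1);   // -1 keeps trailing empty segments
        String[] request = requestPath.split("/", -1);
        if (pattern.length != request.length) {
            return false;                              // "*" never spans several segments
        }
        for (int i = 0; i < pattern.length; i++) {
            if ("*".equals(pattern[i])) {
                String seg = request[i];
                if (seg.isEmpty() || ".".equals(seg) || "..".equals(seg)) {
                    return false;                      // reject empty and dot segments
                }
            } else if (!pattern[i].equals(request[i])) {
                return false;                          // literal segments must match exactly
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed pattern and requests, modelled on the post's branding-group example
        String pattern = "/mobile-server/xhtml/user/*/slogin.xhtml";
        String[][] cases = {
            {"/mobile-server/xhtml/user/EP/slogin.xhtml",   "true"},
            {"/mobile-server/xhtml/user/CID/slogin.xhtml",  "true"},
            {"/mobile-server/xhtml/user//slogin.xhtml",     "false"},  // empty segment
            {"/mobile-server/xhtml/user/../slogin.xhtml",   "false"},  // dot segment
            {"/mobile-server/xhtml/user/EP/x/slogin.xhtml", "false"},  // two segments
            {"/mobile-server/xhtml/user/EP/other.xhtml",    "false"},  // different page
        };
        for (String[] c : cases) {
            boolean got = isUriMatch(pattern, c[0]);
            System.out.printf("%-46s -> %s%n", c[0], got);
            if (got != Boolean.parseBoolean(c[1])) {
                throw new AssertionError("unexpected result for " + c[0]);
            }
        }
    }
}
```

Prefix rules such as a trailing "/*" are outside this matcher and are left to the existing match cases.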