[Owasp-csrfguard] IllegalStateExceptions caused by using the Invalidate action
Athie, Nicholas - FSA, Kansas City, MO
Nicholas.Athie at kcc.usda.gov
Mon May 7 16:25:31 UTC 2012
Whenever I try to use the Invalidate action, I get an IllegalStateException if I try to modify the anti-CSRF token value to simulate an attack. It seems that something being called by the filter after the execute() method on the actions completes still assumes the session is valid. Is this a bug, or am I not using the Invalidate action correctly?
Here is my configuration for using the Invalidate action:
##################################
Begin Owasp.CsrfGuard.properties
##################################
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.NewTokenLandingPage=/hello-web/index.html
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Rotate=false
org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.unprotected.css=*.css
org.owasp.csrfguard.unprotected.jpg=*.jpg
org.owasp.csrfguard.unprotected.gif=*.gif
org.owasp.csrfguard.unprotected.png=*.png
org.owasp.csrfguard.unprotected.js=*.js
org.owasp.csrfguard.unprotected.index=/hello-web/index.html
org.owasp.csrfguard.unprotected.default=/hello-web/
org.owasp.csrfguard.unprotected.javascriptServlet=/hello-web/JavaScriptServlet
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (host:%remote_host%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
##################################
End Owasp.CsrfGuard.properties
##################################
If I attempt to hit the webapp and modify the anti-CSRF token, I get the following stack trace:
java.lang.IllegalStateException: setAttribute: Session already invalidated
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1289)
at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1254)
at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:130)
at org.owasp.csrfguard.CsrfGuard.isValidRequest(CsrfGuard.java:316)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:57)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.__invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:595)
Nick Athie
FSA | AO | SAIC
(816) 823-2889
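The ordering problem the stack trace points at, as an added stand-alone Java example (not CSRFGuard's code and not the poster's): a tiny in-memory stand-in for HttpSession reproduces Tomcat's rule that setAttribute() throws IllegalStateException once invalidate() has run. unsafeValidate() writes the token back to the original session reference after the configured actions (log, then invalidate) have executed, which is the sequence the trace shows inside isValidRequest(); guardedValidate() re-acquires the session first and skips the write when an action has ended it. The class, method and variable names are hypothetical; the token name, log message and exception text are taken from the post above, and the token values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class InvalidateOrderingDemo {

    // Session key from the Owasp.CsrfGuard.properties shown above
    static final String TOKEN_NAME = "OWASP_CSRFTOKEN";

    /** Minimal model (not javax.servlet.http.HttpSession) of the calls that matter here. */
    static final class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        private boolean valid = true;

        void setAttribute(String name, Object value) {
            if (!valid) { // same message Tomcat's StandardSession raises
                throw new IllegalStateException("setAttribute: Session already invalidated");
            }
            attrs.put(name, value);
        }

        Object getAttribute(String name) {
            if (!valid) {
                throw new IllegalStateException("getAttribute: Session already invalidated");
            }
            return attrs.get(name);
        }

        void invalidate() { valid = false; attrs.clear(); }
        boolean isValid()  { return valid; }
    }

    /** Stand-in for request.getSession(false): null once the session is gone. */
    static Session liveSession(Session s) {
        return (s != null && s.isValid()) ? s : null;
    }

    /** Constant-time comparison so the check itself does not leak token bytes by timing. */
    static boolean tokensMatch(String expected, String submitted) {
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Mirrors the two configured actions: Log, then Invalidate. */
    static void runActions(Session session, String reason) {
        System.out.println("potential cross-site request forgery (CSRF) attack thwarted (error:" + reason + ")");
        session.invalidate(); // the Invalidate action ends the session here
    }

    /** Reproduces the reported failure: post-action bookkeeping on a dead session. */
    static boolean unsafeValidate(Session session, String submitted) {
        String expected = (String) session.getAttribute(TOKEN_NAME);
        boolean ok = tokensMatch(expected, submitted);
        if (!ok) runActions(session, "invalid token");
        session.setAttribute(TOKEN_NAME, expected); // throws after Invalidate ran
        return ok;
    }

    /** Guarded variant: re-acquire the session and only write to it if it is still live. */
    static boolean guardedValidate(Session session, String submitted) {
        String expected = (String) session.getAttribute(TOKEN_NAME);
        boolean ok = tokensMatch(expected, submitted);
        if (!ok) runActions(session, "invalid token");
        Session live = liveSession(session);
        if (live != null) {
            live.setAttribute(TOKEN_NAME, expected);
        } // else: an action ended the session; nothing left to update
        return ok;
    }

    static Session newSessionWithToken(String token) {
        Session s = new Session();
        s.setAttribute(TOKEN_NAME, token);
        return s;
    }

    public static void main(String[] args) {
        String real = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4";     // constructed 32-char token
        String tampered = "ZZZZC3D4E5F6A1B2C3D4E5F6A1B2C3D4"; // constructed mismatch

        try {
            unsafeValidate(newSessionWithToken(real), tampered);
        } catch (IllegalStateException e) {
            System.out.println("unsafe flow: " + e.getMessage());
        }
        boolean ok = guardedValidate(newSessionWithToken(real), tampered);
        System.out.println("guarded flow: request accepted=" + ok + ", no exception");
        System.out.println("valid token accepted=" + guardedValidate(newSessionWithToken(real), real));
    }
}
```

Compile and run with `javac InvalidateOrderingDemo.java && java InvalidateOrderingDemo`. In a real filter the equivalent of liveSession() is request.getSession(false), which on Tomcat returns null once the session has been invalidated; the defensive rule is that any write to the session after the actions have executed must go through that re-check rather than a reference captured before they ran.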