[Owasp-csrfguard] Double Refresh for every request

Mehdi Bennani mehdibennani at hotmail.com
Thu May 17 15:31:37 UTC 2012


Hi you guys,

I have just set up CSRF Guard to work with my Struts2-Spring project. I have 2 issues:

1- For every request, all my resources are requested twice, i.e. all the CSS, images, etc. are requested twice, once without the OWASP token and once with the token.
In fact, a quick inspection through Firebug reveals the following timeline:
- A bunch of GETs are issued (my resources) (without the OWASP token)
  Among them, a GET to the OWASP JavaScriptServlet
- Then at some point, a POST to JavaScriptServlet is sent out
- Then a slew of GETs (the same ones as before, i.e. my resources), this time with ?OWASP_CSRFTOKEN=... appended to each GET

Is this how it is supposed to be working? I must have configured something wrong...
I mean, even if I would like to disregard the performance loss related to the double requests, my site loads funny now: it loads without the CSS/JS at first (so it looks pretty ugly), then a split second later the site is refreshed and everything is there. It is slow enough that we can notice it.

2- When I log in, it fails with a 403. I checked my form submission and it does not seem to contain the OWASP_CSRFTOKEN. Hence the 403...

Any help is appreciated,

Here is my config:

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Ajax=true

org.owasp.csrfguard.unprotected.DefaultHome=/localhost/home
org.owasp.csrfguard.unprotected.403=/localhost/403.jsp
org.owasp.csrfguard.unprotected.404=/localhost/404.jsp

org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/localhost/403.jsp
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate

org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG

And the JavaScriptServlet:

    <servlet>
        <servlet-name>JavaScriptServlet</servlet-name>
        <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
        <init-param>
            <param-name>source-file</param-name>
            <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
        </init-param>
        <init-param>
            <param-name>inject-into-forms</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>inject-into-attributes</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>domain-strict</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>referer-pattern</param-name>
            <param-value>.*localhost.*</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>JavaScriptServlet</servlet-name>
        <url-pattern>/JavaScriptServlet</url-pattern>
    </servlet-mapping>

Elextra/
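As an added illustration of the double-fetch symptom described in this post (this is not CSRFGuard's own Owasp.CsrfGuard.js and not code from the poster), the block below models what an "inject-into-attributes" pass does to a page: it rewrites the URL-bearing attributes of already-rendered elements to carry the token, and each rewritten `src`/`href` makes the browser discard the resource it has loaded and request the new URL, which is the second wave of GETs seen in Firebug. The element objects, the sample page and the token value `EXAMPLE-TOKEN-VALUE` are constructed here; the token name `OWASP_CSRFTOKEN` is the one from the poster's config. The `skipStatic` option is an assumption about how one might limit the rewrite, not a CSRFGuard setting: a GET of a stylesheet or image changes no server state, so tokenising it gains no CSRF protection and only costs a re-fetch.

```javascript
// Simplified model of attribute-based CSRF token injection (added example,
// not CSRFGuard's implementation). Elements are plain objects standing in
// for DOM nodes so the logic runs outside a browser.

const TOKEN_NAME = "OWASP_CSRFTOKEN";       // token name from the poster's config
const TOKEN_VALUE = "EXAMPLE-TOKEN-VALUE";  // constructed placeholder, not a real token

// Attributes whose rewrite makes the browser re-request the referenced URL
// (src/href) or changes where a later submit goes (action).
const URL_ATTRIBUTES = ["src", "href", "action"];

// Static assets: fetching them is a state-free GET, so a token adds nothing
// but a second download. (Assumed list, not a CSRFGuard setting.)
const STATIC_EXTENSIONS = [".css", ".js", ".png", ".jpg", ".gif", ".ico"];

function isStaticResource(url) {
  const path = url.split("?")[0].split("#")[0].toLowerCase();
  return STATIC_EXTENSIONS.some((ext) => path.endsWith(ext));
}

// Append the token as a query parameter, preserving an existing query string
// and fragment, and leaving URLs that already carry the token untouched.
function appendToken(url, name = TOKEN_NAME, value = TOKEN_VALUE) {
  const hashIdx = url.indexOf("#");
  const fragment = hashIdx >= 0 ? url.slice(hashIdx) : "";
  const base = hashIdx >= 0 ? url.slice(0, hashIdx) : url;
  if (base.includes(name + "=")) return url;
  const sep = base.includes("?") ? "&" : "?";
  return base + sep + encodeURIComponent(name) + "=" + encodeURIComponent(value) + fragment;
}

// Rewrite the URL attributes of every element. Returns the URLs the browser
// will now fetch a second time (src/href only; action is used on submit).
function injectIntoAttributes(elements, { skipStatic = false } = {}) {
  const refetched = [];
  for (const el of elements) {
    for (const attr of URL_ATTRIBUTES) {
      const url = el[attr];
      if (!url) continue;
      if (skipStatic && isStaticResource(url)) continue;
      const rewritten = appendToken(url);
      if (rewritten !== url) {
        el[attr] = rewritten;
        if (attr !== "action") refetched.push(rewritten);
      }
    }
  }
  return refetched;
}

// Constructed sample page: a stylesheet, a versioned script, a link, a login form.
function samplePage() {
  return [
    { tag: "link", href: "/static/site.css" },
    { tag: "script", src: "/static/app.js?v=3" },
    { tag: "a", href: "/account#settings" },
    { tag: "form", action: "/login" },
  ];
}

// Compare the two strategies on the same page.
console.log("all attributes :", injectIntoAttributes(samplePage()));
console.log("skip static    :", injectIntoAttributes(samplePage(), { skipStatic: true }));
```

Run with `node` and the first line lists three re-fetched URLs (the two static assets plus the link), the second only the link. The takeaway for anyone seeing this symptom is to look at which attributes the injection is allowed to rewrite: the login form, by contrast, needs the token as a hidden field in its POST body (the `inject-into-forms` path), so the second issue in the post is a question of whether that injection ran on the login page at all, not of attribute rewriting.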