[Owasp-csrfguard] Issue with IE8

Unmesh Desale Unmesh_Desale at symantec.com
Tue Aug 6 13:11:56 UTC 2013


Thanks P Manchanda.

I tried it but it was not working for me.

Rajesh's solution below is working now, after clearing the cache and closing the dev tools plug-in in IE. Now I am able to see the CSRF token in IE8.

The other problem is that whenever an AJAX request goes to the server, it doesn't contain the CSRF token and request validation fails. Do I need to change any JavaScript to support AJAX requests?

Currently, the CSRF Guard properties file has the property below set.
org.owasp.csrfguard.Ajax=true



Thanks,
Unmesh Desale
________________________________

Office: +91 20 40754 4823  Mobile: +91 9657725432
unmesh_desale at symantec.com
________________________________
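The AJAX case asked about above, as an added example that is not part of the original post or of CSRFGuard's own Owasp.CsrfGuard.js: with org.owasp.csrfguard.Ajax=true the injected script is expected to add the token to XMLHttpRequest calls as a request header named by TokenName. This is how such a hook can be written, together with an explicit fallback for a browser whose XMLHttpRequest cannot be patched, which is what Tom reports further down for IE < 9. TOKEN_NAME is taken from the properties in the thread; pageOrigin, FakeXhr, LegacyXhr and the sample URLs are assumptions constructed here so the example runs offline.

```javascript
'use strict';
// Added example, not code from Owasp.CsrfGuard.js: attaches the session token
// to AJAX requests as a request header, which is what the Ajax=true setting
// expects the injected script to do. TOKEN_NAME mirrors the TokenName property
// quoted in the thread; pageOrigin, FakeXhr and LegacyXhr are assumptions.

var TOKEN_NAME = 'OWASP_CSRFTOKEN';

// Relative URLs are same-origin; absolute ones must share scheme://host[:port].
function isSameOrigin(url, pageOrigin) {
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(url)) return true;
  var u = url.toLowerCase(), o = pageOrigin.toLowerCase();
  return u === o || u.indexOf(o + '/') === 0;
}

// Patches XhrCtor.prototype so every request opened through it sends the token
// header, but only on same-origin requests (the token must not leak elsewhere).
// Returns false when there is nothing patchable, the situation reported for
// IE < 9, where XMLHttpRequest is a host object without a usable prototype.
function installXhrTokenHook(XhrCtor, tokenValue, pageOrigin) {
  var proto = XhrCtor && XhrCtor.prototype;
  if (!proto || typeof proto.open !== 'function' || typeof proto.send !== 'function') {
    return false;
  }
  if (proto.__csrfHooked) return true;           // install once
  var origOpen = proto.open, origSend = proto.send;
  proto.open = function (method, url) {
    this.__csrfSameOrigin = isSameOrigin(String(url), pageOrigin);
    return origOpen.apply(this, arguments);
  };
  proto.send = function () {
    if (this.__csrfSameOrigin) this.setRequestHeader(TOKEN_NAME, tokenValue);
    return origSend.apply(this, arguments);
  };
  proto.__csrfHooked = true;
  return true;
}

// Fallback for unpatchable XHR objects: the caller adds the header explicitly.
function sendWithToken(xhr, method, url, body, tokenValue, pageOrigin) {
  xhr.open(method, url, true);
  if (isSameOrigin(String(url), pageOrigin)) xhr.setRequestHeader(TOKEN_NAME, tokenValue);
  xhr.send(body === undefined ? null : body);
  return xhr;
}

// Constructed stand-in for a browser XMLHttpRequest so the example runs offline.
function FakeXhr() { this.headers = {}; this.sent = undefined; }
FakeXhr.prototype.open = function (method, url) { this.method = method; this.url = url; };
FakeXhr.prototype.setRequestHeader = function (name, value) { this.headers[name] = value; };
FakeXhr.prototype.send = function (body) { this.sent = body; };

// Constructed stand-in for an IE8-style host object: open/send live on the
// instance, not on the prototype, so installXhrTokenHook must refuse it.
function LegacyXhr() {
  var h = {};
  this.open = function (method, url) { this.url = url; };
  this.setRequestHeader = function (name, value) { h[name] = value; };
  this.send = function () { this.headers = h; };
}

function demo() {
  var token = 'c0ffee00'.repeat(4), origin = 'http://localhost:8080';
  var hooked = installXhrTokenHook(FakeXhr, token, origin);
  var same = new FakeXhr();
  same.open('POST', '/appliance/manage.appliance.patch.details.do');
  same.send('a=1');
  var cross = new FakeXhr();
  cross.open('GET', 'http://attacker.example/collect');
  cross.send();
  var legacyHooked = installXhrTokenHook(LegacyXhr, token, origin);
  var legacy = sendWithToken(new LegacyXhr(), 'POST', '/appliance/x.do', 'a=1', token, origin);
  return {
    hooked: hooked,
    sameOriginHeader: same.headers[TOKEN_NAME],
    crossOriginHeader: cross.headers[TOKEN_NAME],
    legacyHooked: legacyHooked,
    legacyHeader: legacy.headers[TOKEN_NAME]
  };
}
```

The header name has to match org.owasp.csrfguard.TokenName on the server side; a request that arrives with neither that header nor the form parameter is rejected, which is the validation failure described above. The same-origin check matters because the token is a secret: a hook that adds it to every XMLHttpRequest would hand it to any third-party endpoint the page talks to.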


From: P Manchanda [mailto:manchandap at yahoo.com]
Sent: Tuesday, August 06, 2013 4:27 PM
To: Unmesh Desale; Tom Barber
Cc: owasp-csrfguard at lists.owasp.org
Subject: Re: [Owasp-csrfguard] Issue with IE8

Can you try with the following servlet init parameter:

          <param-name>referer-pattern</param-name>
          <param-value>.*</param-value>


___________________
Thks & brgds
P Manchanda
Mobile: +91-9811210374

________________________________
From: Unmesh Desale <Unmesh_Desale at symantec.com>
To: Tom Barber <tom.a.barber at gmail.com>
Cc: "owasp-csrfguard at lists.owasp.org" <owasp-csrfguard at lists.owasp.org>
Sent: Tuesday, 6 August 2013, 14:13
Subject: Re: [Owasp-csrfguard] Issue with IE8

Yes, it is the injection of tokens into links etc.; I am not getting any error for AJAX requests. I am not able to see any CSRF token in IE8.

Thanks,
Unmesh Desale
________________________________

Office: +91 20 40754 4823  Mobile: +91 9657725432
unmesh_desale at symantec.com
________________________________


From: Tom Barber [mailto:tom.a.barber at gmail.com]
Sent: Tuesday, August 06, 2013 1:57 PM
To: Unmesh Desale
Cc: owasp-csrfguard at lists.owasp.org; Rajesh Punjabi
Subject: Re: [Owasp-csrfguard] Issue with IE8

Is it the injection of tokens into links etc. or AJAX requests that is failing? I found that XMLHttpRequest injection doesn't work in <IE9.
On Aug 6, 2013 6:34 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com> wrote:
Hi Rajesh,

I tried the solution below but it is still not able to inject the token. Whenever I place an alert message in that function, I am able to see the CSRF token in the resulting HTML (IE8).

element.setAttribute(attr, location);
alert('token injected:' + value);

Below are my settings for the servlet in web.xml:

<servlet>
            <servlet-name>JavaScriptServlet</servlet-name>
            <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
            <init-param>
                  <param-name>source-file</param-name>
                  <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
            </init-param>
            <init-param>
                  <param-name>inject-into-forms</param-name>
                  <param-value>true</param-value>
            </init-param>
            <init-param>
                  <param-name>inject-into-attributes</param-name>
                  <param-value>true</param-value>
            </init-param>
            <init-param>
                  <param-name>domain-strict</param-name>
                  <param-value>true</param-value>
            </init-param>
            <init-param>
                  <param-name>referer-pattern</param-name>
                  <param-value>.*localhost:8080.*</param-value>
            </init-param>
</servlet>

Below are the settings for the CSRF Guard properties:


org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger

org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false

org.owasp.csrfguard.Ajax=true

org.owasp.csrfguard.unprotected.Default=/appliance
org.owasp.csrfguard.unprotected.JavaScriptServlet=/appliance/JavaScriptServlet
org.owasp.csrfguard.unprotected.JavaScript=*.js
org.owasp.csrfguard.unprotected.css=*.css
org.owasp.csrfguard.unprotected.html=*.html
org.owasp.csrfguard.unprotected.png=*.png
org.owasp.csrfguard.unprotected.jpg=*.jpg
org.owasp.csrfguard.unprotected.ico=*.ico
org.owasp.csrfguard.unprotected.gif=*.gif
org.owasp.csrfguard.unprotected.Tag=/tag.jsp
org.owasp.csrfguard.unprotected.jsp=*.jsp
org.owasp.csrfguard.unprotected.Error=/appliance/error.html
org.owasp.csrfguard.unprotected.Patch=/appliance/manage.appliance.patch.details.do
org.owasp.csrfguard.unprotected.SecurityEdit=/appliance/settings.appreconfig.security.edit.do
org.owasp.csrfguard.unprotected.launchInitConfig=/appliance/launch.configure.appliance.do

org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)

org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/appliance/error.html
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate

org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN

org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN


org.owasp.csrfguard.TokenLength=32

org.owasp.csrfguard.PRNG=SHA1PRNG

Thanks,
Unmesh Desale
________________________________

Office: +91 20 40754 4823  Mobile: +91 9657725432
unmesh_desale at symantec.com
________________________________
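Since which requests get validated at all is decided entirely by the unprotected.* values pasted above, here is an added example (not CSRFGuard's own code, and not part of the original message) that evaluates those exact patterns against a few constructed request URIs. The matching rules it applies are an assumption about CSRFGuard 3.x: a value starting with "^" is a regular expression, one ending in "*" is a path prefix, one starting with "*" is a suffix (extension) match, and anything else must match exactly. Run against the values above it makes the practical effect visible: every .jsp and .html URI is exempt, so only the .do actions that are not individually listed are actually checked.

```javascript
'use strict';
// Added example, not CSRFGuard's own code. Reproduces the "is this request URI
// validated?" decision for the unprotected.* properties quoted in the thread,
// under matching rules assumed for CSRFGuard 3.x (see the lead-in). The
// sample URIs in demo() are constructed for this example.

var UNPROTECTED_PROPERTIES = [
  'org.owasp.csrfguard.unprotected.Default=/appliance',
  'org.owasp.csrfguard.unprotected.JavaScriptServlet=/appliance/JavaScriptServlet',
  'org.owasp.csrfguard.unprotected.JavaScript=*.js',
  'org.owasp.csrfguard.unprotected.css=*.css',
  'org.owasp.csrfguard.unprotected.html=*.html',
  'org.owasp.csrfguard.unprotected.png=*.png',
  'org.owasp.csrfguard.unprotected.jpg=*.jpg',
  'org.owasp.csrfguard.unprotected.ico=*.ico',
  'org.owasp.csrfguard.unprotected.gif=*.gif',
  'org.owasp.csrfguard.unprotected.Tag=/tag.jsp',
  'org.owasp.csrfguard.unprotected.jsp=*.jsp',
  'org.owasp.csrfguard.unprotected.Error=/appliance/error.html',
  'org.owasp.csrfguard.unprotected.Patch=/appliance/manage.appliance.patch.details.do',
  'org.owasp.csrfguard.unprotected.SecurityEdit=/appliance/settings.appreconfig.security.edit.do',
  'org.owasp.csrfguard.unprotected.launchInitConfig=/appliance/launch.configure.appliance.do'
];

var PREFIX = 'org.owasp.csrfguard.unprotected.';

// Turns "org.owasp.csrfguard.unprotected.<name>=<pattern>" lines into rules.
function parseUnprotected(lines) {
  var out = [];
  lines.forEach(function (line) {
    var eq = line.indexOf('=');
    if (eq === -1 || line.indexOf(PREFIX) !== 0) return;
    out.push({ name: line.slice(PREFIX.length, eq).trim(), pattern: line.slice(eq + 1).trim() });
  });
  return out;
}

// Assumed rule order: regex, then path prefix, then suffix, then exact match.
function uriMatches(pattern, uri) {
  if (pattern.charAt(0) === '^') return new RegExp(pattern).test(uri);
  if (pattern.charAt(pattern.length - 1) === '*') return uri.indexOf(pattern.slice(0, -1)) === 0;
  if (pattern.charAt(0) === '*') return uri.endsWith(pattern.slice(1));
  return uri === pattern;
}

// Returns the first rule that exempts the URI, or null when it is validated.
function exemptingRule(uri, rules) {
  for (var i = 0; i < rules.length; i++) {
    if (uriMatches(rules[i].pattern, uri)) return rules[i];
  }
  return null;
}

function classify(uri, rules) {
  var rule = exemptingRule(uri, rules);
  return { uri: uri, validated: rule === null, exemptedBy: rule ? rule.name : null };
}

// Suffix rules are whole file types exempted from validation, not single pages.
function exemptedSuffixes(rules) {
  return rules.filter(function (r) { return r.pattern.charAt(0) === '*'; })
              .map(function (r) { return r.pattern.slice(1); });
}

function demo() {
  var rules = parseUnprotected(UNPROTECTED_PROPERTIES);
  var sample = [
    '/appliance',                                    // context root, exact rule
    '/appliance/',                                   // not the same string, so validated
    '/appliance/manage.appliance.patch.details.do',  // listed explicitly
    '/appliance/manage.users.delete.do',             // constructed: a .do that is not listed
    '/appliance/admin/delete.user.jsp',              // constructed: exempt through *.jsp
    '/appliance/login.html'                          // constructed: exempt through *.html
  ];
  return {
    rules: rules,
    suffixes: exemptedSuffixes(rules),
    results: sample.map(function (u) { return classify(u, rules); })
  };
}
```

The wildcard entries are meant for static resources (scripts, stylesheets, images); before relying on this configuration it is worth confirming that no state-changing action is reachable under a .jsp or .html URI, because such a request would never be asked for a token.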


From: Rajesh Punjabi [mailto:rajesh_punjabi at hotmail.com]
Sent: Monday, August 05, 2013 10:44 PM
To: Unmesh Desale; owasp-csrfguard at lists.owasp.org
Subject: RE: [Owasp-csrfguard] Issue with IE8

I got into the same issue and here is what I wrote earlier on a thread.

It seems when the JavaScriptServlet injects tokens into all the elements in the DOM, it also attaches the token to <script src=''> and <link href=''>.
In IE8 the browser loads all the CSS files and JS files twice. This seems to screw things up.
You could try setting the INJECT_ATTRIBUTES parameter to false.

Alternatively, if you think this may break some functionality you desire, then in the injectTokenAttribute() method I added the following line (more of a hack):
if(location != null && isValidUrl(location) && !location.toLowerCase().endsWith(".css") && !location.toLowerCase().endsWith(".js") && !location.toLowerCase().endsWith("javascriptservlet")) {
    var uri = parseUri(location);
    .....................
}

So basically for JS and CSS files we shouldn't need to attach the CSRFTOKEN attribute.

HTH

Best,
Rajesh
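The attribute-injection filter Rajesh describes, as an added example that is neither his patch nor CSRFGuard's Owasp.CsrfGuard.js. It makes the same decision his hack makes (skip .css, .js and the JavaScriptServlet URL) and generalises it a little: skip by tag name as well as by extension, skip non-http(s) schemes and cross-origin URLs, and append the token without breaking an existing query string or fragment, replacing a stale copy of the parameter rather than adding a second one. TOKEN_NAME is the TokenName property from the thread; pageOrigin, FakeElement and the sample URLs are assumptions constructed for this example.

```javascript
'use strict';
// Added example, not Rajesh's patch or CSRFGuard's own script. Shows the
// per-attribute decision and the URL rewrite for link/form token injection.
// TOKEN_NAME comes from the thread; everything else here is assumed.

var TOKEN_NAME = 'OWASP_CSRFTOKEN';
var SKIP_SUFFIXES = ['.css', '.js', 'javascriptservlet'];  // fetched resources, never submitted
var SKIP_TAGS = ['script', 'link'];

// Relative URLs are same-origin; absolute ones must share scheme://host[:port].
function isSameOrigin(url, pageOrigin) {
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(url)) return true;
  var u = url.toLowerCase(), o = pageOrigin.toLowerCase();
  return u === o || u.indexOf(o + '/') === 0;
}

// Decides whether an element attribute value should receive the token.
function shouldInjectToken(tagName, url, pageOrigin) {
  if (typeof url !== 'string' || url === '') return false;
  var lower = url.toLowerCase();
  if (/^(javascript|mailto|data|tel):/.test(lower)) return false; // not a request to this app
  if (!isSameOrigin(lower, pageOrigin)) return false;             // never leak the token cross-origin
  if (SKIP_TAGS.indexOf(String(tagName).toLowerCase()) !== -1) return false;
  var path = lower.split(/[?#]/)[0];                              // compare the path only
  return !SKIP_SUFFIXES.some(function (s) { return path.endsWith(s); });
}

function escapeRegExp(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Adds name=value to the query string, before any #fragment, replacing an
// existing copy of the parameter instead of appending a second one.
function addTokenToUrl(url, name, value) {
  var hash = url.indexOf('#');
  var base = hash === -1 ? url : url.slice(0, hash);
  var fragment = hash === -1 ? '' : url.slice(hash);
  var pair = encodeURIComponent(name) + '=' + encodeURIComponent(value);
  var existing = new RegExp('([?&])' + escapeRegExp(name) + '=[^&#]*');
  if (existing.test(base)) return base.replace(existing, '$1' + pair) + fragment;
  return base + (base.indexOf('?') === -1 ? '?' : '&') + pair + fragment;
}

// The per-attribute step; returns true when the attribute was rewritten.
function injectTokenAttribute(element, attr, tokenValue, pageOrigin) {
  var location = element.getAttribute(attr);
  if (!shouldInjectToken(element.tagName, location, pageOrigin)) return false;
  element.setAttribute(attr, addTokenToUrl(location, TOKEN_NAME, tokenValue));
  return true;
}

// Constructed stand-in for a DOM element so this runs outside a browser.
function FakeElement(tagName, attrs) { this.tagName = tagName; this.attrs = attrs; }
FakeElement.prototype.getAttribute = function (n) {
  return Object.prototype.hasOwnProperty.call(this.attrs, n) ? this.attrs[n] : null;
};
FakeElement.prototype.setAttribute = function (n, v) { this.attrs[n] = v; };

function demo() {
  var token = 'c0ffee00'.repeat(4), origin = 'http://localhost:8080';
  var elements = [
    ['a', 'href', '/appliance/settings.appreconfig.security.edit.do?id=7#general'],
    ['a', 'href', '/appliance/list.do?' + TOKEN_NAME + '=stale'],
    ['script', 'src', '/appliance/js/app.js'],
    ['link', 'href', '/appliance/css/site.css'],
    ['a', 'href', '/appliance/JavaScriptServlet'],
    ['a', 'href', 'javascript:void(0)'],
    ['a', 'href', 'http://attacker.example/steal'],
    ['form', 'action', 'http://localhost:8080/appliance/save.do']
  ];
  return elements.map(function (e) {
    var attrs = {};
    attrs[e[1]] = e[2];
    var el = new FakeElement(e[0], attrs);
    return { injected: injectTokenAttribute(el, e[1], token, origin), value: el.getAttribute(e[1]) };
  });
}
```

Filtering on tag name catches the double-load problem regardless of extension (a stylesheet served from a .do or a versioned script URL would slip past a suffix check), while the suffix list still covers resources referenced from attributes on other elements.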

________________________________
From: Unmesh_Desale at symantec.com
To: owasp-csrfguard at lists.owasp.org
Date: Mon, 5 Aug 2013 05:41:03 -0700
Subject: [Owasp-csrfguard] Issue with IE8
Hi All,

I have configured OWASP CSRFGuard for my project. It is working fine when I am browsing my site using Mozilla Firefox, but the same site does not work when I browse it through IE 8. This module is not able to inject the CSRF token for IE8.

Does this module work with (support) IE8 and higher versions? Is it cross-browser compatible?

Please suggest a solution. I am in urgent need of help.


Thanks,
Unmesh Desale
________________________________

Office: +91 20 40754 4823  Mobile: +91 9657725432
unmesh_desale at symantec.com
________________________________



_______________________________________________
Owasp-csrfguard mailing list
Owasp-csrfguard at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-csrfguard

