[Owasp-csrfguard] Issue with IE8

Tom Barber tom.a.barber at gmail.com
Tue Aug 6 13:19:17 UTC 2013


As I mentioned before I found that csrfguard does not work correctly with
ie8 when it comes to ajax requests.
Thanks
Tom
On Aug 6, 2013 9:44 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com> wrote:

> Yes it is the injection of tokens into links etc… not getting any error
> for ajax request. I am not able to see any CSRF token in IE8.
>
> Thanks,
>
> Unmesh Desale
> ________________________________
>
> Office: +91 20 40754 4823  Mobile: +91 9657725432
> unmesh_desale at symantec.com
> ________________________________
>
>
> From: Tom Barber [mailto:tom.a.barber at gmail.com]
> Sent: Tuesday, August 06, 2013 1:57 PM
> To: Unmesh Desale
> Cc: owasp-csrfguard at lists.owasp.org; Rajesh Punjabi
> Subject: Re: [Owasp-csrfguard] Issue with IE8
>
> Is it the injection of tokens into links etc or ajax requests that is
> failing? I found that xmlhttprequest injection doesn't work in <ie9
>
> On Aug 6, 2013 6:34 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com>
> wrote:
>
> Hi Rajesh,
>
> Tried the below solution but it is still not able to inject the token.
> Whenever I am placing one alert message in that function then I am able to
> see CSRF token in resulting html (IE8).
>
> element.setAttribute(attr, location);
> alert('token injected:' + value);
>
> Below are my settings for servlet in web.xml;
>
>
> <servlet>
>     <servlet-name>JavaScriptServlet</servlet-name>
>     <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
>     <init-param>
>         <param-name>source-file</param-name>
>         <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
>     </init-param>
>     <init-param>
>         <param-name>inject-into-forms</param-name>
>         <param-value>true</param-value>
>     </init-param>
>     <init-param>
>         <param-name>inject-into-attributes</param-name>
>         <param-value>true</param-value>
>     </init-param>
>     <init-param>
>         <param-name>domain-strict</param-name>
>         <param-value>true</param-value>
>     </init-param>
>     <init-param>
>         <param-name>referer-pattern</param-name>
>         <param-value>.*localhost:8080.*</param-value>
>     </init-param>
> </servlet>
>
>
> Below are settings for CSRF Guard Properties:
>
> org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
>
> org.owasp.csrfguard.TokenPerPage=true
> org.owasp.csrfguard.TokenPerPagePrecreate=false
>
> org.owasp.csrfguard.Ajax=true
>
> org.owasp.csrfguard.unprotected.Default=/appliance
> org.owasp.csrfguard.unprotected.JavaScriptServlet=/appliance/JavaScriptServlet
> org.owasp.csrfguard.unprotected.JavaScript=*.js
> org.owasp.csrfguard.unprotected.css=*.css
> org.owasp.csrfguard.unprotected.html=*.html
> org.owasp.csrfguard.unprotected.png=*.png
> org.owasp.csrfguard.unprotected.jpg=*.jpg
> org.owasp.csrfguard.unprotected.ico=*.ico
> org.owasp.csrfguard.unprotected.gif=*.gif
> org.owasp.csrfguard.unprotected.Tag=/tag.jsp
> org.owasp.csrfguard.unprotected.jsp=*.jsp
> org.owasp.csrfguard.unprotected.Error=/appliance/error.html
> org.owasp.csrfguard.unprotected.Patch=/appliance/manage.appliance.patch.details.do
> org.owasp.csrfguard.unprotected.SecurityEdit=/appliance/settings.appreconfig.security.edit.do
> org.owasp.csrfguard.unprotected.launchInitConfig=/appliance/launch.configure.appliance.do
>
> org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
> org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
>
> org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
> org.owasp.csrfguard.action.Redirect.Page=/appliance/error.html
> org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
>
> org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
> org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
> org.owasp.csrfguard.TokenLength=32
> org.owasp.csrfguard.PRNG=SHA1PRNG
>
>
> Thanks,
>
> Unmesh Desale
>
>
> From: Rajesh Punjabi [mailto:rajesh_punjabi at hotmail.com]
> Sent: Monday, August 05, 2013 10:44 PM
> To: Unmesh Desale; owasp-csrfguard at lists.owasp.org
> Subject: RE: [Owasp-csrfguard] Issue with IE8
>
> I got into the same issue and here is what I wrote earlier on a thread.
>
>
> It seems when the JavaScriptServlet injects tokens to all the elements in
> the DOM, it also attaches the token to <script src=''> and <link href=''>.
> In IE8 the browser loads all the css files and JS files twice.  This seems
> to screw up things.
> You could try to make the INJECT_ATTRIBUTES parameter as false.
>
> Alternatively, if you think this may break some functionality you desire
> then in the injectTokenAttribute() method I added the following line. (more
> of a hack)
>
> if(location != null && isValidUrl(location) &&
>    !location.toLowerCase().endsWith(".css") &&
>    !location.toLowerCase().endsWith(".js") &&
>    !location.toLowerCase().endsWith("javascriptservlet")) {
>     var uri = parseUri(location);
>     .....................
> }
>
> So basically for js, css files we shouldn't need to attach the CSRFTOKEN
> attribute.
>
> HTH
>
> Best,
> Rajesh
>
> ------------------------------
>
> From: Unmesh_Desale at symantec.com
> To: owasp-csrfguard at lists.owasp.org
> Date: Mon, 5 Aug 2013 05:41:03 -0700
> Subject: [Owasp-csrfguard] Issue with IE8
>
> Hi All,
>
> I have configured OWASP CSRFGuard for my project. It is working fine when
> I am browsing my site using Firefox Mozilla but the same site does not work
> when I browse it through IE 8. This module is not able to inject CSRF token
> for IE8.
>
> Does this module work with (support) IE8 and higher versions? Is it
> cross-browser compatible?
>
> Please suggest me some solution. I am in urgent need of help.
>
>
> Thanks,
>
> Unmesh Desale
>
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
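The fix Rajesh describes above is a filter in front of the attribute injection: leave `<script src>`, `<link href>` and the JavaScriptServlet URL alone so IE8 does not fetch each stylesheet and script a second time under a tokenised URL, and only append the token to same-origin, HTTP(S) URLs (the domain-strict behaviour). The block below is an added, stand-alone illustration of that filter and of the token-append step; it is not code from CSRFGuard or from anyone in this thread. The element list, the `http://localhost:8080` page origin and the token value are constructed samples, and the `{tag, attr, value}` records stand in for real DOM elements.

```javascript
// Added example (not code from CSRFGuard or from anyone in this thread):
// a stand-alone version of the attribute-injection filter described in the
// thread. Page origin, token value and element list are constructed samples.

const TOKEN_NAME = "OWASP_CSRFTOKEN";          // org.owasp.csrfguard.TokenName from the thread
const PAGE_ORIGIN = "http://localhost:8080";   // assumed page origin (matches the referer-pattern)
const SAMPLE_TOKEN = "0123456789abcdef0123456789abcdef"; // constructed, not a real token

// True when the URL is absolute (has a scheme or is protocol-relative).
function isAbsoluteUrl(location) {
  return /^[a-z][a-z0-9+.-]*:/i.test(location) || location.startsWith("//");
}

// Decide whether a URL-bearing attribute should receive the token.
// Returns false for empty/unparseable URLs, non-HTTP schemes, cross-origin
// URLs (domain-strict), static .css/.js resources and the JavaScriptServlet
// itself, so IE8 is never handed a second, tokenised copy of a script or stylesheet.
function shouldInjectToken(location, pageOrigin) {
  if (typeof location !== "string" || location === "") return false;
  let url;
  try {
    url = new URL(location, pageOrigin);
  } catch (e) {
    return false; // unparseable: leave the attribute untouched
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false; // javascript:, mailto:, data:
  if (url.origin !== new URL(pageOrigin).origin) return false;              // domain-strict
  const path = url.pathname.toLowerCase();
  if (path.endsWith(".css") || path.endsWith(".js")) return false;          // static resources
  if (path.endsWith("javascriptservlet")) return false;                     // the token-serving servlet
  return true;
}

// Append the token as a query parameter, keeping any existing query string and
// fragment. Relative inputs stay relative so the document's base URL still applies.
function appendToken(location, pageOrigin, tokenName, tokenValue) {
  const url = new URL(location, pageOrigin);
  url.searchParams.set(tokenName, tokenValue);
  return isAbsoluteUrl(location) ? url.href : url.pathname + url.search + url.hash;
}

// Walk a list of {tag, attr, value} records (stand-ins for DOM elements) and
// return the attribute value each should end up with, plus whether it was injected.
function injectTokenAttributes(elements, pageOrigin, tokenName, tokenValue) {
  return elements.map((el) => {
    const inject = shouldInjectToken(el.value, pageOrigin);
    return {
      tag: el.tag,
      attr: el.attr,
      value: inject ? appendToken(el.value, pageOrigin, tokenName, tokenValue) : el.value,
      injected: inject,
    };
  });
}

// Constructed sample page: the kinds of attributes the servlet's script would touch.
const SAMPLE_ELEMENTS = [
  { tag: "a",      attr: "href",   value: "/appliance/list.do" },
  { tag: "a",      attr: "href",   value: "/appliance/view.do?id=7#top" },
  { tag: "form",   attr: "action", value: "http://localhost:8080/appliance/save.do" },
  { tag: "script", attr: "src",    value: "/appliance/app.js" },
  { tag: "link",   attr: "href",   value: "/appliance/style.css" },
  { tag: "script", attr: "src",    value: "/appliance/JavaScriptServlet" },
  { tag: "a",      attr: "href",   value: "http://other.example.com/page.do" },
  { tag: "a",      attr: "href",   value: "javascript:void(0)" },
];

function runSample() {
  return injectTokenAttributes(SAMPLE_ELEMENTS, PAGE_ORIGIN, TOKEN_NAME, SAMPLE_TOKEN);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSample()) {
    console.log(`${r.injected ? "inject" : "skip  "} <${r.tag} ${r.attr}="${r.value}">`);
  }
}
```

Run it with `node` to see which of the sample attributes get the token. The same-origin check and the scheme check do the work that CSRFGuard's `isValidUrl()` and `domain-strict` setting are meant to do; the `.css`/`.js`/`JavaScriptServlet` suffix test is the extra filter from the thread, applied to the parsed path so that a query string or fragment on the URL cannot hide the extension.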

