[Owasp-csrfguard] Issue with IE8

Eric Sheridan eric.sheridan at owasp.org
Tue Aug 6 14:40:02 UTC 2013


There are some folks helping to resolve this issue as we speak. I don't
believe the code has been committed yet but the 'HijackExplorer' code in
the JavaScript file messes things up now as IE has moved to
XMLHTTPRequest instead of the ActiveX approach.

Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com

On 8/6/13 9:19 AM, Tom Barber wrote:
> As I mentioned before I found that csrfguard does not work correctly
> with ie8 when it comes to ajax requests. 
> Thanks
> Tom
> 
> On Aug 6, 2013 9:44 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com> wrote:
> 
>     Yes it is the injection of tokens into links etc… not getting any
>     error for ajax request. I am not able to see any CSRF token in IE8.
> 
>     Thanks,
>     Unmesh Desale
>     Office: +91 20 40754 4823  Mobile: +91 9657725432
>     unmesh_desale at symantec.com
> 
>     From: Tom Barber [mailto:tom.a.barber at gmail.com]
>     Sent: Tuesday, August 06, 2013 1:57 PM
>     To: Unmesh Desale
>     Cc: owasp-csrfguard at lists.owasp.org; Rajesh Punjabi
>     Subject: Re: [Owasp-csrfguard] Issue with IE8
> 
>     Is it the injection of tokens into links etc or ajax requests that
>     is failing? I found that xmlhttprequest injection doesn't work in
>     <ie9
> 
>     On Aug 6, 2013 6:34 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com> wrote:
> 
>     Hi Rajesh,
> 
>     Tried the below solution but it is still not able to inject the
>     token. Whenever I am placing one alert message in that function then
>     I am able to see CSRF token in resulting html (IE8).
> 
>     element.setAttribute(attr, location);
>     alert('token injected:' + value);
> 
>     Below are my settings for the servlet in web.xml:
> 
>     <servlet>
>         <servlet-name>JavaScriptServlet</servlet-name>
>         <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
>         <init-param>
>             <param-name>source-file</param-name>
>             <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
>         </init-param>
>         <init-param>
>             <param-name>inject-into-forms</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <init-param>
>             <param-name>inject-into-attributes</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <init-param>
>             <param-name>domain-strict</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <init-param>
>             <param-name>referer-pattern</param-name>
>             <param-value>.*localhost:8080.*</param-value>
>         </init-param>
>     </servlet>
> 
>     Below are settings for CSRF Guard Properties:
> 
>     org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
> 
>     org.owasp.csrfguard.TokenPerPage=true
>     org.owasp.csrfguard.TokenPerPagePrecreate=false
> 
>     org.owasp.csrfguard.Ajax=true
> 
>     org.owasp.csrfguard.unprotected.Default=/appliance
>     org.owasp.csrfguard.unprotected.JavaScriptServlet=/appliance/JavaScriptServlet
>     org.owasp.csrfguard.unprotected.JavaScript=*.js
>     org.owasp.csrfguard.unprotected.css=*.css
>     org.owasp.csrfguard.unprotected.html=*.html
>     org.owasp.csrfguard.unprotected.png=*.png
>     org.owasp.csrfguard.unprotected.jpg=*.jpg
>     org.owasp.csrfguard.unprotected.ico=*.ico
>     org.owasp.csrfguard.unprotected.gif=*.gif
>     org.owasp.csrfguard.unprotected.Tag=/tag.jsp
>     org.owasp.csrfguard.unprotected.jsp=*.jsp
>     org.owasp.csrfguard.unprotected.Error=/appliance/error.html
>     org.owasp.csrfguard.unprotected.Patch=/appliance/manage.appliance.patch.details.do
>     org.owasp.csrfguard.unprotected.SecurityEdit=/appliance/settings.appreconfig.security.edit.do
>     org.owasp.csrfguard.unprotected.launchInitConfig=/appliance/launch.configure.appliance.do
> 
>     org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
>     org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
> 
>     org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
>     org.owasp.csrfguard.action.Redirect.Page=/appliance/error.html
>     org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
> 
>     org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
>     org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
>     org.owasp.csrfguard.TokenLength=32
>     org.owasp.csrfguard.PRNG=SHA1PRNG
> 
>     Thanks,
>     Unmesh Desale
> 
>     From: Rajesh Punjabi [mailto:rajesh_punjabi at hotmail.com]
>     Sent: Monday, August 05, 2013 10:44 PM
>     To: Unmesh Desale; owasp-csrfguard at lists.owasp.org
>     Subject: RE: [Owasp-csrfguard] Issue with IE8
> 
>     I got into the same issue and here is what I wrote earlier on a
>     thread.
> 
>     It seems when the JavaScriptServlet injects tokens to all the
>     elements in the DOM, it also attaches the token to <script src=''>
>     and <link href=''>.
> 
>     In IE8 the browser loads all the css files and JS files twice.  This
>     seems to screw up things.
> 
>     You could try to make the INJECT_ATTRIBUTES parameter as false.
> 
>     Alternatively, if you think this may break some functionality you
>     desire then in the injectTokenAttribute() method I added the
>     following line. (more of a hack)
> 
>     if(location != null && isValidUrl(location) &&
>        !location.toLowerCase().endsWith(".css") &&
>        !location.toLowerCase().endsWith(".js") &&
>        !location.toLowerCase().endsWith("javascriptservlet")) {
>         var uri = parseUri(location);
>         .....................
>     }
> 
>     So basically for js, css files we shouldn't need to attach the
>     CSRFTOKEN attribute.
> 
>     HTH
> 
>     Best,
>     Rajesh
> 
>     ------------------------------------------------------------------------
> 
>     From: Unmesh_Desale at symantec.com
>     To: owasp-csrfguard at lists.owasp.org
>     Date: Mon, 5 Aug 2013 05:41:03 -0700
>     Subject: [Owasp-csrfguard] Issue with IE8
> 
>     Hi All,
> 
>     I have configured OWASP CSRFGuard for my project. It is working fine
>     when I am browsing my site using Firefox Mozilla but the same site
>     doesn't work when I browse it through IE 8. This module is not
>     able to inject the CSRF token for IE8.
> 
>     Does this module work with (support) IE8 and higher versions? Is it
>     cross-browser compatible?
> 
>     Please suggest me some solution. I am in urgent need of help.
> 
>     Thanks,
>     Unmesh Desale
> 
> 
>     _______________________________________________
>     Owasp-csrfguard mailing list
>     Owasp-csrfguard at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
> 
> 
> 
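As an added example (not CSRFGuard's own code), here is a self-contained version of the filter Rajesh describes in the thread: a same-origin check plus a static-resource exclusion before a token is appended to a link-type attribute, so stylesheets and scripts keep a stable URL and are not fetched twice. It goes one step beyond his endsWith() test by splitting off the query string and fragment first, so a reference like style.css?v=2 is also skipped. The function names, STATIC_EXTS, and the http://localhost:8080 page origin (taken from the referer-pattern above) are assumptions.

```javascript
// Added example, not the CSRFGuard project's code. Assumed names:
// shouldInjectToken, appendToken, STATIC_EXTS; the origin in the test
// calls mirrors the localhost:8080 referer-pattern from the thread.
const TOKEN_NAME = "OWASP_CSRFTOKEN";        // TokenName from the properties
const STATIC_EXTS = ["css", "js", "png", "jpg", "gif", "ico"];

// True when `location` resolves to the same origin as `pageOrigin`
// (the domain-strict behaviour) and is neither a static asset nor the
// token-serving JavaScriptServlet. Relative URLs are resolved against
// pageOrigin; non-http(s) schemes (javascript:, mailto:) are rejected.
function shouldInjectToken(location, pageOrigin) {
  if (typeof location !== "string" || location.trim() === "") return false;
  let url;
  try {
    url = new URL(location, pageOrigin);
  } catch (e) {
    return false;                              // unparsable attribute value
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.origin !== new URL(pageOrigin).origin) return false; // cross-site
  // pathname excludes ?query and #fragment, so "style.css?v=2" is caught
  const path = url.pathname.toLowerCase();
  if (path.endsWith("/javascriptservlet")) return false;
  const file = path.slice(path.lastIndexOf("/") + 1);
  const dot = file.lastIndexOf(".");
  const ext = dot >= 0 ? file.slice(dot + 1) : "";
  return !STATIC_EXTS.includes(ext);
}

// Appends the token as a query parameter, keeping any existing query
// string and fragment; returns the attribute value unchanged when the
// filter says the element should be left alone.
function appendToken(location, pageOrigin, value) {
  if (!shouldInjectToken(location, pageOrigin)) return location;
  const url = new URL(location, pageOrigin);
  url.searchParams.set(TOKEN_NAME, value);
  return url.toString();
}
```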


More information about the Owasp-csrfguard mailing list