[Owasp-csrfguard] Issue with IE8

Arian armyofda12mnkeys at gmail.com
Tue Aug 6 16:58:58 UTC 2013


Do you get this same IE8 error when you use Developer Tools in IE9 to
simulate 8 via the Browser Mode/Document Mode dropdown?
I'm only asking because I've tested ajax requests on our site that way for
IE8 and never had issues...

my main configuration settings are:
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Ajax=true


Also found it more dependable to have the Owasp.CsrfGuard.js file loaded
via jquery onload (otherwise in my slow browser which is filled with 10-15
programming related tabs, the token isn't injected in time)... My updates
for that are here if anyone is interested:
https://github.com/esheri3/OWASP-CSRFGuard/issues/27

-Arian



On Tue, Aug 6, 2013 at 12:16 PM, P Manchanda <manchandap at yahoo.com> wrote:

> Good to hear that people are working to fix this issue.
>
> Else I would recommend creating a stand alone test bed that reproduces the
> problem and sharing it with the community. That would help to resolve the
> problem.
>
>
>
> ___________________
> Thks & brgds
> P Manchanda
> Mobile: +91-9811210374 (http://geocities.com/manchandap/)
>
> ------------------------------
> From: Eric Sheridan <eric.sheridan at owasp.org>
> To: owasp-csrfguard at lists.owasp.org
> Sent: Tuesday, 6 August 2013, 20:10
> Subject: Re: [Owasp-csrfguard] Issue with IE8
>
> There are some folks helping to resolve this issue as we speak. I don't
> believe the code has been committed yet but the 'HijackExplorer' code in
> the JavaScript file messes things up now as IE has moved to
> XMLHTTPRequest instead of the ActiveX approach.
>
> Sincerely,
> Eric Sheridan
> (twitter) @eric_sheridan
> (blog) http://ericsheridan.blogspot.com
>
> On 8/6/13 9:19 AM, Tom Barber wrote:
> > As I mentioned before I found that csrfguard does not work correctly
> > with ie8 when it comes to ajax requests.
> > Thanks
> > Tom
> >
> > On Aug 6, 2013 9:44 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com> wrote:
> >
> >    Yes it is the injection of tokens into links etc… not getting any
> >    error for ajax request. I am not able to see any CSRF token in
> >    IE8.
> >
> >    Thanks,
> >    Unmesh Desale
> >    Office: +91 20 40754 4823  Mobile: +91 9657725432
> >    unmesh_desale at symantec.com
> >
> >
> >    From: Tom Barber [mailto:tom.a.barber at gmail.com]
> >    Sent: Tuesday, August 06, 2013 1:57 PM
> >    To: Unmesh Desale
> >    Cc: owasp-csrfguard at lists.owasp.org; Rajesh Punjabi
> >    Subject: Re: [Owasp-csrfguard] Issue with IE8
> >
> >    Is it the injection of tokens into links etc or ajax requests that
> >    is failing? I found that xmlhttprequest injection doesn't work in
> >    <ie9
> >
> >    On Aug 6, 2013 6:34 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com> wrote:
> >
> >    Hi Rajesh,
> >
> >    Tried the below solution but it is still not able to inject the
> >    token. Whenever I am placing one alert message in that function then
> >    I am able to see the CSRF token in the resulting html (IE8).
> >
> >
> >    element.setAttribute(attr, location);
> >    alert('token injected:' + value);
> >
> >
> >    Below are my settings for the servlet in web.xml:
> >
> >    <servlet>
> >        <servlet-name>JavaScriptServlet</servlet-name>
> >        <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
> >        <init-param>
> >            <param-name>source-file</param-name>
> >            <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
> >        </init-param>
> >        <init-param>
> >            <param-name>inject-into-forms</param-name>
> >            <param-value>true</param-value>
> >        </init-param>
> >        <init-param>
> >            <param-name>inject-into-attributes</param-name>
> >            <param-value>true</param-value>
> >        </init-param>
> >        <init-param>
> >            <param-name>domain-strict</param-name>
> >            <param-value>true</param-value>
> >        </init-param>
> >        <init-param>
> >            <param-name>referer-pattern</param-name>
> >            <param-value>.*localhost:8080.*</param-value>
> >        </init-param>
> >    </servlet>
> >
> >
> >    Below are the settings for CSRF Guard Properties:
> >
> >    org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
> >
> >    org.owasp.csrfguard.TokenPerPage=true
> >    org.owasp.csrfguard.TokenPerPagePrecreate=false
> >
> >    org.owasp.csrfguard.Ajax=true
> >
> >    org.owasp.csrfguard.unprotected.Default=/appliance
> >    org.owasp.csrfguard.unprotected.JavaScriptServlet=/appliance/JavaScriptServlet
> >    org.owasp.csrfguard.unprotected.JavaScript=*.js
> >    org.owasp.csrfguard.unprotected.css=*.css
> >    org.owasp.csrfguard.unprotected.html=*.html
> >    org.owasp.csrfguard.unprotected.png=*.png
> >    org.owasp.csrfguard.unprotected.jpg=*.jpg
> >    org.owasp.csrfguard.unprotected.ico=*.ico
> >    org.owasp.csrfguard.unprotected.gif=*.gif
> >    org.owasp.csrfguard.unprotected.Tag=/tag.jsp
> >    org.owasp.csrfguard.unprotected.jsp=*.jsp
> >    org.owasp.csrfguard.unprotected.Error=/appliance/error.html
> >    org.owasp.csrfguard.unprotected.Patch=/appliance/manage.appliance.patch.details.do
> >    org.owasp.csrfguard.unprotected.SecurityEdit=/appliance/settings.appreconfig.security.edit.do
> >    org.owasp.csrfguard.unprotected.launchInitConfig=/appliance/launch.configure.appliance.do
> >
> >    org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
> >    org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
> >
> >    org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
> >    org.owasp.csrfguard.action.Redirect.Page=/appliance/error.html
> >    org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
> >
> >    org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
> >    org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
> >    org.owasp.csrfguard.TokenLength=32
> >    org.owasp.csrfguard.PRNG=SHA1PRNG
> >
> >
> >    Thanks,
> >    Unmesh Desale
> >
> >
> >    From: Rajesh Punjabi [mailto:rajesh_punjabi at hotmail.com]
> >    Sent: Monday, August 05, 2013 10:44 PM
> >    To: Unmesh Desale; owasp-csrfguard at lists.owasp.org
> >    Subject: RE: [Owasp-csrfguard] Issue with IE8
> >
> >    I got into the same issue and here is what I wrote earlier on a
> >    thread.
> >
> >
> >    It seems when the JavaScriptServlet injects tokens to all the
> >    elements in the DOM, it also attaches the token to <script src=''>
> >    and <link href=''>.
> >
> >    In IE8 the browser loads all the css files and JS files twice. This
> >    seems to screw up things.
> >
> >    You could try setting the INJECT_ATTRIBUTES parameter to false.
> >
> >    Alternatively, if you think this may break some functionality you
> >    desire, then in the injectTokenAttribute() method I added the
> >    following line (more of a hack):
> >
> >    if(location != null && isValidUrl(location) &&
> >       !location.toLowerCase().endsWith(".css") &&
> >       !location.toLowerCase().endsWith(".js") &&
> >       !location.toLowerCase().endsWith("javascriptservlet")) {
> >        var uri = parseUri(location);
> >        .....................
> >    }
> >
> >    So basically for js, css files we shouldn't need to attach the
> >    CSRFTOKEN attribute.
> >
> >    HTH
> >
> >    Best,
> >    Rajesh
> >
> >
> >
> ------------------------------------------------------------------------
> >
> >    From: Unmesh_Desale at symantec.com
> >    To: owasp-csrfguard at lists.owasp.org
> >    Date: Mon, 5 Aug 2013 05:41:03 -0700
> >    Subject: [Owasp-csrfguard] Issue with IE8
> >
> >    Hi All,
> >
> >    I have configured OWASP CSRFGuard for my project. It is working fine
> >    when I am browsing my site using Firefox Mozilla but the same site
> >    doesn't work when I browse it through IE 8. This module is not
> >    able to inject the CSRF token for IE8.
> >
> >    Does this module work with (support) IE8 and higher versions? Is it
> >    cross-browser compatible?
> >
> >    Please suggest me some solution. I am in urgent need of help.
> >
> >    Thanks,
> >    Unmesh Desale
> >
> >
> >
> >    _______________________________________________
> >    Owasp-csrfguard mailing list
> >    Owasp-csrfguard at lists.owasp.org
> >    https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>
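Added example, not CSRFGuard's own code: an ES5 version of the attribute filter Rajesh describes, so that src/href values pointing at static resources (and the JavaScriptServlet itself) are left untouched and IE8 no longer fetches them twice. It strips query strings and fragments before checking the extension, and avoids String.prototype.endsWith, which is ES2015 and not available in IE8. The function names (isStaticResource, injectTokenIntoUrl) and the extension list are assumptions of this example.

```javascript
// Added example (not CSRFGuard's own code): only append the CSRF token to
// src/href values that are not static resources. Written in ES5 so it also
// runs in IE8; String.prototype.endsWith is ES2015 and absent there.

// Assumed list of asset types that never need a token (constructed here).
var STATIC_EXTENSIONS = ['.js', '.css', '.png', '.jpg', '.gif', '.ico'];

// Drop fragment and query string so "app.js?v=3" is still seen as a .js file.
function pathOf(url) {
  return url.split('#')[0].split('?')[0];
}

// ES5 replacement for endsWith, case-insensitive.
function endsWithIgnoreCase(s, suffix) {
  s = s.toLowerCase();
  suffix = suffix.toLowerCase();
  return s.length >= suffix.length &&
    s.lastIndexOf(suffix) === s.length - suffix.length;
}

// True when the attribute value must be left untouched: empty values,
// static assets, and the token-serving JavaScriptServlet itself (kept
// unprotected in the properties quoted above).
function isStaticResource(url) {
  if (url === null || url === undefined || url === '') return true;
  var path = pathOf(url);
  for (var i = 0; i < STATIC_EXTENSIONS.length; i++) {
    if (endsWithIgnoreCase(path, STATIC_EXTENSIONS[i])) return true;
  }
  return endsWithIgnoreCase(path, 'javascriptservlet');
}

// Append tokenName=tokenValue, keeping an existing query string and fragment
// intact; static resources are returned unchanged.
function injectTokenIntoUrl(url, tokenName, tokenValue) {
  if (isStaticResource(url)) return url;
  var hashIndex = url.indexOf('#');
  var fragment = hashIndex >= 0 ? url.substring(hashIndex) : '';
  var base = hashIndex >= 0 ? url.substring(0, hashIndex) : url;
  var sep = base.indexOf('?') >= 0 ? '&' : '?';
  return base + sep + encodeURIComponent(tokenName) + '=' +
    encodeURIComponent(tokenValue) + fragment;
}
```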