[Owasp-csrfguard] Issue with IE8
Arian
armyofda12mnkeys at gmail.com
Tue Aug 6 16:58:58 UTC 2013
Do you get this same IE8 error when you use Developer Tools in IE9 to
simulate 8 via the Browser Mode/Document Mode dropdown?
Im only asking cause I've tested ajax requests on our site via that way for
IE8 and never had issues...
my main configuration settings are:
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Ajax=true
Also found it more dependable to have the Owasp.CsrfGuard.js file loaded
via jquery onload (otherwise in my slow browser which is filled with 10-15
programming related tabs, the token isn't injected in time)... My updates
for that are here if anyone interested:
https://github.com/esheri3/OWASP-CSRFGuard/issues/27
-Arian
On Tue, Aug 6, 2013 at 12:16 PM, P Manchanda <manchandap at yahoo.com> wrote:
> Good to hear that people are working to fix this issue.
>
> Else I would recommend creating a stand alone test bed that reproduces the
> problem and sharing it with the community. That would help to resolve the
> problem.
>
>
>
> ___________________
> Thks & brgds
> P Manchanda
> Mobile: +91-9811210374 <http://geocities.com/manchandap/>
>
> ------------------------------
> *From:* Eric Sheridan <eric.sheridan at owasp.org>
> *To:* owasp-csrfguard at lists.owasp.org
> *Sent:* Tuesday, 6 August 2013, 20:10
>
> *Subject:* Re: [Owasp-csrfguard] Issue with IE8
>
> There are some folks helping to resolve this issue as we speak. I don't
> believe the code has been committed yet but the 'HijackExplorer' code in
> the JavaScript file messes things up now as IE has moved to
> XMLHTTPRequest instead of the ActiveX approach.
>
> Sincerely,
> Eric Sheridan
> (twitter) @eric_sheridan
> (blog) http://ericsheridan.blogspot.com
>
> On 8/6/13 9:19 AM, Tom Barber wrote:
> > As I mentioned before I found that csrfguard does not work correctly
> > with ie8 when it comes to ajax requests.
> > Thanks
> > Tom
> >
> > On Aug 6, 2013 9:44 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com
> > <mailto:Unmesh_Desale at symantec.com>> wrote:
> >
> > Yes it is the injection of tokens into links etc… not getting any
> > error for ajax request. I am not able to see any CSRF token in
> IE8.____
> >
> > __ __
> >
> > *Thanks,____*
> >
> > *Unmesh Desale
> > **__________________________________**____*
> >
> > ____
> >
> > *Office:* +91 20 40754 4823 *Mobile: *+91 9657725432
> > <tel:%2B91%209657725432>* _
> > _unmesh_desale at symantec.com <mailto:unmesh_desale at symantec.com>*
> > *__________________________________**____*
> >
> > __ __
> >
> > __ __
> >
> > *From:*Tom Barber [mailto:tom.a.barber at gmail.com
> > <mailto:tom.a.barber at gmail.com>]
> > *Sent:* Tuesday, August 06, 2013 1:57 PM
> > *To:* Unmesh Desale
> > *Cc:* owasp-csrfguard at lists.owasp.org
> > <mailto:owasp-csrfguard at lists.owasp.org>; Rajesh Punjabi
> > *Subject:* Re: [Owasp-csrfguard] Issue with IE8____
> >
> > __ __
> >
> > Is it the injection of tokens into links etc or ajax requests that
> > is failing? I found that xmlhttprequest injection doesn't work in
> > <ie9____
> >
> > On Aug 6, 2013 6:34 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com
> > <mailto:Unmesh_Desale at symantec.com>> wrote:____
> >
> > Hi Rajesh,____
> >
> > ____
> >
> > Tried the below solution but it is still not able to inject the
> > token. Whenever I am placing one alert message in that function then
> > I am able to see CRSF token in resulting html (IE8).____
> >
> > ____
> >
> > element.setAttribute(attr, location);____
> >
> > alert('token injected:' + value);____
> >
> > ____
> >
> > Below are my settings for servelet in web.xml;____
> >
> > ____
> >
> > _<servlet>_____
> >
> > <servlet-name>JavaScriptServlet</servlet-name>____
> >
> >
> >
> <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>____
> >
> > <init-_param_>____
> >
> > <param-name>source-file</param-name>____
> >
> >
> > <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>____
> >
> > </init-_param_>____
> >
> > <init-_param_>____
> >
> > <param-name>inject-into-forms</param-name>____
> >
> > <param-value>true</param-value>____
> >
> > </init-_param_>____
> >
> > <init-_param_>____
> >
> > <param-name>inject-into-attributes</param-name>____
> >
> > <param-value>true</param-value>____
> >
> > </init-_param_>____
> >
> > <init-_param_>____
> >
> > <param-name>domain-strict</param-name>____
> >
> > <param-value>true</param-value>____
> >
> > </init-_param_>____
> >
> > <init-_param_>____
> >
> > <param-name>_referer_-pattern</param-name>____
> >
> > <param-value>.*_localhost_:8080.*</param-value>____
> >
> > </init-_param_> ____
> >
> > _</servlet>_____
> >
> > ____
> >
> > Below are settings for CSRF Guard Properties:____
> >
> > ____
> >
> > ____
> >
> > org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger____
> >
> > ____
> >
> > org.owasp.csrfguard.TokenPerPage=true____
> >
> > org.owasp.csrfguard.TokenPerPagePrecreate=false____
> >
> > ____
> >
> > org.owasp.csrfguard.Ajax=true____
> >
> > ____
> >
> > org.owasp.csrfguard.unprotected.Default=/appliance____
> >
> >
> org.owasp.csrfguard.unprotected.JavaScriptServlet=/appliance/JavaScriptServlet____
> >
> > org.owasp.csrfguard.unprotected.JavaScript=*.js____
> >
> > org.owasp.csrfguard.unprotected.css=*.css____
> >
> > org.owasp.csrfguard.unprotected.html=*.html____
> >
> > org.owasp.csrfguard.unprotected.png=*.png____
> >
> > org.owasp.csrfguard.unprotected.jpg=*.jpg____
> >
> > org.owasp.csrfguard.unprotected.ico=*.ico____
> >
> > org.owasp.csrfguard.unprotected.gif=*.gif____
> >
> > org.owasp.csrfguard.unprotected.Tag=/tag.jsp____
> >
> > org.owasp.csrfguard.unprotected.jsp=*.jsp____
> >
> > org.owasp.csrfguard.unprotected.Error=/appliance/error.html____
> >
> > org.owasp.csrfguard.unprotected.Patch=/appliance/
> manage.appliance.patch.details.do
> > <http://manage.appliance.patch.details.do>____
> >
> > org.owasp.csrfguard.unprotected.SecurityEdit=/appliance/
> settings.appreconfig.security.edit.do
> > <http://settings.appreconfig.security.edit.do>____
> >
> > org.owasp.csrfguard.unprotected.launchInitConfig=/appliance/
> launch.configure.appliance.do
> > <http://launch.configure.appliance.do>____
> >
> > ____
> >
> > org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log____
> >
> > org.owasp.csrfguard.action.Log.Message=potential cross-site request
> > forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%,
> > uri:%request_uri%, error:%exception_message%)____
> >
> > ____
> >
> >
> org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect____
> >
> > org.owasp.csrfguard.action.Redirect.Page=/appliance/error.html____
> >
> >
> org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate____
> >
> > ____
> >
> > org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN____
> >
> > ____
> >
> > org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN____
> >
> > ____
> >
> > ____
> >
> > org.owasp.csrfguard.TokenLength=32____
> >
> > ____
> >
> > org.owasp.csrfguard.PRNG=SHA1PRNG____
> >
> > ____
> >
> > *Thanks,*____
> >
> > *Unmesh Desale
> > **__________________________________*____
> >
> > ____
> >
> > *Office:* +91 20 40754 4823 *Mobile: *+91 9657725432
> > <tel:%2B91%209657725432>* _
> > _unmesh_desale at symantec.com <mailto:unmesh_desale at symantec.com>*
> > *__________________________________*____
> >
> > ____
> >
> > ____
> >
> > *From:*Rajesh Punjabi [mailto:rajesh_punjabi at hotmail.com
> > <mailto:rajesh_punjabi at hotmail.com>]
> > *Sent:* Monday, August 05, 2013 10:44 PM
> > *To:* Unmesh Desale; owasp-csrfguard at lists.owasp.org
> > <mailto:owasp-csrfguard at lists.owasp.org>
> > *Subject:* RE: [Owasp-csrfguard] Issue with IE8____
> >
> > ____
> >
> > I got into the same issue and here is what I wrote earlier on a
> > thread.____
> >
> > ____
> >
> > It seems when the JavaScriptServlet injects tokens to all the
> > elements in the DOM, it also attaches the token to <script src=''>
> > and <link href=''>.____
> >
> > In IE8 the browser loads all the css files and JS files twice. This
> > seems to screw up things.____
> >
> > You could try to make the INJECT_ATTRIBUTES parameter as false.____
> >
> > ____
> >
> > Alternatively, if you think this may break some functionality you
> > desire then in the injectTokenAttribute() method I added the
> > following line. (more of a hack)____
> >
> > if(location != null && isValidUrl(location) &&
> > !location.toLowerCase().endsWith(".css") &&
> > !location.toLowerCase().endsWith(".js") &&
> > !location.toLowerCase().endsWith("javascriptservlet")) {____
> >
> > var uri = parseUri(location);____
> >
> > .....................____
> >
> > }____
> >
> > ____
> >
> > So basically for js, css files we shouldn't need to attach the
> > CSRFTOKEN attribute.____
> >
> > ____
> >
> > HTH____
> >
> > ____
> >
> > Best,
> > Rajesh____
> >
> > ____
> >
> >
> ------------------------------------------------------------------------
> >
> > From: Unmesh_Desale at symantec.com <mailto:Unmesh_Desale at symantec.com>
> > To: owasp-csrfguard at lists.owasp.org
> > <mailto:owasp-csrfguard at lists.owasp.org>
> > Date: Mon, 5 Aug 2013 05:41:03 -0700
> > Subject: [Owasp-csrfguard] Issue with IE8____
> >
> > Hi All,____
> >
> > ____
> >
> > I have configured OWASP CSRFGuard for my project. It is working fine
> > when I am browsing my site using Firefox Mozilla but same site
> > doesn’t not work when I browse it through IE 8. This module is not
> > able to inject CSRF token for IE8.____
> >
> > ____
> >
> > Is this module works (supports) IE8 and higher versions? Is it
> > cross-browser compatible?____
> >
> > ____
> >
> > Please suggest me some solution. I am in urgent need of help.____
> >
> > ____
> >
> > ____
> >
> > *Thanks,*____
> >
> > *Unmesh Desale
> > **__________________________________*____
> >
> > ____
> >
> > *Office:* +91 20 40754 4823 *Mobile: *+91 9657725432
> > <tel:%2B91%209657725432>* _
> > _unmesh_desale at symantec.com <mailto:unmesh_desale at symantec.com>*
> > *__________________________________*____
> >
> > ____
> >
> > ____
> >
> >
> > _______________________________________________ Owasp-csrfguard
> > mailing list Owasp-csrfguard at lists.owasp.org
> > <mailto:Owasp-csrfguard at lists.owasp.org>
> > https://lists.owasp.org/mailman/listinfo/owasp-csrfguard____
> >
> >
> > _______________________________________________
> > Owasp-csrfguard mailing list
> > Owasp-csrfguard at lists.owasp.org <mailto:
> Owasp-csrfguard at lists.owasp.org>
> > https://lists.owasp.org/mailman/listinfo/owasp-csrfguard____
> >
> >
> >
> > _______________________________________________
> > Owasp-csrfguard mailing list
> > Owasp-csrfguard at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
> >
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>
>
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20130806/ad4435fb/attachment-0001.html>
More information about the Owasp-csrfguard
mailing list