[Owasp-csrfguard] Issue with IE8

Rajesh Punjabi rajesh_punjabi at hotmail.com
Tue Aug 6 18:08:48 UTC 2013


Unmesh,

Try with the attached js file.

Thanks,
Rajesh

Date: Tue, 6 Aug 2013 12:58:58 -0400
From: armyofda12mnkeys at gmail.com
To: owasp-csrfguard at lists.owasp.org
Subject: Re: [Owasp-csrfguard] Issue with IE8

Do you get this same IE8 error when you use Developer Tools in IE9 to simulate 8 via the Browser Mode/Document Mode dropdown? I'm only asking cause I've tested ajax requests on our site via that way for IE8 and never had issues...

my main configuration settings are:
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Ajax=true

Also found it more dependable to have the Owasp.CsrfGuard.js file loaded via jquery onload (otherwise in my slow browser which is filled with 10-15 programming related tabs, the token isn't injected in time)... My updates for that are here if anyone interested:
https://github.com/esheri3/OWASP-CSRFGuard/issues/27

-Arian


On Tue, Aug 6, 2013 at 12:16 PM, P Manchanda <manchandap at yahoo.com> wrote:

Good to hear that people are working to fix this issue.


Else I would recommend creating a stand alone test bed that reproduces the problem and sharing it with the community. That would help to resolve the problem.

 
___________________
Thks & brgds
P Manchanda
Mobile: +91-9811210374


    
From: Eric Sheridan <eric.sheridan at owasp.org>
To: owasp-csrfguard at lists.owasp.org
Sent: Tuesday, 6 August 2013, 20:10
Subject: Re: [Owasp-csrfguard] Issue with IE8

There are some folks helping to resolve this issue as we speak. I don't
believe the code has been committed yet but the 'HijackExplorer' code in
the JavaScript file messes things up now as IE has moved to
XMLHTTPRequest instead of the ActiveX approach.

Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com


On 8/6/13 9:19 AM, Tom Barber wrote:
> As I mentioned before I found that csrfguard does not work correctly
> with ie8 when it comes to ajax requests.
> 
> Thanks
> Tom
> 
> On Aug 6, 2013 9:44 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com> wrote:

> 
>     Yes it is the injection of tokens into links etc… not getting any
>     error for ajax request. I am not able to see any CSRF token in IE8.
> 
>     Thanks,
>     Unmesh Desale
>     Office: +91 20 40754 4823  Mobile: +91 9657725432
>     unmesh_desale at symantec.com
> 
>     From: Tom Barber [mailto:tom.a.barber at gmail.com]
>     Sent: Tuesday, August 06, 2013 1:57 PM
>     To: Unmesh Desale
>     Cc: owasp-csrfguard at lists.owasp.org; Rajesh Punjabi
>     Subject: Re: [Owasp-csrfguard] Issue with IE8
> 

> 
>     Is it the injection of tokens into links etc or ajax requests that
>     is failing? I found that xmlhttprequest injection doesn't work in
>     <ie9
> 
>     On Aug 6, 2013 6:34 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com> wrote:
> 
>     Hi Rajesh,
> 
>     Tried the below solution but it is still not able to inject the
>     token. Whenever I am placing one alert message in that function then
>     I am able to see CSRF token in resulting html (IE8).
> 
>     element.setAttribute(attr, location);
>     alert('token injected:' + value);
> 
>     Below are my settings for servlet in web.xml;
> 
> 
>     <servlet>
>         <servlet-name>JavaScriptServlet</servlet-name>
>         <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
>         <init-param>
>             <param-name>source-file</param-name>
>             <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
>         </init-param>
>         <init-param>
>             <param-name>inject-into-forms</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <init-param>
>             <param-name>inject-into-attributes</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <init-param>
>             <param-name>domain-strict</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <init-param>
>             <param-name>referer-pattern</param-name>
>             <param-value>.*localhost:8080.*</param-value>
>         </init-param>
>     </servlet>
> 

>     Below are settings for CSRF Guard Properties:
> 
>     org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
> 
>     org.owasp.csrfguard.TokenPerPage=true
>     org.owasp.csrfguard.TokenPerPagePrecreate=false
> 
>     org.owasp.csrfguard.Ajax=true
> 
>     org.owasp.csrfguard.unprotected.Default=/appliance
>     org.owasp.csrfguard.unprotected.JavaScriptServlet=/appliance/JavaScriptServlet
>     org.owasp.csrfguard.unprotected.JavaScript=*.js
>     org.owasp.csrfguard.unprotected.css=*.css
>     org.owasp.csrfguard.unprotected.html=*.html
>     org.owasp.csrfguard.unprotected.png=*.png
>     org.owasp.csrfguard.unprotected.jpg=*.jpg
>     org.owasp.csrfguard.unprotected.ico=*.ico
>     org.owasp.csrfguard.unprotected.gif=*.gif
>     org.owasp.csrfguard.unprotected.Tag=/tag.jsp
>     org.owasp.csrfguard.unprotected.jsp=*.jsp
>     org.owasp.csrfguard.unprotected.Error=/appliance/error.html
>     org.owasp.csrfguard.unprotected.Patch=/appliance/manage.appliance.patch.details.do
>     org.owasp.csrfguard.unprotected.SecurityEdit=/appliance/settings.appreconfig.security.edit.do
>     org.owasp.csrfguard.unprotected.launchInitConfig=/appliance/launch.configure.appliance.do
> 
>     org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
>     org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
> 
>     org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
>     org.owasp.csrfguard.action.Redirect.Page=/appliance/error.html
>     org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
> 
>     org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
>     org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
>     org.owasp.csrfguard.TokenLength=32
>     org.owasp.csrfguard.PRNG=SHA1PRNG
> 
> 
>     Thanks,
>     Unmesh Desale
>     Office: +91 20 40754 4823  Mobile: +91 9657725432
>     unmesh_desale at symantec.com
> 
>     From: Rajesh Punjabi [mailto:rajesh_punjabi at hotmail.com]
>     Sent: Monday, August 05, 2013 10:44 PM
>     To: Unmesh Desale; owasp-csrfguard at lists.owasp.org
>     Subject: RE: [Owasp-csrfguard] Issue with IE8
> 
> 
>     I got into the same issue and here is what I wrote earlier on a
>     thread.
> 
>     It seems when the JavaScriptServlet injects tokens to all the
>     elements in the DOM, it also attaches the token to <script src=''>
>     and <link href=''>.
> 
>     In IE8 the browser loads all the css files and JS files twice.  This
>     seems to screw up things.
> 
>     You could try to make the INJECT_ATTRIBUTES parameter as false.
> 
>     Alternatively, if you think this may break some functionality you
>     desire then in the injectTokenAttribute() method I added the
>     following line. (more of a hack)
> 
>     if(location != null && isValidUrl(location) &&
>        !location.toLowerCase().endsWith(".css") &&
>        !location.toLowerCase().endsWith(".js") &&
>        !location.toLowerCase().endsWith("javascriptservlet")) {
>         var uri = parseUri(location);
>         .....................
>     }
> 
>     So basically for js, css files we shouldn't need to attach the
>     CSRFTOKEN attribute.
> 
>     HTH
> 
>     Best,
>     Rajesh
> 
> 
>     ------------------------------------------------------------------------
> 
>     From: Unmesh_Desale at symantec.com
>     To: owasp-csrfguard at lists.owasp.org
>     Date: Mon, 5 Aug 2013 05:41:03 -0700
>     Subject: [Owasp-csrfguard] Issue with IE8

> 
>     Hi All,
> 
>     I have configured OWASP CSRFGuard for my project. It is working fine
>     when I am browsing my site using Firefox Mozilla but same site
>     doesn't work when I browse it through IE 8. This module is not
>     able to inject CSRF token for IE8.
> 
>     Does this module work with (support) IE8 and higher versions? Is it
>     cross-browser compatible?
> 
>     Please suggest me some solution. I am in urgent need of help.
> 
>     Thanks,
>     Unmesh Desale

>     Office: +91 20 40754 4823  Mobile: +91 9657725432
>     unmesh_desale at symantec.com
> 
>     _______________________________________________
>     Owasp-csrfguard mailing list
>     Owasp-csrfguard at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Owasp.CsrfGuard.js.txt
URL: <http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20130806/42b6160c/attachment-0001.txt>
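The filter Rajesh describes for injectTokenAttribute() (skip .css, .js and the JavaScriptServlet so IE8 does not fetch every stylesheet and script twice under two different URLs), written out as an added example. This is not CSRFGuard's own code and not the attached js file: isValidUrl() here is a hypothetical stand-in, the element objects are a constructed substitute for the DOM, and it goes beyond the hack in the thread by comparing the path without query string or fragment and by skipping <script> and <link> elements whatever their extension. The token name OWASP_CSRFTOKEN is the one from Unmesh's properties.

```javascript
// Added example (not the CSRFGuard project's code, not the thread's attachment):
// decide which URL attributes receive a CSRF token, in the spirit of Rajesh's
// injectTokenAttribute() condition, generalised to ignore query/fragment and to
// skip <script>/<link> elements regardless of extension.

const TOKEN_NAME = "OWASP_CSRFTOKEN"; // org.owasp.csrfguard.TokenName in the thread

// Suffixes that must never receive a token (Rajesh's three cases).
const SKIP_SUFFIXES = [".css", ".js", "javascriptservlet"];
// Elements whose URL attribute only ever loads a resource, never submits an action.
const SKIP_TAGS = ["script", "link"];

// Hypothetical stand-in for CSRFGuard's isValidUrl(): accept relative paths and
// http(s) URLs, reject javascript:, data:, mailto: and bare fragments.
function isValidUrl(location) {
  if (typeof location !== "string" || location.length === 0) return false;
  const lower = location.toLowerCase().trim();
  if (lower.startsWith("#")) return false;
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(lower);
  if (scheme) return scheme[1] === "http" || scheme[1] === "https";
  return true;
}

// Should the attribute value on this element carry the token?
function shouldInjectToken(tagName, location) {
  if (SKIP_TAGS.includes(String(tagName).toLowerCase())) return false;
  if (!isValidUrl(location)) return false;
  // Compare the path only, so "app.js?v=2" and "site.css#x" are still skipped.
  const path = location.split(/[?#]/)[0].toLowerCase();
  return !SKIP_SUFFIXES.some((suffix) => path.endsWith(suffix));
}

// Append TOKEN_NAME=token as a query parameter, keeping any fragment at the end.
function appendToken(location, token) {
  const hashIdx = location.indexOf("#");
  const base = hashIdx === -1 ? location : location.slice(0, hashIdx);
  const fragment = hashIdx === -1 ? "" : location.slice(hashIdx);
  const sep = base.indexOf("?") === -1 ? "?" : "&";
  return base + sep + TOKEN_NAME + "=" + encodeURIComponent(token) + fragment;
}

// Rewrite one element's attribute; returns true when a token was injected.
function injectTokenAttribute(element, attr, token) {
  const location = element.getAttribute(attr);
  if (!shouldInjectToken(element.tagName, location)) return false;
  element.setAttribute(attr, appendToken(location, token));
  return true;
}

// Constructed element stand-in so the example runs without a browser DOM.
function makeElement(tagName, attrs) {
  return {
    tagName,
    attrs: Object.assign({}, attrs),
    getAttribute(name) {
      return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
    },
    setAttribute(name, value) { this.attrs[name] = value; },
  };
}

// Walk a page-like list of elements the way the injector walks the DOM and
// return "tag:rewritten-url" for every attribute that received a token.
function injectIntoAll(elements, token) {
  const attrsByTag = { a: "href", form: "action", img: "src", script: "src", link: "href" };
  const touched = [];
  for (const el of elements) {
    const attr = attrsByTag[el.tagName];
    if (attr && injectTokenAttribute(el, attr, token)) {
      touched.push(el.tagName + ":" + el.getAttribute(attr));
    }
  }
  return touched;
}

// Constructed sample page built from paths that appear in the thread's configuration.
function buildSamplePage() {
  return [
    makeElement("link", { href: "/appliance/css/site.css" }),
    makeElement("script", { src: "/appliance/JavaScriptServlet" }),
    makeElement("script", { src: "/appliance/js/app.js?v=2" }),
    makeElement("a", { href: "/appliance/manage.appliance.patch.details.do?id=7#top" }),
    makeElement("form", { action: "/appliance/settings.appreconfig.security.edit.do" }),
    makeElement("a", { href: "javascript:void(0)" }),
  ];
}

console.log(injectIntoAll(buildSamplePage(), "constructed-token-value"));
```

Only the anchor and the form are rewritten; the stylesheet, both scripts and the javascript: link are left alone, which is the behaviour Rajesh's condition is after. Note that this only changes what the client injects; the org.owasp.csrfguard.unprotected.* entries in the properties file still govern what the server verifies.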

