[Owasp-csrfguard] Issue with IE8

Unmesh Desale Unmesh_Desale at symantec.com
Wed Aug 7 12:44:43 UTC 2013


Thanks Rajesh.... I tried your script.

This script is able to inject the CSRF token into the page rendered in IE8, but it is not able to send the same token in AJAX or simple POST requests.

I am not even able to log in to the site in IE 8, and the same configuration/settings (scripts) are working perfectly fine in Mozilla Firefox 22.0.

Thanks Arian.....

But in our project we are not using jQuery... :(




Thanks,
Unmesh Desale
________________________________

Office: +91 20 40754 4823  Mobile: +91 9657725432
unmesh_desale at symantec.com
________________________________


From: owasp-csrfguard-bounces at lists.owasp.org [mailto:owasp-csrfguard-bounces at lists.owasp.org] On Behalf Of Rajesh Punjabi
Sent: Tuesday, August 06, 2013 11:39 PM
To: Arian; owasp-csrfguard at lists.owasp.org
Subject: Re: [Owasp-csrfguard] Issue with IE8

Unmesh,
Try with the attached js file.
Thanks,
Rajesh
________________________________
Date: Tue, 6 Aug 2013 12:58:58 -0400
From: armyofda12mnkeys at gmail.com
To: owasp-csrfguard at lists.owasp.org
Subject: Re: [Owasp-csrfguard] Issue with IE8
Do you get this same IE8 error when you use Developer Tools in IE9 to simulate IE8 via the Browser Mode/Document Mode dropdown?
I'm only asking because I've tested AJAX requests on our site that way for IE8 and never had issues...

my main configuration settings are:
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Ajax=true


Also found it more dependable to have the Owasp.CsrfGuard.js file loaded via jQuery onload (otherwise in my slow browser, which is filled with 10-15 programming-related tabs, the token isn't injected in time)... My updates for that are here if anyone is interested:
https://github.com/esheri3/OWASP-CSRFGuard/issues/27

-Arian


On Tue, Aug 6, 2013 at 12:16 PM, P Manchanda <manchandap at yahoo.com> wrote:
Good to hear that people are working to fix this issue.

Else I would recommend creating a stand-alone test bed that reproduces the problem and sharing it with the community. That would help to resolve the problem.



___________________
Thks & brgds
P Manchanda
Mobile: +91-9811210374

________________________________
From: Eric Sheridan <eric.sheridan at owasp.org>
To: owasp-csrfguard at lists.owasp.org
Sent: Tuesday, 6 August 2013, 20:10

Subject: Re: [Owasp-csrfguard] Issue with IE8

There are some folks helping to resolve this issue as we speak. I don't
believe the code has been committed yet but the 'HijackExplorer' code in
the JavaScript file messes things up now as IE has moved to
XMLHTTPRequest instead of the ActiveX approach.

Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com

On 8/6/13 9:19 AM, Tom Barber wrote:
> As I mentioned before I found that csrfguard does not work correctly
> with ie8 when it comes to ajax requests.
> Thanks
> Tom
>
> On Aug 6, 2013 9:44 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com> wrote:
>
>    Yes, it is the injection of tokens into links etc.; I am not getting any
>    error for AJAX requests. I am not able to see any CSRF token in IE8.
>
>    Thanks,
>    Unmesh Desale
>    __________________________________
>    Office: +91 20 40754 4823  Mobile: +91 9657725432
>    unmesh_desale at symantec.com
>    __________________________________
>
>    From: Tom Barber [mailto:tom.a.barber at gmail.com]
>    Sent: Tuesday, August 06, 2013 1:57 PM
>    To: Unmesh Desale
>    Cc: owasp-csrfguard at lists.owasp.org; Rajesh Punjabi
>    Subject: Re: [Owasp-csrfguard] Issue with IE8
>
>    Is it the injection of tokens into links etc. or AJAX requests that
>    is failing? I found that XMLHttpRequest injection doesn't work in
>    IE < 9.
>
>    On Aug 6, 2013 6:34 AM, "Unmesh Desale" <Unmesh_Desale at symantec.com> wrote:
>
>    Hi Rajesh,
>
>    Tried the below solution but it is still not able to inject the
>    token. Whenever I place an alert message in that function, then
>    I am able to see the CSRF token in the resulting HTML (IE8).
>
>    element.setAttribute(attr, location);
>    alert('token injected:' + value);
>
>    Below are my settings for the servlet in web.xml:
>
>    <servlet>
>        <servlet-name>JavaScriptServlet</servlet-name>
>        <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
>        <init-param>
>            <param-name>source-file</param-name>
>            <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
>        </init-param>
>        <init-param>
>            <param-name>inject-into-forms</param-name>
>            <param-value>true</param-value>
>        </init-param>
>        <init-param>
>            <param-name>inject-into-attributes</param-name>
>            <param-value>true</param-value>
>        </init-param>
>        <init-param>
>            <param-name>domain-strict</param-name>
>            <param-value>true</param-value>
>        </init-param>
>        <init-param>
>            <param-name>referer-pattern</param-name>
>            <param-value>.*localhost:8080.*</param-value>
>        </init-param>
>    </servlet>
>
>
>    Below are settings for CSRF Guard Properties:
>
>    org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
>
>    org.owasp.csrfguard.TokenPerPage=true
>    org.owasp.csrfguard.TokenPerPagePrecreate=false
>
>    org.owasp.csrfguard.Ajax=true
>
>    org.owasp.csrfguard.unprotected.Default=/appliance
>    org.owasp.csrfguard.unprotected.JavaScriptServlet=/appliance/JavaScriptServlet
>    org.owasp.csrfguard.unprotected.JavaScript=*.js
>    org.owasp.csrfguard.unprotected.css=*.css
>    org.owasp.csrfguard.unprotected.html=*.html
>    org.owasp.csrfguard.unprotected.png=*.png
>    org.owasp.csrfguard.unprotected.jpg=*.jpg
>    org.owasp.csrfguard.unprotected.ico=*.ico
>    org.owasp.csrfguard.unprotected.gif=*.gif
>    org.owasp.csrfguard.unprotected.Tag=/tag.jsp
>    org.owasp.csrfguard.unprotected.jsp=*.jsp
>    org.owasp.csrfguard.unprotected.Error=/appliance/error.html
>    org.owasp.csrfguard.unprotected.Patch=/appliance/manage.appliance.patch.details.do
>    org.owasp.csrfguard.unprotected.SecurityEdit=/appliance/settings.appreconfig.security.edit.do
>    org.owasp.csrfguard.unprotected.launchInitConfig=/appliance/launch.configure.appliance.do
>
>    org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
>    org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
>
>    org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
>    org.owasp.csrfguard.action.Redirect.Page=/appliance/error.html
>    org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
>
>    org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
>    org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
>    org.owasp.csrfguard.TokenLength=32
>    org.owasp.csrfguard.PRNG=SHA1PRNG
>
>
>    Thanks,
>    Unmesh Desale
>    __________________________________
>    Office: +91 20 40754 4823  Mobile: +91 9657725432
>    unmesh_desale at symantec.com
>    __________________________________
>
>    From: Rajesh Punjabi [mailto:rajesh_punjabi at hotmail.com]
>    Sent: Monday, August 05, 2013 10:44 PM
>    To: Unmesh Desale; owasp-csrfguard at lists.owasp.org
>    Subject: RE: [Owasp-csrfguard] Issue with IE8
>
>
>    I got into the same issue and here is what I wrote earlier on a
>    thread.
>
>    It seems when the JavaScriptServlet injects tokens to all the
>    elements in the DOM, it also attaches the token to <script src=''>
>    and <link href=''>.
>
>    In IE8 the browser loads all the CSS files and JS files twice. This
>    seems to screw up things.
>
>    You could try to make the INJECT_ATTRIBUTES parameter false.
>
>    Alternatively, if you think this may break some functionality you
>    desire, then in the injectTokenAttribute() method I added the
>    following line (more of a hack):
>
>    if (location != null && isValidUrl(location) &&
>        !location.toLowerCase().endsWith(".css") &&
>        !location.toLowerCase().endsWith(".js") &&
>        !location.toLowerCase().endsWith("javascriptservlet")) {
>        var uri = parseUri(location);
>        .....................
>    }
>
>    So basically for JS and CSS files we shouldn't need to attach the
>    CSRFTOKEN attribute.
>
>    HTH
>
>    Best,
>    Rajesh
>
>
>    ------------------------------------------------------------------------
>
>    From: Unmesh_Desale at symantec.com
>    To: owasp-csrfguard at lists.owasp.org
>    Date: Mon, 5 Aug 2013 05:41:03 -0700
>    Subject: [Owasp-csrfguard] Issue with IE8
>
>    Hi All,
>
>    I have configured OWASP CSRFGuard for my project. It is working fine
>    when I am browsing my site using Mozilla Firefox, but the same site
>    does not work when I browse it through IE 8. This module is not
>    able to inject the CSRF token for IE8.
>
>    Does this module work with (support) IE8 and higher versions? Is it
>    cross-browser compatible?
>
>    Please suggest me some solution. I am in urgent need of help.
>
>    Thanks,
>    Unmesh Desale
>    __________________________________
>    Office: +91 20 40754 4823  Mobile: +91 9657725432
>    unmesh_desale at symantec.com
>    __________________________________
>
>    _______________________________________________
>    Owasp-csrfguard mailing list
>    Owasp-csrfguard at lists.owasp.org
>    https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>
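The two client-side points argued over in this thread, Eric's note that the XMLHttpRequest hook must cover IE8's native XHR object rather than only the ActiveX one, and Rajesh's filter that skips .css/.js files and the JavaScriptServlet when injecting token attributes, as one added example in JavaScript. This is not CSRFGuard's own code: it uses the TokenName from the configuration above, a constructed token value and a constructed FakeXhr stand-in, and new URL() (absent in IE8) takes the place of CSRFGuard's parseUri().

```javascript
// Added example, not CSRFGuard's own code. It shows the two client-side steps the
// thread argues about: wrapping XMLHttpRequest.open/send so same-origin AJAX calls
// carry the token header (IE8 has a native XHR that an ActiveX-only hook misses),
// and rewriting URL attributes while skipping .css/.js and the JavaScriptServlet.
var TOKEN_NAME = "OWASP_CSRFTOKEN";   // header/parameter name from the thread's config

// Same-origin check; new URL() stands in for CSRFGuard's own parseUri() here.
function isSameOrigin(url, origin) {
  return new URL(String(url), origin + "/").origin === origin;
}

// Static resources get no token: rewriting them made IE8 fetch them twice.
function isStaticResource(url) {
  var path = url.split(/[?#]/)[0].toLowerCase();
  return /\.(css|js)$/.test(path) || /javascriptservlet$/.test(path);
}

// Return the URL with the token as a query parameter (replacing any stale copy),
// or unchanged for empty, foreign-origin or static-resource URLs.
function injectTokenIntoUrl(url, origin, token) {
  if (!url || isStaticResource(url) || !isSameOrigin(url, origin)) return url;
  var hashIdx = url.indexOf("#");
  var hash = hashIdx >= 0 ? url.slice(hashIdx) : "";
  var base = hashIdx >= 0 ? url.slice(0, hashIdx) : url;
  var qIdx = base.indexOf("?");
  var path = qIdx >= 0 ? base.slice(0, qIdx) : base;
  var kept = [], params = qIdx >= 0 ? base.slice(qIdx + 1).split("&") : [];
  for (var i = 0; i < params.length; i++) {
    if (params[i] && params[i].split("=")[0] !== TOKEN_NAME) kept.push(params[i]);
  }
  kept.push(TOKEN_NAME + "=" + encodeURIComponent(token));
  return path + "?" + kept.join("&") + hash;
}

// Wrap open()/send() on an XHR constructor's prototype; returns an undo function.
function hijackXhr(XhrCtor, origin, token) {
  var proto = XhrCtor.prototype, origOpen = proto.open, origSend = proto.send;
  proto.open = function (m, url) { this._csrfUrl = url; return origOpen.apply(this, arguments); };
  proto.send = function () {
    // Only same-origin requests get the token, so it never leaks to other sites.
    if (isSameOrigin(this._csrfUrl || "", origin)) this.setRequestHeader(TOKEN_NAME, token);
    return origSend.apply(this, arguments);
  };
  return function restore() { proto.open = origOpen; proto.send = origSend; };
}
// Constructed stand-in for a browser XMLHttpRequest, so the block runs offline.
function FakeXhr() { this.headers = {}; this.sent = false; }
FakeXhr.prototype.open = function (m, url) { this.method = m; this.url = url; };
FakeXhr.prototype.setRequestHeader = function (n, v) { this.headers[n] = v; };
FakeXhr.prototype.send = function (body) { this.sent = true; this.body = body; };
```

In a page, hijackXhr(XMLHttpRequest, location.origin, token) does the real wrapping; FakeXhr only exists so the logic can be exercised outside a browser.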