[Owasp-csrfguard] can't get it to work

Tom Barber tom.a.barber at gmail.com
Tue Jul 16 23:26:30 UTC 2013


Hi Ray, glad that helped!


I'm no expert in CSRFGuard (only started trying it out myself recently as a
POC), but when I faced a similar issue I decided that I didn't really care
about protecting images, so what I did was use the:


# Case 2: longest path prefix match, beginning / and ending /*

So in the example you provided, that would be:


"/img/*"


This unprotects all files within the img directory. Another option would be
for:

# Case 3: extension match, beginning *.

"*.gif" for each img extension type, perhaps useful if you have images in
many different locations - though your example suggests otherwise.


As for leaving the login page unprotected, I don't think that is a problem
(again, I'm no expert though...). A CSRF attack against a login page would only
be able to potentially log a user into the application if valid parameters
are supplied in the malicious request, and valid users need to be able to
access the site via the login screen, and they won't have a token when they
first visit - though I'm not familiar with the NewTokenLandingPage, which
could be the alternative solution for all I know :)


Good luck!


Tom


From: ray at allthisisthat.com
Sent: 16 July 2013 23:30
To: Tom Barber
Cc: Clough_Ray_allthisisthat; owasp-csrfguard at lists.owasp.org
Subject: RE: [Owasp-csrfguard] can't get it to work


You rule!  It does indeed work, but now all my requests for images, CSS, etc.
all fail with missing token messages.  I tried adding the config property
org.owasp.csrfguard.Ajax=true, but this makes no difference.  I still get a
ton of messages like: Potential Cross-Site Request Forgery (CSRF) attack
thwarted (user:<anonymous>, ip:127.0.0.1, uri:/drbms/img/sort_down.gif,
error:required token is missing from the request).  What am I missing now?
Any ideas?

Also, I am now leaving the login page unprotected, which can't be a very
good idea.  Is there a better method using the NewTokenLandingPage?  I still
have that config setting, but it never goes there.  Should the
NewTokenLandingPage redirect to the login page, or what does it do?  There
isn't much discussion of this in the documentation, AFAIK.

Thanks very much for the help so far - there was some danger of me going
berserk, which is now receding into the distance.

- Ray Clough



---------------------------- Original Message ----------------------------
Subject: RE: [Owasp-csrfguard] can't get it to work
From: "Tom Barber" 
Date: Tue, July 16, 2013 2:30 pm
To: ray at allthisisthat.com
Cc: owasp-csrfguard at lists.owasp.org
--------------------------------------------------------------------------


Hi Ray,


I'm not certain this is the case, but I believe I know the problem. If you
look at the comments above the unprotected section of the properties file, the
options it gives you are:


# Case 1: exact match between request uri and unprotected page

# Case 2: longest path prefix match, beginning / and ending /*

# Case 3: extension match, beginning *.

# Default: requested resource must be validated by CSRFGuard


In your case you seem to have used a wildcard in an unsupported manner:
"/login*". Perhaps you could specify the exact URI "drbms/login.seam".


Let me know if you have any luck.


Thanks


Tom
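An added stand-in matcher (not CSRFGuard's own code) for the four cases quoted above, applied to Ray's "/login*" entry and to the "/img/*" and "*.gif" fixes from the later reply. It assumes the exact-match entry is written as the full logged URI "/drbms/login.seam", and it makes servlet-context stripping an explicit knob, because the thread does not settle whether patterns are matched against the full request URI or the path below the context.

```python
# Added illustration (not CSRFGuard's own code) of the four unprotected-URI
# matching rules quoted from the csrfguard.properties comments in this thread.
from typing import Dict, Iterable, Optional

def match_case(uri: str, pattern: str) -> Optional[str]:
    """Name the documented case under which `pattern` unprotects `uri`, or None."""
    if pattern.startswith("*."):                              # Case 3: "*.gif"
        return "extension" if uri.endswith(pattern[1:]) else None
    if pattern.startswith("/") and pattern.endswith("/*"):     # Case 2: "/img/*"
        return "prefix" if uri.startswith(pattern[:-1]) else None
    if uri == pattern:                                        # Case 1: exact
        return "exact"
    # Any other shape, such as Ray's "/login*", is not one of the documented
    # wildcard forms, so it can only ever match as a literal string.
    return None

def is_unprotected(uri: str, patterns: Iterable[str], context_path: str = "") -> bool:
    """Default case: anything no pattern matches must carry a token.

    `context_path` is an assumed knob for this demo: the thread does not settle
    whether patterns are matched against the full request URI (as logged,
    "/drbms/...") or against the path below the servlet context.
    """
    if context_path and uri.startswith(context_path + "/"):
        uri = uri[len(context_path):]
    return any(match_case(uri, p) is not None for p in patterns)

def explain(uri: str, patterns: Iterable[str]) -> Dict[str, str]:
    """Map each pattern that unprotects `uri` (full URI) to the case applied."""
    return {p: c for p in patterns if (c := match_case(uri, p)) is not None}

# Constructed sample: the URIs from the log lines in this thread plus one more.
URIS = ["/drbms/login.seam", "/drbms/img/sort_down.gif", "/drbms/app/data.seam"]
RAY_ORIGINAL = ["/login*"]
TOM_SUGGESTED = ["/drbms/login.seam", "/img/*", "*.gif"]   # assumed exact form

def demo(context_path: str = "") -> Dict[str, bool]:
    """Which sample URIs the suggested list leaves unprotected."""
    return {u: is_unprotected(u, TOM_SUGGESTED, context_path) for u in URIS}

if __name__ == "__main__":
    for uri in URIS:
        print(uri, "ray:", is_unprotected(uri, RAY_ORIGINAL),
              "tom(full uri):", is_unprotected(uri, TOM_SUGGESTED),
              "tom(context stripped):", is_unprotected(uri, TOM_SUGGESTED, "/drbms"))
```

Note that "*.gif" unprotects the image either way, while the exact entry and "/img/*" each match under only one of the two context assumptions, which is the check worth making before trusting a pattern.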


From: owasp-csrfguard-bounces at lists.owasp.org On Behalf Of ray at allthisisthat.com
Sent: 16 July 2013 21:44
To: owasp-csrfguard at lists.owasp.org
Subject: [Owasp-csrfguard] can't get it to work


I am unable to get the CsrfGuard filter to work.  Regardless of the
properties I set, the app tries to go to the login page, and I get this log
message:

[Tue Jul 16 13:08:38 PDT 2013] [Error] Potential Cross-Site Request Forgery
(CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1,
uri:/drbms/login.seam, error:required token is missing from the request)

Obviously I am doing something wrong.  Here is my configuration file:

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.UseNewTokenLandingPage=true
org.owasp.csrfguard.NewTokenLandingPage=/NewTokenLandingPage.html
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Ajax=false
org.owasp.csrfguard.unprotected.Index=/login*
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=Potential Cross-Site Request Forgery
(CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%,
error:%exception_message%)
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG

When the server starts, I see the config properties output to the console,
so I know the config file is being read correctly.

I have tried various combinations of using a NewTokenLandingPage with the
login page protected, and un-protecting the login page but not using a New
Token Landing Page.  Also, I have seen no info on what the New Token Landing
Page needs to do - if I can ever get it to appear, my guess is that it needs
to redirect to the login page.  Is that correct?  Also, all the examples use
JSP, not Facelets.  Are there any issues with this difference?  I built the
project from source using the latest code.

Any help you could offer would be greatly appreciated.


Thank you,

Ray Clough
