[Owasp-csrfguard] can't get it to work

Tom Barber tom.a.barber at gmail.com
Wed Jul 17 23:01:03 UTC 2013


Yeah, I’ve thought the same. The only reason I found out about the precise required nature of the expressions was through trying to do the same as you.

 

Glad you got it up and running ok.

 

Tom

 

From: ray at allthisisthat.com [mailto:ray at allthisisthat.com] 
Sent: 17 July 2013 22:38
To: Manish Java
Cc: Clough_Ray_allthisisthat; owasp-csrfguard at lists.owasp.org; tom.a.barber at gmail.com
Subject: RE: [Owasp-csrfguard] can't get it to work

 

Thanks very much.  I got it going now.  Too bad Expression Language tags are not allowed, and also it would be nice to allow something like /myapp/something/*.xyz or /myapp/*/*.xyz.  Then we could do /myapp/*/*.css, for example, to allow css coming from libraries, but still without specifying *.css, which allows css from anywhere.  Same is true, of course, for images and js, etc.  But we can't have everything, or at least so I've been told (and I always believe what people tell me).  Maybe there are good reasons for the strictness of the three allowed patterns which I don't yet understand.

- Ray Clough


---------------------------- Original Message ----------------------------
Subject: RE: [Owasp-csrfguard] can't get it to work
From: "Manish Java" 
Date: Tue, July 16, 2013 11:14 pm
To: ray at allthisisthat.com
Cc: owasp-csrfguard at lists.owasp.org, tom.a.barber at gmail.com
--------------------------------------------------------------------------


Hi Ray

I have found the following steps to be useful when working with CSRFGuard:

 

1. Find out the context root for the application (say, / or /myapp or /drbms in your case);

2. Decide on which resources you would like to protect;

3. Decide on which resources you do not need to protect (possibly images, CSS files, JavaScript files, plain HTML files, etc.);

4. First configure the unprotected resources in the CSRFGuard configuration file, using org.owasp.csrfguard.unprotected configuration directives.  Make sure that you prefix the URLs with the context root.  An example configuration is given below:

org.owasp.csrfguard.unprotected.CSS=/myapp/css/*
org.owasp.csrfguard.unprotected.HTML=/myapp/html/*
org.owasp.csrfguard.unprotected.Image=/myapp/image/*
org.owasp.csrfguard.unprotected.JavaScript=/myapp/script/*
org.owasp.csrfguard.unprotected.PDF=/myapp/pdf/*

5. Add configuration settings for the protected resources, as per application requirements.

 

In our application we typically do the following:

 

1. Configure the application root (/) as the new token landing page.  All this does is to ensure that any malicious attacker looking to target a specific page in any possible way is automatically redirected to the application’s home page (/).  In our applications the home page either does not present any sensitive data or automatically redirects to the login page, depending on the application.

2. We typically leave the login page unprotected as many users of our applications are likely to bookmark the login page.  In any case, the login page does not have any sensitive information so it is fine to leave it unprotected.

3. Our CSRFGuard properties file is generated on a per-environment basis through our Maven build.  This allows us to use different context roots for different environments and frees us up from having to maintain separate properties files.

 

If you have any further questions, please feel free to reply to this thread.  I will be happy to take a look at any issue you might be facing with CSRFGuard.

 

Cheers

~ Manish

 

Date: Wed, 17 Jul 2013 00:26:30 +0100
From: "Tom Barber" <tom.a.barber at gmail.com>
To: <ray at allthisisthat.com>
Cc: owasp-csrfguard at lists.owasp.org
Subject: Re: [Owasp-csrfguard] can't get it to work
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

Hi Ray, Glad that helped!

 

I'm no expert in CSRFGuard (only started trying it out myself recently as a POC), but when I faced a similar issue I decided that I didn't really care about protecting images, so what I did was use the:

 

# Case 2: longest path prefix match, beginning / and ending /*

So in the example you provided, that would be:

 

"/img/*"

 

This unprotects all files within the img directory. Another option would be for:

# Case 3: extension match, beginning *.

"*.gif" for each img extension type, perhaps useful if you have images in many different locations - though your example suggests otherwise.

 

As for leaving the login page unprotected, I don't think that is a problem (again, I'm no expert though..) a CSRF attack against a login page would only be able to potentially log a user into the application if valid parameters are supplied in the malicious request and valid users need to be able to access the site via the login screen and they won't have a token when they first visit - though I'm not familiar with the newtokenlandingpage, which could be the alternative solution for all I know :)

 

Good luck!

 

Tom

 

From: ray at allthisisthat.com [mailto:ray at allthisisthat.com]
Sent: 16 July 2013 23:30
To: Tom Barber
Cc: Clough_Ray_allthisisthat; owasp-csrfguard at lists.owasp.org
Subject: RE: [Owasp-csrfguard] can't get it to work

 

You Rule!  It does indeed work, but now all my requests for images, css, etc all fail with missing token messages.  I tried adding the config property org.owasp.csrfguard.Ajax=true, but this makes no difference.  I still get a ton of messages like: Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, uri:/drbms/img/sort_down.gif, error:required token is missing from the request).  What am I missing now?

Any ideas?

Also, I am now leaving the login page unprotected, which can't be a very good idea.  Is there a better method using the NewTokenLandingPage?  I still have that config setting, but it never goes there.  Should the NewTokenLandingPage redirect to the login page, or what does it do?  There isn't much discussion of this in the documentation, AFAIK.

Thanks very much for the help so far - there was some danger of me going berserk, which is now receding into the distance.

- Ray Clough

 

 

---------------------------- Original Message ----------------------------
Subject: RE: [Owasp-csrfguard] can't get it to work
From: "Tom Barber"
Date: Tue, July 16, 2013 2:30 pm
To: ray at allthisisthat.com, owasp-csrfguard at lists.owasp.org
--------------------------------------------------------------------------

Hi Ray,

 

I'm not certain this is the case, but I believe I know the problem. If you look at the comments above the unprotected section of the property files the options it gives you are:

 

# Case 1: exact match between request uri and unprotected page

# Case 2: longest path prefix match, beginning / and ending /*

# Case 3: extension match, beginning *.

# Default: requested resource must be validated by CSRFGuard

 

In your case you seem to have used a wildcard in an unsupported manner, "/login*". Perhaps you could specify the exact uri "drbms/login.seam".

 

Let me know if you have any luck.

 

Thanks

 

Tom

 

From: owasp-csrfguard-bounces at lists.owasp.org [mailto:owasp-csrfguard-bounces at lists.owasp.org] On Behalf Of ray at allthisisthat.com
Sent: 16 July 2013 21:44
To: owasp-csrfguard at lists.owasp.org
Subject: [Owasp-csrfguard] can't get it to work

 

I am unable to get the CsrfGuard filter to work.  Regardless of the properties I set, the app tries to go to the login page, and I get this log message:

[Tue Jul 16 13:08:38 PDT 2013] [Error] Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, uri:/drbms/login.seam, error:required token is missing from the request)

Obviously I am doing something wrong.  Here is my configuration file:

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.UseNewTokenLandingPage=true
org.owasp.csrfguard.NewTokenLandingPage=/NewTokenLandingPage.html
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Ajax=false
org.owasp.csrfguard.unprotected.Index=/login*
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG

When the server starts, I see the config properties output to the console, so I know the config file is being read correctly.

I have tried various combinations of using a NewTokenLandingPage with the login page protected, and un-protecting the login page but not using a New Token Landing Page.  Also, I have seen no info on what the New Token Landing Page needs to do - If I can ever get it to appear, my guess is that it needs to redirect to the login page.  Is that correct?  Also, all the examples use jsp, not facelets.  Are there any issues with this difference?  I built the project from source using the latest code.

Any help you could offer would be greatly appreciated.

 

Thank you,

Ray Clough

 

 

-------------- next part --------------

An HTML attachment was scrubbed...

URL: < <http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20130717/ba23fb5f/attachment-0001.html> http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20130717/ba23fb5f/attachment-0001.html>

------------------------------

Message: 2
Date: Wed, 17 Jul 2013 00:58:23 +0100
From: "Tom Barber" <tom.a.barber at gmail.com>
To: <ray at allthisisthat.com>
Cc: owasp-csrfguard at lists.owasp.org
Subject: Re: [Owasp-csrfguard] can't get it to work
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

P.S. I meant "/drbms/img/*" - I found that you usually need to include the context root.

 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20130718/a07dbd38/attachment-0001.html>
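As an added example (not code from CSRFGuard or from anyone in this thread), the following Python models the four matching rules quoted from the properties-file comment (exact match, longest "/.../*" prefix match, "*.ext" extension match, default protected) and applies them to the URIs from Ray's log lines. It also lints the unprotected entries for wildcards that fall outside the supported forms, which is what happened with "/login*" and would also happen with the "/myapp/*/*.css" form Ray wished for. The helper names, the order in which the three cases are tried and the properties snippet are assumptions of this example; it reproduces the documented rules, not the filter's own implementation.

```python
"""Model of the CSRFGuard unprotected-page matching rules quoted in this thread.

Added example, not CSRFGuard's own code.  Rules modelled, in the order the
properties-file comment lists them:
  Case 1: exact match between request URI and unprotected page
  Case 2: longest path prefix match, pattern beginning "/" and ending "/*"
  Case 3: extension match, pattern beginning "*."
  Default: the resource stays protected and must carry a token
The check order and the helper names are assumptions of this example.
"""
from typing import Dict, Iterable, List, Optional

UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."


def parse_unprotected(properties_text: str) -> Dict[str, str]:
    """Collect the org.owasp.csrfguard.unprotected.* entries from a properties
    file; keys are the suffix after the prefix (Index, CSS, Image, ...)."""
    entries: Dict[str, str] = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key.startswith(UNPROTECTED_PREFIX):
            entries[key[len(UNPROTECTED_PREFIX):]] = value.strip()
    return entries


def pattern_form(pattern: str) -> str:
    """Classify a pattern: "prefix" (Case 2), "extension" (Case 3), otherwise
    "exact" (Case 1).  A wildcard anywhere else is NOT expanded, so a value such
    as /login* is compared literally and never matches a real request URI."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    return "exact"


def lint_patterns(patterns: Iterable[str]) -> List[str]:
    """Return the patterns that contain '*' yet are treated as exact matches.
    These unprotect nothing, and the log fills with 'required token is missing'
    errors for resources the author believed were unprotected."""
    return [p for p in patterns if "*" in p and pattern_form(p) == "exact"]


def match_unprotected(request_uri: str, patterns: Iterable[str]) -> Optional[str]:
    """Return the pattern that unprotects request_uri, or None when the request
    falls through to the default and must present a valid token."""
    patterns = list(patterns)
    # Case 1: exact match (patterns with a stray wildcard land here and fail).
    for p in patterns:
        if pattern_form(p) == "exact" and p == request_uri:
            return p
    # Case 2: longest prefix match.  "/drbms/img/*" keeps its trailing slash,
    # so "/drbms/imgs/x.gif" is not covered by it.
    best: Optional[str] = None
    for p in patterns:
        if pattern_form(p) == "prefix" and request_uri.startswith(p[:-1]):
            if best is None or len(p) > len(best):
                best = p
    if best is not None:
        return best
    # Case 3: extension match; "*.gif" means "ends with .gif".
    for p in patterns:
        if pattern_form(p) == "extension" and request_uri.endswith(p[1:]):
            return p
    return None


# Constructed properties snippet: Ray's original unprotected entry together
# with context-root-prefixed entries of the kind suggested later in the thread.
SAMPLE_PROPERTIES = """
# unprotected resources for the /drbms context root
org.owasp.csrfguard.unprotected.Index=/login*
org.owasp.csrfguard.unprotected.Login=/drbms/login.seam
org.owasp.csrfguard.unprotected.Image=/drbms/img/*
org.owasp.csrfguard.unprotected.CSS=*.css
"""

# Request URIs taken from the log lines quoted in the thread.
SAMPLE_URIS = ["/drbms/login.seam", "/drbms/img/sort_down.gif"]


def explain(properties_text: str, uris: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each request URI to the entry that unprotects it (None = token required)."""
    patterns = list(parse_unprotected(properties_text).values())
    return {uri: match_unprotected(uri, patterns) for uri in uris}


if __name__ == "__main__":
    entries = parse_unprotected(SAMPLE_PROPERTIES)
    print("wildcard patterns treated as literals:", lint_patterns(entries.values()))
    for uri, hit in explain(SAMPLE_PROPERTIES, SAMPLE_URIS).items():
        print(uri, "->", ("unprotected by " + hit) if hit else "token required")
```

Running the block prints that "/login*" is treated as a literal, that /drbms/login.seam is unprotected only by the exact, context-root-prefixed entry, and that the .gif request is covered by the "/drbms/img/*" prefix; a bare "/img/*" would not cover it, which is the point of Tom's P.S. The lint function is the check worth keeping in a build step: any unprotected entry it reports is silently doing nothing.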

