[Owasp-csrfguard] can't get it to work

Ray ray at allthisisthat.com
Mon Jul 22 14:56:58 UTC 2013


Thank you, Manish.  As I noted earlier, there are certainly issues with this problem which I don't understand.  One thing we will do is to customize some of our properties during build.  Of course, some expression language capability would be great, if possible without sacrificing security.  This is also true for some relaxation of the strictness of the URL rules.

Thanks again,
Ray Clough


On Jul 21, 2013, at 8:50 PM, "Manish Java" <manish.in.java at gmail.com> wrote:

> Hi Ray
>  
> I recently ported CSRFGuard from ANT to Maven build system and had the chance to go through the source code during the migration process.  Looking through the code I got the feeling that Eric Sheridan (the project lead for CSRFGuard) wanted CSRFGuard to be a completely standalone library that did not have any dependencies on any other libraries.  I felt this because I came across some classes and code snippets that are readily available in other common libraries, such as, Apache Commons.
>  
> I think that the design decision to keep CSRFGuard as a standalone library is not a bad one.  Creating dependencies on third-party code that has not been scanned for security vulnerabilities could be risky for a security related project like CSRFGuard.
>  
> Having said that, I also take your point about the expression handlers.  I will look through the source code this week to see whether this can be changed.  If I can find an easy way to get the changes in, I will liaise with Eric to see if a version upgrade can be released.
> 
> Best regards
> ~ Manish
> 
> From: ray at allthisisthat.com [mailto:ray at allthisisthat.com] 
> Sent: 18 July 2013 03:08
> To: Manish Java
> Cc: Clough_Ray_allthisisthat; owasp-csrfguard at lists.owasp.org; tom.a.barber at gmail.com
> Subject: RE: [Owasp-csrfguard] can't get it to work
>  
> Thanks very much.  I got it going now.  Too bad Expression Language tags are not allowed, and also it would be nice to allow something like /myapp/something/*.xyz or /myapp/*/*.xyz.  Then we could do /myapp/*/*.css, for example, to allow css coming from libraries to be allowed, but still not specifying *.css, which allows css from anywhere.  Same is true, of course, for images and js, etc.  But we can't have everything, or at least so I've been told (and I always believe what people tell me).  Maybe there are good reasons for the strictness of the three allowed patterns which I don't yet understand.
> 
> - Ray Clough
> 
> 
> ---------------------------- Original Message ----------------------------
> Subject: RE: [Owasp-csrfguard] can't get it to work
> From: "Manish Java" 
> Date: Tue, July 16, 2013 11:14 pm
> To: ray at allthisisthat.com
> Cc: owasp-csrfguard at lists.owasp.org
> tom.a.barber at gmail.com
> --------------------------------------------------------------------------
> 
> Hi Ray
> 
> I have found the following steps to be useful when working with CSRFGuard:
> 
> 1. Find out the context root for the application (say, / or /myapp or /drbms in your case);
> 
> 2. Decide on which resources you would like to protect;
> 
> 3. Decide on which resources you do not need to protect (possibly images, CSS files, JavaScript files, plain HTML files, etc.);
> 
> 4. First configure the unprotected resources in the CSRFGuard configuration file, using org.owasp.csrfguard.unprotected configuration directives.  Make sure that you prefix the URLs with the context root.  An example configuration is given below:
> 
> org.owasp.csrfguard.unprotected.CSS=/myapp/css/*
> org.owasp.csrfguard.unprotected.HTML=/myapp/html/*
> org.owasp.csrfguard.unprotected.Image=/myapp/image/*
> org.owasp.csrfguard.unprotected.JavaScript=/myapp/script/*
> org.owasp.csrfguard.unprotected.PDF=/myapp/pdf/*
> 
> 5. Add configuration settings for the protected resources, as per application requirements.
> 
> 
> In our application we typically do the following:
> 
> 1. Configure the application root (/) as the new token landing page.  All this does is to ensure that any malicious attacker looking to target a specific page in any possible way is automatically redirected to the application’s home page (/).  In our applications the home page either does not present any sensitive data or automatically redirects to the login page, depending on the application.
> 
> 2. We typically leave the login page unprotected as many users of our applications are likely to bookmark the login page.  In any case, the login page does not have any sensitive information so it is fine to leave it unprotected.
> 
> 3. Our CSRFGuard properties file is generated on a per-environment basis through our Maven build.  This allows us to use different context roots for different environments and frees us up from having to maintain separate properties files.
> 
> 
> If you have any further questions, please feel free to reply to this thread.  I will be happy to take a look at any issue you might be facing with CSRFGuard.
> 
> Cheers
> ~ Manish
> 
> Date: Wed, 17 Jul 2013 00:26:30 +0100
> From: "Tom Barber" <tom.a.barber at gmail.com>
> To: <ray at allthisisthat.com>
> Cc: owasp-csrfguard at lists.owasp.org
> Subject: Re: [Owasp-csrfguard] can't get it to work
> 
> Hi Ray, Glad that helped!
> 
> I'm no expert in CSRFGuard (only started trying it out myself recently as a POC), but when I faced a similar issue I decided that I didn't really care about protecting images, so what I did was use the:
> 
> # Case 2: longest path prefix match, beginning / and ending /*
> 
> So in the example you provided, that would be:
> 
> "/img/*"
> 
> This unprotects all files within the img directory.  Another option would be for:
> 
> # Case 3: extension match, beginning *.
> 
> "*.gif" for each img extension type, perhaps useful if you have images in many different locations - though your example suggests otherwise.
> 
> As for leaving the login page unprotected, I don't think that is a problem (again, I'm no expert though..).  A CSRF attack against a login page would only be able to potentially log a user into the application if valid parameters are supplied in the malicious request, and valid users need to be able to access the site via the login screen and they won't have a token when they first visit - though I'm not familiar with the newtokenlandingpage, which could be the alternative solution for all I know :)
> 
> Good luck!
> 
> Tom
> 
> 
> From: ray at allthisisthat.com [mailto:ray at allthisisthat.com]
> Sent: 16 July 2013 23:30
> To: Tom Barber
> Cc: Clough_Ray_allthisisthat; owasp-csrfguard at lists.owasp.org
> Subject: RE: [Owasp-csrfguard] can't get it to work
> 
> 
> You Rule!  It does indeed work, but now all my requests for images, css, etc all fail with missing token messages.  I tried adding the config property org.owasp.csrfguard.Ajax=true, but this makes no difference.  I still get a ton of messages like: Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, uri:/drbms/img/sort_down.gif, error:required token is missing from the request).  What am I missing now?
> 
> Any ideas?
> 
> Also, I am now leaving the login page unprotected, which can't be a very good idea.  Is there a better method using the NewTokenLandingPage?  I still have that config setting, but it never goes there.  Should the NewTokenLandingPage redirect to the login page, or what does it do?  There isn't much discussion of this in the documentation, AFAIK.
> 
> Thanks very much for the help so far - there was some danger of me going berserk, which is now receding into the distance.
> 
> - Ray Clough
> 
>  
> 
>  
> ---------------------------- Original Message ----------------------------
> Subject: RE: [Owasp-csrfguard] can't get it to work
> From: "Tom Barber"
> Date: Tue, July 16, 2013 2:30 pm
> To: ray at allthisisthat.com, owasp-csrfguard at lists.owasp.org
> --------------------------------------------------------------------------
> 
> Hi Ray,
> 
> I'm not certain this is the case, but I believe I know the problem.  If you look at the comments above the unprotected section of the property files, the options it gives you are:
> 
> # Case 1: exact match between request uri and unprotected page
> # Case 2: longest path prefix match, beginning / and ending /*
> # Case 3: extension match, beginning *.
> # Default: requested resource must be validated by CSRFGuard
> 
> In your case you seem to have used a wildcard in an unsupported manner: "/login*".  Perhaps you could specify the exact uri "drbms/login.seam".
> 
> Let me know if you have any luck.
> 
> Thanks
> 
> Tom
> 
> 
> From: owasp-csrfguard-bounces at lists.owasp.org [mailto:owasp-csrfguard-bounces at lists.owasp.org] On Behalf Of ray at allthisisthat.com
> Sent: 16 July 2013 21:44
> To: owasp-csrfguard at lists.owasp.org
> Subject: [Owasp-csrfguard] can't get it to work
> 
> 
> I am unable to get the CsrfGuard filter to work.  Regardless of the properties I set, the app tries to go to the login page, and I get this log message:
> 
> [Tue Jul 16 13:08:38 PDT 2013] [Error] Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, uri:/drbms/login.seam, error:required token is missing from the request)
> 
> Obviously I am doing something wrong.  Here is my configuration file:
> 
> org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
> org.owasp.csrfguard.UseNewTokenLandingPage=true
> org.owasp.csrfguard.NewTokenLandingPage=/NewTokenLandingPage.html
> org.owasp.csrfguard.TokenPerPage=true
> org.owasp.csrfguard.TokenPerPagePrecreate=false
> org.owasp.csrfguard.Ajax=false
> org.owasp.csrfguard.unprotected.Index=/login*
> org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
> org.owasp.csrfguard.action.Log.Message=Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
> org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
> org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
> org.owasp.csrfguard.TokenLength=32
> org.owasp.csrfguard.PRNG=SHA1PRNG
> 
> When the server starts, I see the config properties output to the console, so I know the config file is being read correctly.
> 
> I have tried various combinations of using a NewTokenLandingPage with the login page protected, and un-protecting the login page but not using a New Token Landing Page.  Also, I have seen no info on what the New Token Landing Page needs to do - If I can ever get it to appear, my guess is that it needs to redirect to the login page.  Is that correct?  Also, all the examples use jsp, not facelets.  Are there any issues with this difference?  I built the project from source using the latest code.
> 
> Any help you could offer would be greatly appreciated.
> 
> Thank you,
> Ray Clough
> 
> 
> Message: 2
> Date: Wed, 17 Jul 2013 00:58:23 +0100
> From: "Tom Barber" <tom.a.barber at gmail.com>
> To: <ray at allthisisthat.com>
> Cc: owasp-csrfguard at lists.owasp.org
> Subject: Re: [Owasp-csrfguard] can't get it to work
> 
> P.S. I meant "/drbms/img/*" - I found that you usually need to include the context root
>  
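As an added example (not code from this thread or from the CSRFGuard project), here is a small Python model of the three unprotected-URL cases Tom quotes from the properties file comments, together with a lint for the two configuration mistakes the thread turns on: the unsupported "/login*" wildcard and path patterns that omit the context root (Tom's P.S.). The sample properties are constructed from the messages above; treating any pattern outside the three cases as never matching is an assumption made here to show the observed effect, not verified CSRFGuard behaviour, so check the real filter's semantics before relying on the details.

```python
"""Model of the three unprotected-URL rules quoted in this thread.

Constructed illustration, NOT CSRFGuard's own matcher.  It follows the
comments Tom quotes from the properties file (Case 1 exact match, Case 2
longest "/.../*" prefix match, Case 3 "*.ext" extension match).  Treating
any other pattern, such as "/login*", as never matching is an assumption
made here to show why that pattern left Ray's login page protected.
"""
from typing import Dict, List, Optional, Tuple

PREFIX = "org.owasp.csrfguard.unprotected."

# Constructed sample configs based on the thread, not the project's defaults.
RAY_CONFIG = """
org.owasp.csrfguard.unprotected.Index=/login*
"""

FIXED_CONFIG = """
org.owasp.csrfguard.unprotected.Login=/drbms/login.seam
org.owasp.csrfguard.unprotected.Image=/drbms/img/*
org.owasp.csrfguard.unprotected.Gif=*.gif
"""


def parse_unprotected(properties: str) -> Dict[str, str]:
    """Collect org.owasp.csrfguard.unprotected.<Name>=<pattern> entries."""
    rules: Dict[str, str] = {}
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(PREFIX):
            rules[key[len(PREFIX):]] = value
    return rules


def classify(pattern: str) -> str:
    """Map a pattern to the case it falls under, or 'unsupported'."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"        # Case 2
    if pattern.startswith("*."):
        return "extension"     # Case 3
    if pattern.startswith("/") and "*" not in pattern:
        return "exact"         # Case 1
    return "unsupported"       # "/login*", "drbms/login.seam" (no leading /), ...


def matching_rule(uri: str, rules: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return the (name, pattern) that unprotects uri, or None if a token is required."""
    exact = [(n, p) for n, p in rules.items() if classify(p) == "exact" and uri == p]
    if exact:
        return exact[0]
    prefixes = [(n, p) for n, p in rules.items()
                if classify(p) == "prefix" and uri.startswith(p[:-1])]
    if prefixes:
        return max(prefixes, key=lambda np: len(np[1]))  # longest prefix wins
    exts = [(n, p) for n, p in rules.items()
            if classify(p) == "extension" and uri.endswith(p[1:])]
    return exts[0] if exts else None


def token_required(uri: str, rules: Dict[str, str]) -> bool:
    """Default case: anything no rule unprotects must carry a CSRF token."""
    return matching_rule(uri, rules) is None


def lint(rules: Dict[str, str], context_root: str) -> List[str]:
    """Flag the two mistakes seen in the thread: unsupported wildcards and
    path patterns that forget the context root."""
    problems: List[str] = []
    for name, pattern in rules.items():
        kind = classify(pattern)
        if kind == "unsupported":
            problems.append(f"{name}={pattern}: not one of the three supported forms")
        elif kind in ("exact", "prefix") and not pattern.startswith(context_root + "/"):
            problems.append(f"{name}={pattern}: does not start with context root {context_root}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("original", RAY_CONFIG), ("fixed", FIXED_CONFIG)):
        rules = parse_unprotected(cfg)
        print(f"[{label}] lint: {lint(rules, '/drbms') or 'ok'}")
        for uri in ("/drbms/login.seam", "/drbms/img/sort_down.gif", "/drbms/report.seam"):
            state = "token required" if token_required(uri, rules) else "unprotected"
            print(f"  {uri}: {state}")
```

Running the script shows the original config leaving /drbms/login.seam and the image behind the token check (the exact symptom in Ray's log lines), while the fixed config unprotects only the login page and the image directory and still requires a token for an application page such as /drbms/report.seam.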