[Owasp-csrfguard] Owasp-csrfguard Digest, Vol 35, Issue 11

Manish Java manish.in.java at gmail.com
Wed Jul 24 12:44:43 UTC 2013


This seems symptomatic of the error page being a protected resource as
well, which will cause CSRFGuard to go into an infinite loop.

I have created a Seam version of the CSRFGuard test application.  You can
try it out from https://github.com/manish-in-java/OWASP-CSRFGuard.  If you
have Java 6.0+ and Maven 3.0.4+ on your machine, you can simply download
the Seam sample project and run it as mvn clean package tomcat7:run.

I did not find any loops in the sample application.  You may want to
compare the configuration file in the sample application with yours to see
if you can spot any quick differences.


On Wed, Jul 24, 2013 at 5:30 PM, <owasp-csrfguard-request at lists.owasp.org>wrote:

> Today's Topics:
>
>    1. Re: CSRFGuard problem (ray at allthisisthat.com)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 23 Jul 2013 16:43:58 -0700
> From: ray at allthisisthat.com
> To: "Barber, Thomas X" <thomas.x.barber at jpmorgan.com>
> Cc: "owasp-csrfguard at lists.owasp.org"
>         <owasp-csrfguard at lists.owasp.org>
> Subject: Re: [Owasp-csrfguard] CSRFGuard problem
> Message-ID:
>         <b63f2a3abd51952673bb3104de65303e.squirrel at mail.allthisisthat.com>
> Content-Type: text/plain; charset="utf-8"
>
>
> Thanks, Tom. The only solution I could get to work was to make the page a
> static html page instead of a jsf facelet. There was just a lot of
> conflict between the CSRFGuard redirect mechanism and the JSF (Seam)
> redirect mechanism. I also had to specify the error page as not
> CSRFGuard protected (as you suggested), and had to specify it as
> "/myapp/CSRFError.html", which puts the context root into the configuration
> file, which is undesirable, of course. Eventually, this will be replaced
> with a token for replacement during the build process.
>
> Thanks for your help,
> Ray Clough
>
>
> ---------------------------- Original Message ----------------------------
> Subject: RE: [Owasp-csrfguard] CSRFGuard problem
> From: "Barber, Thomas X"
> Date: Tue, July 23, 2013 1:29 am
> To: "ray at allthisisthat.com"
>     "owasp-csrfguard at lists.owasp.org"
> --------------------------------------------------------------------------
>
>
> I'm not very familiar with the issue you are facing, but is it possible
> that on an exception the seam error handling tries to redirect to a page
> that isn't defined as being "unprotected" which would cause CSRFGuard
> verification to fail constantly in a loop? If you are redirecting to a
> page in seam can you try defining it as being unprotected?
>
> Thanks
> Tom
>
> Tom Barber | Application Developer
> GFS - Technology | Corporate & Investment Bank (CIB) | J.P. Morgan,
> Chaseside - Hampshire Building, Floor 2, Bournemouth BH7 7DA, United Kingdom
> | T:+44 (0)1202 320097 | thomas.X.barber at jpmorgan.com
>
> From: owasp-csrfguard-bounces at lists.owasp.org
> [mailto:owasp-csrfguard-bounces at lists.owasp.org] On Behalf Of ray at allthisisthat.com
> Sent: 23 July 2013 00:52
> To: owasp-csrfguard at lists.owasp.org
> Subject: [Owasp-csrfguard] CSRFGuard problem
>
> I have added CSRFGuard to an existing project which is based on JSF using
> Seam 2.2. My initial testing was very positive, until I started testing
> use cases which generated exceptions. What I am finding is that Seam (or
> JSF) error handling is being interfered with by CSRFGuard. As a result, I
> can get into a situation where the app is frozen, and you can't even call
> up the app from a new tab with the login url. I have to restart the server
> in order to get any pages to work. The only thing I have found which allows
> me to proceed is to invalidate the session when any potential CSRF attack
> is detected, by using the configuration option:
>
> org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
>
> Of course, this is extremely unfriendly, as the user is suddenly returned
> to the login page with no warning or message about why.
>
> I tried to configure an error page to redirect to by using:
>
> org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
> org.owasp.csrfguard.action.Redirect.Page=/CSRFError.html
>
> but even this doesn't work as the conflict between Seam and CSRFGuard
> prevents the redirect from being processed. Basically, Seam is stuck in
> error mode, and there is nothing I have been able to do about it.
>
> Does anyone have any suggestions? Has anyone else had a similar problem?
> I'm sure that there could equally well be conflicts with other frameworks
> besides JSF with Seam. I am about to remove CSRFGuard and use Seam's
> s:token tag to protect the POST requests - which, of course, leaves GET
> unprotected. I'd really rather not get into that, if there is some clever
> configuration I could use which would enable me to continue to use CSRFGuard.
>
> Thanks in advance,
> Ray Clough
>
>
>
> ------------------------------
>
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>
>
> End of Owasp-csrfguard Digest, Vol 35, Issue 11
> ***********************************************
>
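As an added example, not taken from this thread, from the CSRFGuard project's own sample configuration, or from the Seam sample project linked above, the following Owasp.CsrfGuard.properties fragment puts the two configurations discussed side by side: the one Ray reports as looping (Redirect action pointing at an error page that is still a protected resource) and the one Tom and Manish suggest, where the redirect target is listed as unprotected. The context root /myapp, the page /CSRFError.html and the label "Error" on the unprotected entry are assumptions for illustration; the property keys are the CSRFGuard 3.x ones Ray quotes, with the context root included in the page path as he describes.

```properties
# Added example, not from the thread or the CSRFGuard project.
# Assumes CSRFGuard 3.x, an application deployed under the context root
# /myapp, and an error page served at /myapp/CSRFError.html.

org.owasp.csrfguard.Enabled=true

# --- Looping configuration (the situation described in the thread) ---
# On a failed token check the Redirect action sends the browser to the
# error page, but that page is not listed as unprotected, so the redirected
# GET is itself checked for a token, fails, and is redirected again.
#
# org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
# org.owasp.csrfguard.action.Redirect.Page=/myapp/CSRFError.html

# --- Corrected configuration ---
# Log the event, then redirect. The redirect target is declared unprotected
# so the chain terminates after one hop. "Error" after "unprotected." is an
# arbitrary label (assumption); CSRFGuard keys unprotected pages by suffix.
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/myapp/CSRFError.html
org.owasp.csrfguard.unprotected.Error=/myapp/CSRFError.html

# Session invalidation, the workaround Ray fell back to. It stops the loop
# but drops the user at the login page with no explanation, so leave it
# disabled once the redirect works (or enable it deliberately if every
# detection should tear the session down).
# org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
```

The same check applies to any page Seam's own exception handling redirects to (Seam 2.2 configures these in pages.xml): each such redirect is a fresh GET that CSRFGuard validates unless its path is in the unprotected list, which is the loop Tom describes. Serving the error page as static HTML, as Ray ended up doing, also keeps the JSF/Seam lifecycle out of the error path entirely.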

