[Owasp-csrfguard] Where is the SVN repository for Alpha version OWASP CSRFGuard 3.0.0.503 (ALPHA)

Cheung, Ming MCheung at tmrs.com
Thu Mar 21 21:01:43 UTC 2013


The previous change runs with CsrfGuardHttpSessionListener. However, I don't think CsrfGuard is enabled, because I could not see any OWASP_CSRFTOKEN key-value pair shown in the URL.


After I switched to CsrfGuardServletContextListener, CsrfGuard was broken again. In order to make it run, I made a similar change to the JavaScriptServlet.writeJavaScript(HttpServletRequest, HttpServletResponse) method. The trick was to inject the token with the following 3 lines.

	csrfGuard.updateTokens(request);
	tokenValue = (String) session.getAttribute(csrfGuard.getSessionKey());
	code = code.replaceAll(TOKEN_VALUE_IDENTIFIER, tokenValue);

Here is my modified version of JavaScriptServlet.writeJavaScript():


	private void writeJavaScript(HttpServletRequest request, HttpServletResponse response) throws IOException {
		HttpSession session = request.getSession(true);
		CsrfGuard csrfGuard = CsrfGuard.getInstance();

		/** cannot cache if rotate or token-per-page is enabled **/
		if (csrfGuard.isRotateEnabled() || csrfGuard.isTokenPerPageEnabled()) {
			response.setHeader("Cache-Control", "no-cache, no-store");
			response.setHeader("Pragma", "no-cache");
			response.setHeader("Expires", "0");
		} else {
			response.setHeader("Cache-Control", cacheControl);
		}

		response.setContentType("text/javascript");

		/** build dynamic javascript **/
		String code = templateCode;

		code = code.replaceAll(TOKEN_NAME_IDENTIFIER, csrfGuard.getTokenName());

		/// mcheung
		///////////////////////////////////////////////////////////////////////
		/// Look up the session token here and create it if it is not present yet,
		/// so the placeholder is never replaced with a null value.
		Enumeration en = session.getAttributeNames();
		String tokenValue = null;
		/// avoid the NULL pointer exception error
		if (en.hasMoreElements()) {
			boolean found = false;
			String sKey = csrfGuard.getSessionKey();
			/// debug scan of the attribute names; compare with equals(), since
			/// matches() would treat the attribute name as a regular expression
			while (en.hasMoreElements() && !found) {
				String theElement = (String) en.nextElement();
				System.out.println("theElement = " + theElement);
				if (sKey.equals(theElement)) {
					found = true;
				}
			}
			tokenValue = (String) session.getAttribute(csrfGuard.getSessionKey());
			if (tokenValue != null) {
				code = code.replaceAll(TOKEN_VALUE_IDENTIFIER, tokenValue);
			} else {
				/// generate the token value and replace the placeholder here
				csrfGuard.updateTokens(request);
				tokenValue = (String) session.getAttribute(csrfGuard.getSessionKey());
				code = code.replaceAll(TOKEN_VALUE_IDENTIFIER, tokenValue);
			}
		}

		/// original line:
		/// code = code.replaceAll(TOKEN_VALUE_IDENTIFIER, (String) session.getAttribute(csrfGuard.getSessionKey()));
		///////////////////////////////////////////////////////////////////////

		code = code.replaceAll(INJECT_INTO_FORMS_IDENTIFIER, injectIntoForms);
		code = code.replaceAll(INJECT_INTO_ATTRIBUTES_IDENTIFIER, injectIntoAttributes);
		code = code.replaceAll(INJECT_INTO_XHR_IDENTIFIER, String.valueOf(csrfGuard.isAjaxEnabled()));
		code = code.replaceAll(TOKENS_PER_PAGE_IDENTIFIER, String.valueOf(csrfGuard.isTokenPerPageEnabled()));
		code = code.replaceAll(DOMAIN_ORIGIN_IDENTIFIER, parseDomain(request.getRequestURL()));
		code = code.replaceAll(DOMAIN_STRICT_IDENTIFIER, domainStrict);
		code = code.replaceAll(CONTEXT_PATH_IDENTIFIER, request.getContextPath());
		code = code.replaceAll(SERVLET_PATH_IDENTIFIER, request.getContextPath() + request.getServletPath());
		code = code.replaceAll(X_REQUESTED_WITH_IDENTIFIER, xRequestedWith);

		/** write dynamic javascript **/
		OutputStream output = null;
		PrintWriter writer = null;

		try {
			output = response.getOutputStream();
			writer = new PrintWriter(output);

			writer.write(code);
			writer.flush();
		} finally {
			Writers.close(writer);
			Streams.close(output);
		}
	}

Could someone please investigate and advise what the best approach is to address this issue (null pointer on the session object and blank value of the OWASP_CSRFTOKEN object)?



Thanks,
Ming
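A defender-side illustration of the two steps this thread keeps tripping over: creating the session token lazily when the JavaScript servlet first needs it, and splicing it into the template safely. This is an added example, not CSRFGuard's own code; the session key name, the %TOKEN_VALUE% placeholder and the Map standing in for the HttpSession attribute store are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.regex.Matcher;

// Added illustration, not CSRFGuard code. A Map stands in for the HttpSession
// attribute store (assumption); with the servlet API use get/setAttribute instead.
public class LazyCsrfToken {
    static final String SESSION_KEY = "OWASP_CSRFTOKEN";          // assumed key name
    static final String TOKEN_VALUE_IDENTIFIER = "%TOKEN_VALUE%"; // assumed placeholder
    private static final SecureRandom PRNG = new SecureRandom();

    // Return the session's token, creating it on first use so the JavaScript
    // servlet never depends on a sessionCreated listener having run first.
    static String getOrCreateToken(Map<String, Object> session, int tokenBytes) {
        synchronized (session) {          // two parallel first requests still share one token
            Object existing = session.get(SESSION_KEY);
            if (existing instanceof String && !((String) existing).isEmpty()) {
                return (String) existing;
            }
            byte[] raw = new byte[tokenBytes];
            PRNG.nextBytes(raw);          // CSPRNG, not java.util.Random
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(SESSION_KEY, token);
            return token;
        }
    }

    // Splice the token into the JS template; quoteReplacement() stops a '$' or
    // '\' in the value from being read as a back-reference by replaceAll().
    static String inject(String template, String token) {
        return template.replaceAll(TOKEN_VALUE_IDENTIFIER, Matcher.quoteReplacement(token));
    }

    // Verify a submitted token in constant time; a missing token is a failure.
    static boolean isValid(Map<String, Object> session, String submitted) {
        Object expected = session.get(SESSION_KEY);
        if (!(expected instanceof String) || submitted == null) return false;
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();   // constructed empty first-request session
        String token = getOrCreateToken(session, 32);
        System.out.println(token.equals(getOrCreateToken(session, 32)) + " " + isValid(session, token));
        System.out.println(inject("var tokenValue = '" + TOKEN_VALUE_IDENTIFIER + "';", token));
    }
}
```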


-----Original Message-----
From: Cheung, Ming 
Sent: Wednesday, March 20, 2013 4:03 PM
To: Cheung, Ming; Eric Sheridan; owasp-csrfguard at lists.owasp.org
Subject: RE: [Owasp-csrfguard] Where is the SVN repository for Alpha version OWASP CSRFGuard 3.0.0.503 (ALPHA)

Sorry, I copied and pasted the wrong version in the previous email. This is the right one I am using.



	public void updateToken(HttpSession session) {
		/// mcheung
		/// check to make sure the session is present; session could be NULL or non existent at the very first request.
		///
		Enumeration en = session.getAttributeNames();
		String tokenValue = null;

		if (en.hasMoreElements()) {
			boolean found = false;
			String sKey = getSessionKey();
			/// debug scan of the attribute names; compare with equals(), since
			/// matches() would treat the attribute name as a regular expression
			while (en.hasMoreElements() && !found) {
				String theElement = (String) en.nextElement();
				System.out.println("theElement = " + theElement);
				if (sKey.equals(theElement)) {
					found = true;
				}
			}
			tokenValue = (String) session.getAttribute(getSessionKey());

			/** Generate a new token and store it in the session. **/
			if (tokenValue == null) {
				try {
					tokenValue = RandomGenerator.generateRandomId(getPrng(), getTokenLength());
				} catch (Exception e) {
					throw new RuntimeException(String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
				}

				session.setAttribute(getSessionKey(), tokenValue);
			}
		}
	}

Thanks,
Ming


-----Original Message-----
From: Cheung, Ming
Sent: Wednesday, March 20, 2013 1:09 PM
To: Cheung, Ming; Eric Sheridan; owasp-csrfguard at lists.owasp.org
Subject: RE: [Owasp-csrfguard] Where is the SVN repository for Alpha version OWASP CSRFGuard 3.0.0.503 (ALPHA)

I learned the NullPointerException was due to the initial request to the server. As we know, since it was the very first request, there was no session established yet. Therefore, the session was null. As a result, the NullPointerException was thrown.

To work around this NPE issue, I modified the org.owasp.csrfguard.CsrfGuard.updateToken method as follows, and it seems to work fine. Should updateToken consider the null pointer issue if the session is not present? Or might I be missing something that I am not aware of?


	public void updateToken(HttpSession session) {
		/// mcheung
		/// check to make sure the session is present; session could be NULL or non existent at the very first request.
		///
		Enumeration en = session.getAttributeNames();
		String tokenValue = null;

		if (en.hasMoreElements()) {
			boolean found = false;
			String sKey = getSessionKey();
			/// debug scan of the attribute names; compare with equals(), since
			/// matches() would treat the attribute name as a regular expression
			while (en.hasMoreElements() && !found) {
				String theElement = (String) en.nextElement();
				System.out.println("theElement = " + theElement);
				if (sKey.equals(theElement)) {
					found = true;
				}
			}
			tokenValue = (String) session.getAttribute(getSessionKey());
		} else {

			/** Generate a new token and store it in the session. **/
			if (tokenValue == null) {
				try {
					tokenValue = RandomGenerator.generateRandomId(getPrng(), getTokenLength());
				} catch (Exception e) {
					throw new RuntimeException(String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
				}

				session.setAttribute(getSessionKey(), tokenValue);
			}
		}
	}

Thanks,
Ming

-----Original Message-----
From: Cheung, Ming [mailto:MCheung at tmrs.com]
Sent: Tuesday, March 05, 2013 1:59 PM
To: Eric Sheridan; owasp-csrfguard at lists.owasp.org
Subject: Re: [Owasp-csrfguard] Where is the SVN repository for Alpha version OWASP CSRFGuard 3.0.0.503 (ALPHA)

Regardless of which listener I tried, I always got java.lang.NullPointerException with the following CsrfGuard code. Could someone please advise?


Here is the call stack:

[3/5/13 13:53:56:747 CST] 00000015 servlet       E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: Uncaught exception created in one of the service methods of the servlet Logon in application CityPortal. Exception created : java.lang.NullPointerException
	at com.ibm.ws.session.SessionData.getSessionValue(SessionData.java:300)
	at com.ibm.ws.session.SessionData.getAttribute(SessionData.java:162)
	at org.owasp.csrfguard.CsrfGuard.updateToken(CsrfGuard.java:395)
	at org.owasp.csrfguard.CsrfGuardHttpSessionListener.sessionCreated(CsrfGuardHttpSessionListener.java:13)
	at com.ibm.ws.session.http.HttpSessionObserver.sessionCreated(HttpSessionObserver.java:111)
	at com.ibm.ws.session.SessionEventDispatcher.sessionCreated(SessionEventDispatcher.java:98)
	at com.ibm.ws.session.SessionManager.createISession(SessionManager.java:268)
	at com.ibm.ws.session.SessionManager.createSession(SessionManager.java:635)
	at com.ibm.ws.session.SessionContext.getIHttpSession(SessionContext.java:473)
	at com.ibm.ws.session.SessionContext.getIHttpSession(SessionContext.java:408)
	at com.ibm.ws.webcontainer.srt.SRTRequestContext.getSession(SRTRequestContext.java:89)
	at com.ibm.ws.webcontainer.srt.SRTServletRequest.getSession(SRTServletRequest.java:1909)
	at com.ibm.ws.webcontainer.srt.SRTServletRequest.getSession(SRTServletRequest.java:1894)
	at org.tmrs.common.controller.BaseServlet.getUserSession(BaseServlet.java:675)
	at org.tmrs.common.controller.BaseServlet.getNewPageBean(BaseServlet.java:253)
	at org.tmrs.common.controller.BaseServlet.getNewCachedPageBean(BaseServlet.java:268)
	at org.tmrs.cityportal.user.controller.Logon.getNewCachedPageBean(Logon.java:46)
	at org.tmrs.common.controller.BaseServlet.doDefault(BaseServlet.java:288)
	at org.tmrs.common.controller.BaseServlet.doPost(BaseServlet.java:163)
	at org.tmrs.common.controller.BaseServlet.doGet(BaseServlet.java:143)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:718)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
	...


Thanks,
Ming


-----Original Message-----
From: Eric Sheridan [mailto:eric.sheridan at owasp.org]
Sent: Tuesday, March 05, 2013 12:17 PM
To: owasp-csrfguard at lists.owasp.org
Subject: Re: [Owasp-csrfguard] Where is the SVN repository for Alpha version OWASP CSRFGuard 3.0.0.503 (ALPHA)

This is a fairly common problem. Does anyone want to take a crack at directly editing the Wiki article summarizing what they've done to get up and running?

Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com

On 3/5/13 12:49 PM, Cheung, Ming wrote:
> First of all, thanks Patrick for providing the download link.
> 
> I just learned the download link is NOT for the Alpha version OWASP CSRFGuard 3.0.0.503 (ALPHA); it is for the trunk.
> 
> Does anyone have instructions on how to use the latest CSRFGuard from the trunk? The CSRFGuard 3.0.0.503 (ALPHA) instructions, https://www.owasp.org/index.php/CSRFGuard_3_Installation, are already out of date.
> 
> 
> 1. Which listener should be used? CsrfGuardHttpSessionListener or CsrfGuardServletContextListener?
> 
> 2. What is the difference?
> 
> 3. Which Guard class should be added to the Web.xml? CsrfGuardFilter? Or CsrfGuard?
> 
> 4. Compared to the latest code from trunk, CSRFGuard 3.0.0.503 (ALPHA) works better. CSRFGuard 3.0.0.503 (ALPHA) only failed on one single page with "Required token is missing from the request"; therefore, does anyone have the link for CSRFGuard 3.0.0.503 (ALPHA)?
> 
> 
> Thanks,
> Ming
> 
> 
> 
> -----Original Message-----
> From: Patrick Radtke [mailto:pradtke at stanford.edu]
> Sent: Thursday, February 28, 2013 4:08 PM
> To: Cheung, Ming
> Cc: owasp-csrfguard at lists.owasp.org
> Subject: Re: [Owasp-csrfguard] Where is the SVN repository for Alpha version OWASP CSRFGuard 3.0.0.503 (ALPHA)
> 
> https://github.com/esheri3/OWASP-CSRFGuard
> 
> 
> On 2/28/13 1:25 PM, Cheung, Ming wrote:
>> RA layer request failed
>>
>> svn: Server sent unexpected return value (405 Method Not Allowed) in response to OPTIONS request for 'http://owaspcsrfguard.googlecode.com'
>>
>> Thanks,
>>
>> Ming
>>
>> *From:*Cheung, Ming [mailto:MCheung at tmrs.com]
>> *Sent:* Thursday, February 28, 2013 3:08 PM
>> *To:* owasp-csrfguard at lists.owasp.org
>> *Subject:* [Owasp-csrfguard] Where is the SVN repository for Alpha version OWASP CSRFGuard 3.0.0.503 (ALPHA)
>>
>> Hi There,
>>
>> The CSRFGuard failed on certain pages of my application. Could someone please point me to the SVN repository for downloading the Java source?
>>
>> Thanks,
>>
>> Ming
>>
>> _______________________________________________
>> Owasp-csrfguard mailing list
>> Owasp-csrfguard at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>>