[Owasp-csrfguard] Where is the SVN repository for Alpha version OWASP CSRFGuard 3.0.0.503 (ALPHA)

Cheung, Ming MCheung at tmrs.com
Mon May 6 16:07:44 UTC 2013


How can I redirect an HTTP call from a protected servlet to another protected servlet? Currently, CSRFGuard 3.0.0.503 always treats this redirection as invalid and sends me to an error page.


I have the following setup in the web.xml.


	<filter-mapping>
		<filter-name>CSRFGuard</filter-name> 
		<url-pattern>/CreateUsers</url-pattern>
		<url-pattern>/EditUsers</url-pattern>
		<url-pattern>/DeleteUser</url-pattern>
	</filter-mapping>


My application creates a user first with the /CreateUsers servlet; once it completes, the /CreateUsers servlet redirects to the /EditUsers servlet for modification of the newly created user. However, CSRFGuard always complains about this and redirects the call to an error page instead.


Does CSRFGuard 3.0.0.503 support a property similar to the following one from CSRFGuard 2.2? I think this is a very useful property when a protected resource is used in the middle of an HTTP redirection.


# Parameterless Token Validation
#
# Define whether or not the token validation should occur
# on pages that do not have HTTP parameters (except for the token itself).
#
# If false, only validate when there is at least one parameter
# If true, validate regardless of the number of parameters
#
# Ex: /CSRFGuardTestAppVulnerable/index.jsp has no parameters. No need to validate. Clicking refresh will cause issues.
# Ex: /AddCart/32 has no parameters. Visiting the URL will add item '32' to cart. We must validate token
org.owasp.csrfguard.ParameterlessValidation=false




Thanks,
Ming
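
As an added illustration that is not CSRFGuard's own code and does not use the CSRFGuard API, the following minimal javax.servlet filter implements the rule the 2.2 property quoted above describes (validate the token only when the request carries at least one parameter other than the token itself, unless parameterless validation is switched on), plus a helper for the /CreateUsers -> /EditUsers hop that carries the token in the redirect Location so the redirected request validates either way. The class name TokenFilter, the parameter name OWASP_CSRFTOKEN, the init-param parameterlessValidation, the session attribute key and the user id "42" are all assumptions made for the example; it targets Java 10+ (for URLEncoder.encode(String, Charset)).

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

// Illustrative filter with assumed names; not CSRFGuard's implementation.
public class TokenFilter implements Filter {
    static final String TOKEN_PARAM = "OWASP_CSRFTOKEN"; // assumed request parameter name
    static final String SESSION_KEY = "csrf.token";      // assumed session attribute key

    // Mirrors the 2.2 ParameterlessValidation switch: false = skip requests that
    // carry no parameters other than the token, true = validate every request.
    private boolean parameterlessValidation;

    @Override
    public void init(FilterConfig cfg) {
        parameterlessValidation =
            Boolean.parseBoolean(cfg.getInitParameter("parameterlessValidation"));
    }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // One token per session; issue it lazily on first contact.
        HttpSession session = request.getSession(true);
        String expected = (String) session.getAttribute(SESSION_KEY);
        if (expected == null) {
            expected = newToken();
            session.setAttribute(SESSION_KEY, expected);
        }

        if (mustValidate(request.getParameterMap(), parameterlessValidation)
                && !constantTimeEquals(expected, request.getParameter(TOKEN_PARAM))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
            return;
        }
        chain.doFilter(req, res);
    }

    // The decision rule itself, kept free of servlet types so it can be unit-tested.
    static boolean mustValidate(Map<String, String[]> params, boolean parameterless) {
        if (parameterless) {
            return true;
        }
        for (String name : params.keySet()) {
            if (!TOKEN_PARAM.equals(name)) {
                return true; // at least one real parameter: validate
            }
        }
        return false; // nothing but the token (or nothing at all): skip, as the 2.2 comment says
    }

    static String newToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    // Builds the Location for a redirect between two protected resources, carrying
    // the session token so the redirected GET passes the filter regardless of the switch.
    static String redirectWithToken(String target, String token) {
        String sep = target.contains("?") ? "&" : "?";
        return target + sep + TOKEN_PARAM + "=" + URLEncoder.encode(token, StandardCharsets.UTF_8);
    }

    // Assumed servlet showing the hop the thread describes: create, then redirect to edit.
    public static class CreateUsersServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
            String newUserId = "42"; // constructed stand-in for the id of the user just created
            String token = (String) req.getSession().getAttribute(SESSION_KEY);
            res.sendRedirect(redirectWithToken(
                req.getContextPath() + "/EditUsers?id=" + newUserId, token));
        }
    }
}
```

Two points worth noticing. First, the parameterless switch alone does not solve the redirect in the thread: a Location of /EditUsers?id=42 carries a real parameter, so the filter validates it even with parameterlessValidation=false, and the bare redirect has no token to offer. Carrying the token on the redirect, as redirectWithToken does, is what makes the hop pass. Second, a token in the query string ends up in server logs and in Referer headers sent to third parties; that is the trade-off for this approach, and a reason to keep per-session (not per-page) tokens short-lived and to redirect only to same-origin paths.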

-----Original Message-----
From: Cheung, Ming [mailto:MCheung at tmrs.com] 
Sent: Tuesday, March 05, 2013 11:50 AM
To: Patrick Radtke
Cc: owasp-csrfguard at lists.owasp.org
Subject: Re: [Owasp-csrfguard] Where is the SVN repository for Alpha version OWASP CSRFGuard 3.0.0.503 (ALPHA)

First of all, Thanks Patrick for providing the download link.

I just learned the download link is NOT for the Alpha version OWASP CSRFGuard 3.0.0.503 (ALPHA); it is for the trunk.

Does anyone have instructions on how to use the latest CSRFGuard from the trunk? The CSRFGuard 3.0.0.503 (ALPHA) instructions, https://www.owasp.org/index.php/CSRFGuard_3_Installation, are already out of date.


1. Which Listener should be used? CsrfGuardHttpSessionListener or CsrfGuardServletContextListener?

2. What is the difference?

3. Which Guard class should be added to the web.xml? CsrfGuardFilter or CsrfGuard?

4. Compared to the latest code from trunk, CSRFGuard 3.0.0.503 (ALPHA) works better. CSRFGuard 3.0.0.503 (ALPHA) only failed on one single page with "Required token is missing from the request"; therefore, does anyone have the link for CSRFGuard 3.0.0.503 (ALPHA)?


Thanks,
Ming



-----Original Message-----
From: Patrick Radtke [mailto:pradtke at stanford.edu]
Sent: Thursday, February 28, 2013 4:08 PM
To: Cheung, Ming
Cc: owasp-csrfguard at lists.owasp.org
Subject: Re: [Owasp-csrfguard] Where is the SVN repository for Alpha version OWASP CSRFGuard 3.0.0.503 (ALPHA)

https://github.com/esheri3/OWASP-CSRFGuard


On 2/28/13 1:25 PM, Cheung, Ming wrote:
> RA layer request failed
>
> svn: Server sent unexpected return value (405 Method Not Allowed) in 
> response to OPTIONS request for 'http://owaspcsrfguard.googlecode.com'
>
> Thanks,
>
> Ming
>
> *From:*Cheung, Ming [mailto:MCheung at tmrs.com]
> *Sent:* Thursday, February 28, 2013 3:08 PM
> *To:* owasp-csrfguard at lists.owasp.org
> *Subject:* [Owasp-csrfguard] Where is the SVN repository for Alpha 
> version OWASP CSRFGuard 3.0.0.503 (ALPHA)
>
> Hi There,
>
> The CSRFGuard failed on certain pages of my application. Could someone 
> please point me to the SVN repository for downloading the Java source?
>
> Thanks,
>
> Ming
>
_______________________________________________
Owasp-csrfguard mailing list
Owasp-csrfguard at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-csrfguard