[Owasp-csrfguard] first request is not protected?

Patrick Radtke pradtke at stanford.edu
Tue Oct 1 21:15:09 UTC 2013


I know in your original email you stated the app was sessionless. Where 
are you storing the CSRFGuard session data? In our Single sign on 
scenarios we create the session prior to the CsrfGuardFilter filter 
running, so this hadn't been an issue.




On 10/1/13 12:17 PM, Chris Hyzer wrote:
> Not sure if this is the culprit... but I don't really understand it: (from CsrfGuardFilter)
>
> 			if (session == null) {
> 				// If there is no session, no harm can be done
> 				filterChain.doFilter(httpRequest, (HttpServletResponse) response);
> 				return;
> 			}
>
> Isn't it possible for a request to come not from an existing session that would be single-signed on with a cookie, and authenticated, authorized, and perform the action?  Seems like this shouldn't pass through, but should be checked by csrfguard (even if it is an option to do so for people who want it).  I guess this assumes the Java session timeout is exactly the same or greater than the authentication timeout.  At Penn that is not the case.  You could be timed out from the Java app, but the single sign on cookie will get you right back in without redirect or user-input.  I think this is a gap.  Another use case is you have a bunch of apps on one apache, you are logged in to one, the single sign on cookie is valid, but you have no session on another, it would be vulnerable to CSRF.
>
> Thanks,
> Chris
>
>
> -----Original Message-----
> From: Chris Hyzer
> Sent: Tuesday, October 01, 2013 1:11 AM
> To: owasp-csrfguard at lists.owasp.org
> Subject: first request is not protected?
>
> I have a protected URL: /whatever, and the first request can go through CSRFguard, but subsequent requests cannot (they go to the error page).  Shouldn't the first request by default be protected unless that page is allowed in the properties file?  Is there a setting I can change to make the first request be protected?  Granted I understand that users will need to login, but I would prefer if all requests to protected resources are protected unless the CSRF token is there.  I tried this setting and it didn't seem to work...
>
>
> # New Token Redirect Page
> #
> # Defines where to send a user if the token is being generated for the first time.
> # Failure to define a redirect page will allow CSRF attacks to work for unauthenticated
> # users
> org.owasp.csrfguard.NewTokenRedirectPage=/myApp/assets/html/csrfError.html
>
> Thanks,
> Chris
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>
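The gap discussed above, as an added illustration that is not CSRFGuard's code and not from either poster: a minimal servlet filter in which a request that arrives without a container session is treated as "no token yet" rather than "nothing to protect". A safe-method request with no session gets a fresh session and token and continues (so the first page can embed the token); a state-changing request with no session is redirected to the new-token page instead of being passed through. The class name, the session attribute `csrf.token` and the parameter name `OWASP_CSRFTOKEN` are assumptions; the redirect path is the `NewTokenRedirectPage` value from the properties snippet quoted above.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative CSRF filter (assumed names, not CSRFGuard's implementation).
 * The quoted CsrfGuardFilter snippet does `if (session == null) { chain.doFilter(...); return; }`.
 * Here "no session" is handled as "no token yet", so an SSO-authenticated browser whose
 * Java session has expired still cannot perform a state-changing request without a token.
 */
public class SessionlessAwareCsrfFilter implements Filter {
    static final String TOKEN_ATTR = "csrf.token";        // assumed session attribute name
    static final String TOKEN_PARAM = "OWASP_CSRFTOKEN";  // assumed request parameter name
    static final String NEW_TOKEN_REDIRECT = "/myApp/assets/html/csrfError.html"; // value from the thread
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Look the session up without creating one; a missing session yields no expected token.
        HttpSession session = req.getSession(false);
        String expected = (session == null) ? null : (String) session.getAttribute(TOKEN_ATTR);
        boolean safe = SAFE_METHODS.contains(req.getMethod());

        if (expected == null) {
            // First contact or expired session: mint a token into a fresh session.
            HttpSession fresh = req.getSession(true);
            fresh.setAttribute(TOKEN_ATTR, newToken());
            if (safe) {
                chain.doFilter(req, resp);          // the rendered page can now embed the token
            } else {
                resp.sendRedirect(NEW_TOKEN_REDIRECT); // never let a tokenless POST through
            }
            return;
        }

        if (safe) {
            chain.doFilter(req, resp);
            return;
        }

        String presented = req.getParameter(TOKEN_PARAM);
        if (presented == null || !tokensMatch(expected, presented)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return;
        }
        chain.doFilter(req, resp);
    }

    /** 256-bit random token, URL-safe base64 so it can travel in a form field or header. */
    private String newToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Constant-time comparison so token checking does not leak timing information. */
    private static boolean tokensMatch(String expected, String presented) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }
}
```

Map the filter in web.xml ahead of the application's servlets, exactly where the SSO filter in Patrick's setup creates the session before the CSRF filter runs. The point of the example is the branch on `expected == null`: whatever policy an application chooses for a tokenless state-changing request (redirect, 403, or a configurable allow-list as Chris suggests), it is a decision the filter makes, not a pass-through.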


