[Owasp-csrfguard] Problem in using CSRF 3

apinninti . ajay.pinninti at gmail.com
Sun Oct 6 05:17:31 UTC 2013


Hi,

I have started using CSRF for one of the projects and I am facing a few
problems. We are using WebSphere with Struts 1.3 and SSL enabled. I am able
to configure CSRF, but the issues are:

1. The web pages contain tabs; clicking on a tab submits to the same page,
and I am having a problem with the page token. Since the same action class
gets called, CSRF returns an exception, "request token does not match page
token". How can I fix this problem?
2. I have a JSP page containing a text field order no lookup page with a
search button. We declared these buttons as unprotected pages. By declaring
these pages as unprotected, we are allowing someone to create dummy requests
for these pages and do request forgery. How can we fix this problem?

Please help me in resolving these problems.

Thanks

Ajay Pinninti

