[Owasp-csrfguard] Double Refresh for every request

Chris Hyzer mchyzer at isc.upenn.edu
Sun Oct 20 15:22:15 UTC 2013


Not sure if anyone else is having problems with this message from last year.  I have this problem.  I am using Dojo, and I can reproduce it on Chrome on Windows, and other browsers / OSs...

It seems like the CSRFGuard javascript is adding the token to scripts, css, and images in the page, and the browser is making dual requests, and re-rendering the page.

I think ideally, if a URL pattern is ignored in the config, the Javascript should ignore urls or hrefs of that pattern as well.  However, the simple solution for me is to just ignore those tags in the javascript since I don't want any CSS or javascript (or images) protected by csrfguard.

So change the CSRF javascript:

FROM:   (line 340)

        /** inject into attribute **/
      } else if(%INJECT_ATTRIBUTES% == true) {
        injectTokenAttribute(element, "src", tokenName, tokenValue, pageTokens);
        injectTokenAttribute(element, "href", tokenName, tokenValue, pageTokens);
      }

TO:

        /** inject into attribute **/
      } else if(%INJECT_ATTRIBUTES% == true) {
        if(element.tagName.toLowerCase() != "script" && element.tagName.toLowerCase() != "link" && element.tagName.toLowerCase() != "img") {
          injectTokenAttribute(element, "src", tokenName, tokenValue, pageTokens);
          injectTokenAttribute(element, "href", tokenName, tokenValue, pageTokens);
        }
      }



This fixes the problem... any chance we could get this or something like it into GIT for CSRFGuard?  Either this, or an option to do this (true/false), or code the javascript to honor the ignores in the config file...

Thanks,
Chris
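The patched decision above, together with the "honor the unprotected URL patterns" behaviour the post says would be ideal, as an added example that is not CSRFGuard's own code: DOM elements are modelled as plain {tagName, attrs} objects and the unprotected paths as a constructed list (with an assumed trailing-"*" prefix rule), so it runs in Node without a browser.

```javascript
// Added example, not CSRFGuard's own code. Plain objects {tagName, attrs}
// stand in for DOM elements so this runs in Node without a browser.
const TOKEN_NAME = "OWASP_CSRFTOKEN";                 // TokenName from the posted config
const SKIP_TAGS = new Set(["script", "link", "img"]); // tags skipped in the posted patch
// Stand-in for the config's org.owasp.csrfguard.unprotected.* paths
// (assumption: exact match, or prefix match when the entry ends in "*").
const UNPROTECTED = ["/localhost/home", "/localhost/403.jsp", "/localhost/static/*"];
function isUnprotected(url) {
  const path = url.split("?")[0];
  return UNPROTECTED.some(p =>
    p.endsWith("*") ? path.startsWith(p.slice(0, -1)) : path === p);
}

function appendToken(url, tokenName, tokenValue) {
  const sep = url.includes("?") ? "&" : "?";
  return url + sep + tokenName + "=" + encodeURIComponent(tokenValue);
}

// Rewrites one attribute; returns true if the URL was changed.
function injectTokenAttribute(element, attr, tokenName, tokenValue) {
  const url = element.attrs[attr];
  if (url === undefined) return false;
  if (url.includes(tokenName + "=")) return false;  // already tokenised: idempotent
  if (isUnprotected(url)) return false;             // honour the config's ignores
  element.attrs[attr] = appendToken(url, tokenName, tokenValue);
  return true;
}

// The patched decision from the post: skip static-resource tags, inject into the rest.
function injectTokens(elements, tokenValue) {
  let count = 0;
  for (const el of elements) {
    if (SKIP_TAGS.has(el.tagName.toLowerCase())) continue;
    for (const attr of ["src", "href"]) {
      if (injectTokenAttribute(el, attr, TOKEN_NAME, tokenValue)) count++;
    }
  }
  return count;  // number of URLs rewritten
}

// Constructed page fragment mirroring the symptoms described in the thread.
function demoPage() {
  return [
    { tagName: "SCRIPT", attrs: { src: "/localhost/js/dojo.js" } },
    { tagName: "LINK",   attrs: { href: "/localhost/css/site.css" } },
    { tagName: "A",      attrs: { href: "/localhost/home" } },
    { tagName: "A",      attrs: { href: "/localhost/static/help.html" } },
    { tagName: "A",      attrs: { href: "/localhost/account/edit?id=7" } },
  ];
}
```

Only the one protected, non-static link gets a token; a second pass over the same page changes nothing, which is what stops the script and stylesheet elements from being re-fetched.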

[Owasp-csrfguard] Double Refresh for every request
Mehdi Bennani mehdibennani at hotmail.com
Thu May 17 15:31:37 UTC 2012

Hi You guys,

I have just set up CSRFGuard to work with my Struts2-Spring project. I have 2 issues:

1- For every request, all my resources are requested twice, i.e. all the CSS, images, etc. are requested twice, once without the OWASP token and once with the token.
In fact, a quick inspection through Firebug reveals the following timeline:
- A bunch of GETs are issued (my resources) (without the OWASP token)
  Among them, a GET to the OWASP JavaScriptServlet
- Then at some point, a POST to JavaScriptServlet is sent out
- Then a slew of GETs (the same ones as before, i.e. my resources), this time with ?OWASP_CSRFTOKEN=... appended to each GET

Is this how it is supposed to be working? I must have configured something wrong...
I mean, even if I were willing to disregard the performance loss related to the double requests, my site loads funny now, as it loads without the CSS/JS at first (so it looks pretty ugly), then a split second later the site is refreshed and everything is there. It is slow enough that one can notice it.

2- When I log in, it fails with a 403. I checked my form submission and it does not seem to contain the OWASP_CSRFTOKEN. Hence the 403...

Any help is appreciated,

Here is my config:

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Ajax=true

org.owasp.csrfguard.unprotected.DefaultHome=/localhost/home
org.owasp.csrfguard.unprotected.403=/localhost/403.jsp
org.owasp.csrfguard.unprotected.404=/localhost/404.jsp

org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/localhost/403.jsp
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate

org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG

And the JavaScriptServlet configuration:

    <servlet>
        <servlet-name>JavaScriptServlet</servlet-name>
        <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
        <init-param>
            <param-name>source-file</param-name>
            <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
        </init-param>
        <init-param>
            <param-name>inject-into-forms</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>inject-into-attributes</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>domain-strict</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>referer-pattern</param-name>
            <param-value>.*localhost.*</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>JavaScriptServlet</servlet-name>
        <url-pattern>/JavaScriptServlet</url-pattern>
    </servlet-mapping>

Elextra/