[Owasp-csrfguard] Owasp-csrfguard Digest, Vol 38, Issue 6

Chris Hyzer mchyzer at isc.upenn.edu
Fri Oct 25 05:12:13 UTC 2013


I was using the latest chrome on windows 7, though I believe my colleague was on a mac.

I had HTML that had dojo, and some CSS and images, and the browser would request the resource, then URL rewriting from CSRFguard would take place and change the link or src, and the request would happen again.

Thanks,
Chris

-----Original Message-----
From: Manish Java [mailto:manish.in.java at gmail.com] 
Sent: Thursday, October 24, 2013 11:39 PM
To: Chris Hyzer
Cc: owasp-csrfguard at lists.owasp.org
Subject: RE: Owasp-csrfguard Digest, Vol 38, Issue 6

Hi Chris

I will take a look at this issue and let you know of my findings.  In the
meantime, could you help me by providing the following information:

1. Which OS is the problem seen on?
2. Which browser and version is the problem seen on?
3. Steps to reproduce the problem.

Cheers
~ Manish

----------------------------------------------------------------------

Message: 1
Date: Sun, 20 Oct 2013 15:22:15 +0000
From: Chris Hyzer <mchyzer at isc.upenn.edu>
To: "owasp-csrfguard at lists.owasp.org" <owasp-csrfguard at lists.owasp.org>
Subject: [Owasp-csrfguard] Double Refresh for every request
Message-ID: <04BE669BEE19E54BBDC2A9A2585BB6886CE6AC63 at exch-mbx01.exchange.upenn.edu>
Content-Type: text/plain; charset="us-ascii"

Not sure if anyone else is having problems with this message from last year.
I have this problem.  I am using dojo, and I can reproduce it on chrome on
windows, and other browsers / OSs...

It seems like the CSRFGuard javascript is adding the token to scripts, css,
and images in the page, and the browser is making dual requests, and
re-rendering the page.

I think ideally, if a URL pattern is ignored in the config, the Javascript
should ignore urls or hrefs of that pattern as well.  However, the simple
solution for me is to just ignore those tags in the javascript since I don't
want any CSS or javascript (or images) protected by csrfguard.

So change the CSRF javascript:

FROM:   (line 340)

        /** inject into attribute **/
      } else if(%INJECT_ATTRIBUTES% == true) {
        injectTokenAttribute(element, "src", tokenName, tokenValue, pageTokens);
        injectTokenAttribute(element, "href", tokenName, tokenValue, pageTokens);
      }

TO:

        /** inject into attribute **/
      } else if(%INJECT_ATTRIBUTES% == true) {
        /** skip static resources: script, link (css) and img tags **/
        if(element.tagName.toLowerCase() != "script" &&
           element.tagName.toLowerCase() != "link" &&
           element.tagName.toLowerCase() != "img") {
          injectTokenAttribute(element, "src", tokenName, tokenValue, pageTokens);
          injectTokenAttribute(element, "href", tokenName, tokenValue, pageTokens);
        }
      }



This fixes the problem... any chance we could get this or something like it
into GIT for CSRFGuard?  Either this, or an option to do this (true/false),
or code the javascript to honor the ignores in the config file...

Thanks,
Chris

[Owasp-csrfguard] Double Refresh for every request
Mehdi Bennani mehdibennani at hotmail.com
Thu May 17 15:31:37 UTC 2012


________________________________
Hi You guys,

I have just set up CSRF guard to work with my strut2-spring project. I
have 2 issues:

1- For every request, all my resources are requested twice. I.e: all the
css, images, etc... are requested twice, once without the OWASP token and
once with the token.
In fact, a quick inspection through firebug reveals the following timeline:
- A bunch of GETs are issued (my resources) (without the OWASP token)
  Among them, a GET to OWASP JavaScriptServlet
- Then at some point, a POST to JavaScriptServlet is sent out
- Then a slew of GETs (the same ones as before, i.e: my resources), this time
with the ?OWASP_CSRFTOKEN=... appended to each GET

Is this how it is supposed to be working?? I must have configured something
wrong....
I mean, even if I would like to disregard the performance loss related to the
double requests, my site loads funny now, as it loads without the CSS/JS
at first (so looks pretty ugly), then a split second later, the
site is refreshed and everything is there. It is slow enough that we can
notice it.

2- When I login, it fails with a 403. I checked my form submission and it
does not seem to contain the OWASP_CSRFTOKEN. Hence the 403...

Any help is appreciated,

Here is my config:

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Ajax=true

org.owasp.csrfguard.unprotected.DefaultHome=/localhost/home
org.owasp.csrfguard.unprotected.403=/localhost/403.jsp
org.owasp.csrfguard.unprotected.404=/localhost/404.jsp

org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/localhost/403.jsp
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate

org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG

And JavaScriptServlet

    <servlet>
        <servlet-name>JavaScriptServlet</servlet-name>
        <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
        <init-param>
            <param-name>source-file</param-name>
            <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
        </init-param>
        <init-param>
            <param-name>inject-into-forms</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>inject-into-attributes</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>domain-strict</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>referer-pattern</param-name>
            <param-value>.*localhost.*</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>JavaScriptServlet</servlet-name>
        <url-pattern>/JavaScriptServlet</url-pattern>
    </servlet-mapping>

Elextra/
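Both Chris's patch (skipping script, link and img tags in the attribute-injection branch) and Mehdi's config (with its unprotected.* entries) describe the same decision: which src/href values should get the CSRF token appended. The block below is an added example, not CSRFGuard's own code, that implements that decision as pure functions so it runs under Node without a DOM: it skips static-resource tags, honours an ignore-pattern list standing in for the unprotected.* config entries, skips non-navigating links, and never appends a token twice. All names (RESOURCE_TAGS, UNPROTECTED_PATTERNS, shouldInjectToken, injectTokenIntoUrl, rewriteElements, SAMPLE_ELEMENTS) and the sample elements and token value are constructed for the example.

```javascript
// Added example (not CSRFGuard's own code): token-injection policy for the
// src/href rewriting step, as pure functions. Plain objects stand in for DOM
// elements so the file runs under Node without a browser.

// Tags whose src/href only fetch static resources; rewriting them is what
// makes the browser request every asset a second time.
const RESOURCE_TAGS = new Set(["script", "link", "img"]);

// Constructed stand-in for the unprotected.* entries of a CSRFGuard
// properties file: requests matching these never need a token.
const UNPROTECTED_PATTERNS = [
  /^\/localhost\/home$/,
  /^\/localhost\/40[34]\.jsp$/,
  /\.(css|js|png|gif|jpe?g)(\?.*)?$/i,
];

// Links that never turn into a same-site state-changing request.
const NON_NAVIGATING = /^(#|javascript:|mailto:|data:)/i;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

function isUnprotected(url, patterns) {
  return patterns.some((p) => p.test(url));
}

function hasToken(url, tokenName) {
  return new RegExp("[?&]" + escapeRegExp(tokenName) + "=").test(url);
}

// Decide whether a given tag/URL pair should receive the token.
function shouldInjectToken(tagName, url, tokenName, patterns) {
  if (!url || NON_NAVIGATING.test(url)) return false;
  if (RESOURCE_TAGS.has(tagName.toLowerCase())) return false;
  if (isUnprotected(url, patterns)) return false;
  if (hasToken(url, tokenName)) return false;
  return true;
}

// Append tokenName=tokenValue to the query string, keeping any fragment last.
function injectTokenIntoUrl(url, tokenName, tokenValue) {
  const hashIdx = url.indexOf("#");
  const fragment = hashIdx >= 0 ? url.slice(hashIdx) : "";
  const base = hashIdx >= 0 ? url.slice(0, hashIdx) : url;
  const sep = base.includes("?") ? "&" : "?";
  return base + sep + encodeURIComponent(tokenName) + "=" +
    encodeURIComponent(tokenValue) + fragment;
}

// Apply the policy to a list of {tagName, attributes} objects; return
// rewritten copies plus a count of how many attributes were changed.
function rewriteElements(elements, tokenName, tokenValue, patterns) {
  let rewritten = 0;
  const out = elements.map((el) => {
    const attributes = { ...el.attributes };
    for (const attr of ["src", "href"]) {
      const url = attributes[attr];
      if (url !== undefined && shouldInjectToken(el.tagName, url, tokenName, patterns)) {
        attributes[attr] = injectTokenIntoUrl(url, tokenName, tokenValue);
        rewritten++;
      }
    }
    return { tagName: el.tagName, attributes };
  });
  return { elements: out, rewritten };
}

// Constructed page fragment resembling the dojo page described in the thread.
const SAMPLE_ELEMENTS = [
  { tagName: "SCRIPT", attributes: { src: "/js/dojo/dojo.js" } },
  { tagName: "LINK", attributes: { href: "/css/site.css" } },
  { tagName: "IMG", attributes: { src: "/img/logo.png" } },
  { tagName: "A", attributes: { href: "/localhost/home" } },
  { tagName: "A", attributes: { href: "#top" } },
  { tagName: "A", attributes: { href: "/app/account?view=1#details" } },
  { tagName: "A", attributes: { href: "/app/delete" } },
  { tagName: "A", attributes: { href: "/app/delete?OWASP_CSRFTOKEN=already" } },
];

const TOKEN_NAME = "OWASP_CSRFTOKEN";
// Constructed value; a real token comes from the server-side session.
const TOKEN_VALUE = "constructed-token-value";

if (typeof require !== "undefined" && require.main === module) {
  const result = rewriteElements(SAMPLE_ELEMENTS, TOKEN_NAME, TOKEN_VALUE, UNPROTECTED_PATTERNS);
  for (const el of result.elements) console.log(el.tagName, JSON.stringify(el.attributes));
  console.log("attributes rewritten:", result.rewritten);
}
```

Run with `node` to see which of the eight sample elements get a token: only the two plain application links do; the three static-resource tags, the unprotected home link, the fragment-only link and the already-tokenised link are left alone, which is the behaviour that removes the second round of asset requests.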
------------------------------

_______________________________________________
Owasp-csrfguard mailing list
Owasp-csrfguard at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-csrfguard


End of Owasp-csrfguard Digest, Vol 38, Issue 6
**********************************************
