[Owasp-csrfguard] Community Question regarding OWASP-CSRF

Azzeddine Ramrami azzeddine.ramrami at owasp.org
Tue Apr 8 19:14:38 UTC 2014


Thanks Sarah.

I will take this request for further analysis. Help from other leaders or
users of CSRF-Guard is welcome.
Just to be clear, I will work on this issue as a volunteer; this means I will
do my best to solve this issue if I can reproduce it.
Some questions:
- Which version of CSRF-Guard is used?
- Which application server is used?
- Browser name and version?

Regards,
Azzeddine




On Tue, Apr 8, 2014 at 5:23 PM, Sarah Baso <sarah.baso at owasp.org> wrote:

> Azzeddine and others -
>
> We received this question through our community "contact us" form - can
> you help with responding?  The submitter is cc'ed.
>
>
>
>
> We have secured our public website using OWASP CSRF Guard and
> configured TokenPerPage=true. We use JSF 2.0 (MyFaces) for our front-end
> development. Everything works as expected except when we use JSF
> <f:ajax>. When we submit an ajax request from a page, the ajax request is
> successful but the subsequent HTTP request fails with a message ("potential
> cross-site request forgery (CSRF) attack thwarted (user:<anonymous>%,
> ip:x.x.x.x, uri:/ppr/secured/xxxx.faces, error:request token does not match
> page token)").
>
>
> Below is our speculation: in JSF the URL displayed in the browser
> address bar is always the previous page's URL (as JSF 'POST' forwards the
> request), and the ajax request uses the current page's URL. Maybe the ajax
> request overrides the token. We are not sure if this could cause any
> issues with token tracking, but we just want to hint you our speculation
> and get your suggestion/guidance to fix this issue.
>
>
> Thanks in advance,
> Sarah Baso
> --
> Executive Director
> OWASP Foundation
>
> sarah.baso at owasp.org
> +1.312.869.2779
>
>
>
>
>


-- 
Azzeddine RAMRAMI
+33 6 65 48 90 04.
Enterprise Security Architect
OWASP Leader (Morocco Chapter)
Mozilla Security Projects Mentor
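To make the mismatch in the quoted report concrete, here is an added model of per-page token checking written for this thread; it is not CSRFGuard's code. The store class, the two URIs and the fallback to a session token for a URI that was never rendered are assumptions.

```python
import secrets

class PerPageTokenStore:
    """Model of TokenPerPage=true: one session (master) token plus one token
    per page URI. Simplified for this thread; not CSRFGuard's implementation."""

    def __init__(self):
        self.session_token = secrets.token_hex(16)
        self.page_tokens = {}          # request URI -> page token

    def render_page(self, uri):
        """A page render mints (or reuses) the token that is injected into
        that page's forms and links."""
        return self.page_tokens.setdefault(uri, secrets.token_hex(16))

    def verify(self, uri, token_from_request):
        """Return None if the request is accepted, else the rejection reason.
        Assumption: a URI that has never been rendered is checked against the
        session token instead of a page token."""
        if token_from_request is None:
            return "required token is missing from the request"
        page_token = self.page_tokens.get(uri)
        if page_token is not None:
            if page_token != token_from_request:
                return "request token does not match page token"
        elif self.session_token != token_from_request:
            return "request token does not match session token"
        return None


def jsf_forward_scenario():
    """Constructed sequence from the report: the address bar still shows the
    previous view because JSF answers a POST with a server-side forward, so
    the browser keeps using the previous page's token against the new URI."""
    store = PerPageTokenStore()
    previous_uri = "/ppr/secured/list.faces"     # assumed URI in the address bar
    current_uri = "/ppr/secured/xxxx.faces"      # view actually rendered (from the report)

    token_in_browser = store.render_page(previous_uri)
    store.render_page(current_uri)               # the forward renders the new view, minting its token

    return {
        # Same page, same token: accepted.
        "post_to_previous": store.verify(previous_uri, token_in_browser),
        # Previous page's token sent to the forwarded view's URI: the symptom in the report.
        "post_to_current": store.verify(current_uri, token_in_browser),
        # What the browser would need: the token minted for the current URI.
        "post_with_current_token": store.verify(current_uri, store.page_tokens[current_uri]),
    }
```

Logging which URI the token was minted for next to the URI it was submitted against is usually enough to confirm whether this is the cause in a real deployment.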