[Owasp-csrfguard] Community Question regarding OWASP-CSRF

Sarah Baso sarah.baso at owasp.org
Tue Apr 8 19:16:20 UTC 2014


Thanks!

Ranjith - can you provide a bit more information as Azzeddine has requested?

Sarah


On Tue, Apr 8, 2014 at 12:14 PM, Azzeddine Ramrami <
azzeddine.ramrami at owasp.org> wrote:

> Thanks Sarah.
>
> I will take this request for further analysis. Help from other leaders or
> users of CSRF-Guard is welcome.
> Just to be clear, I will work on this issue as a volunteer; this means I will
> do my best to solve this issue if I can reproduce it.
> Some questions:
> - Which version of CSRF-Guard is used?
> - Which application server is used?
> - Browser name and version?
>
> Regards,
> Azzeddine
>
>
>
>
> On Tue, Apr 8, 2014 at 5:23 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>
>> Azzeddine and others -
>>
>> We received this question through our community "contact us" form - can
>> you help with responding?  The submitter is cc'ed.
>>
>>
>>
>>
>> We have secured our public website using OWASP CSRFGuard and
>> configured TokenPerPage=true. We use JSF 2.0 (MyFaces) for our front-end
>> development. Everything works well as expected except when we use JSF
>> <f:ajax>. When we submit an ajax request from a page, the ajax request is
>> successful but the subsequent HTTP request fails with a message ("potential
>> cross-site request forgery (CSRF) attack thwarted (user:<anonymous>%,
>> ip:x.x.x.x, uri:/ppr/secured/xxxx.faces, error:request token does not match
>> page token)").
>>
>>
>> Below is our speculation: in JSF the URL displayed in the browser
>> address bar is always the previous page's URL (as JSF 'POST' forwards the
>> request), and the ajax request uses the current page's URL. Maybe the ajax
>> request overrides the token. We are not sure if this could cause any
>> issues with token tracking, but we just want to give you a hint of our speculation
>> and get your suggestion/guidance to fix this issue.
>>
>>
>> Thanks in advance,
>> Sarah Baso
>> --
>> Executive Director
>> OWASP Foundation
>>
>> sarah.baso at owasp.org
>> +1.312.869.2779
>>
>>
>>
>>
>>
>
>
> --
> Azzeddine RAMRAMI
> +33 6 65 48 90 04.
> Enterprise Security Architect
> OWASP Leader (Morocco Chapter)
> Mozilla Security Projects Mentor
>



-- 
Executive Director
OWASP Foundation

sarah.baso at owasp.org
+1.312.869.2779