[Owasp-csrfguard] Community Question regarding OWASP-CSRF

Chris Hyzer mchyzer at isc.upenn.edu
Tue Apr 8 19:21:02 UTC 2014

Just curious... CSRF guard will parse a page and add/edit some DOM elements so that the token is passed back and forth.  But after an Ajax request, when new page elements (links, forms) are potentially added, will CSRF guard decorate these so that the token is passed?  Or does a Javascript function need to be called after ajax changed the page so that new elements are decorated?  When you get the error, can you see the network tab in a browser developer tools plugin to see if a token is even being passed at all?  Does it work if you don't have token per page?


From: owasp-csrfguard-bounces at lists.owasp.org [mailto:owasp-csrfguard-bounces at lists.owasp.org] On Behalf Of Sarah Baso
Sent: Tuesday, April 08, 2014 3:16 PM
To: Azzeddine Ramrami; ranjith.sundarajchandras at its.ny.gov
Cc: owasp-csrfguard at lists.owasp.org
Subject: Re: [Owasp-csrfguard] Community Question regarding OWASP-CSRF


Ranjith - can you provide a bit more information as Azzeddine has requested?


On Tue, Apr 8, 2014 at 12:14 PM, Azzeddine Ramrami <azzeddine.ramrami at owasp.org<mailto:azzeddine.ramrami at owasp.org>> wrote:
Thanks Sarah.

I will take this request for further analysis. Help form other leaders or users of CSRF-Guard is welcome.
Just to be clear I will work on this issue as volunteer, this mean I will do my best to solve this issue if I can reproduce it.
Some questions:
- Witch version of CSRF-Guard is used.
- Witch Application Server is used.
- Browser name and version.

On Tue, Apr 8, 2014 at 5:23 PM, Sarah Baso <sarah.baso at owasp.org<mailto:sarah.baso at owasp.org>> wrote:
Azzeddine and others -

We received this question through our community "contact us" form - can you help with responding?  The submitter is cc'ed.

We have secured our public website using OWASP - CSRF guard and configured TokenPerPage=true. We use JSF 2.0 (myfaces) for our front-end development.
Every thing works good as expected except when we use JSF <f:ajax>. When we submit an ajax request from a page, the ajax request is successful but the subsequent Http Request fails with a message ("potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>%, ip:x.x.x.x, uri:/ppr/secured/xxxx.faces, error:request token does not match page token)").
Below is our speculation :
- In JSF the URL displayed in the browser address bar is always the previous page's url ( as JSF 'POST' forwards the request). And ajax request uses the current page's url. May be the ajax request overrides the token.
We are not sure if this could cause any issues with token tracking - but we just want to hint you our speculation and get your suggestion/guidance to fix this issue.

Thanks in advance,
Sarah Baso
Executive Director
OWASP Foundation

sarah.baso at owasp.org<mailto:sarah.baso at owasp.org>

Azzeddine RAMRAMI
+33 6 65 48 90 04<tel:%2B33%206%2065%2048%2090%2004>.
Enterprise Security Architect
OWASP Leader (Morocco Chapter)
Mozilla Security Projects Mentor

Executive Director
OWASP Foundation

sarah.baso at owasp.org<mailto:sarah.baso at owasp.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20140408/f3b1de66/attachment-0001.html>

More information about the Owasp-csrfguard mailing list