[Owasp-csrfguard] Community Question regarding OWASP-CSRF

Azzeddine Ramrami azzeddine.ramrami at owasp.org
Tue Apr 8 19:46:56 UTC 2014


Is it possible for you to use version 3.1? We corrected some issues and
bugs.

I assisted some people in setting up v3.1 on IBM WAS 7, and they succeeded in
running CSRF-Guard.

I will study your request but I cannot give you a closing date because I am
very busy with my current mission.

Just to be honest, the support is volunteer support based on my free time.
Thanks.
Azzeddine


On Tue, Apr 8, 2014 at 7:40 PM, SundarajChandras, Ranjith (ITS) <Ranjith.SundarajChandras at its.ny.gov> wrote:

> Hi Azzeddine,
>
> Thanks for taking this up!
>
> Find below my response in blue.
>
> - Which version of CSRF-Guard is used.
>
> Version 3
>
> - Which Application Server is used.
>
> IBM Websphere Application Server v7
>
> - Browser name and version.
>
> Was able to reproduce in most browsers I use (IE8, 9, Chrome, Firefox 28)
>
> FYR - I raised this question in a couple of forums. I have included the HTTP
> request/response flow captured using Fiddler there.
>
> http://stackoverflow.com/questions/22617634/owasp-csrf-token-with-jsf-ajax-request
>
> http://myowasp.ning.com/forum/topics/problem-in-using-owasp-csrf-guard-with-jsf-f-ajax-request
>
> Let me know if you need more details.
>
> Thanks,
>
> Ranjith
>
>
> *From:* Azzeddine Ramrami [mailto:azzeddine.ramrami at owasp.org]
> *Sent:* Tuesday, April 08, 2014 3:15 PM
> *To:* Sarah Baso
> *Cc:* owasp-csrfguard at lists.owasp.org; SundarajChandras, Ranjith (ITS)
> *Subject:* Re: Community Question regarding OWASP-CSRF
>
> Thanks Sarah.
>
> I will take this request for further analysis. Help from other leaders or
> users of CSRF-Guard is welcome.
> Just to be clear, I will work on this issue as a volunteer; this means I will
> do my best to solve this issue if I can reproduce it.
> Some questions:
> - Which version of CSRF-Guard is used.
> - Which Application Server is used.
> - Browser name and version.
>
> Regards,
> Azzeddine
>
> On Tue, Apr 8, 2014 at 5:23 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>
> Azzeddine and others -
>
> We received this question through our community "contact us" form - can
> you help with responding? The submitter is cc'ed.
>
> *We have secured our public website using OWASP - CSRF guard and configured
> TokenPerPage=true. We use JSF 2.0 (myfaces) for our front-end development.
> Everything works well as expected except when we use JSF <f:ajax>. When we
> submit an ajax request from a page, the ajax request is successful but the
> subsequent HTTP request fails with a message ("potential cross-site request
> forgery (CSRF) attack thwarted (user:<anonymous>%, ip:x.x.x.x,
> uri:/ppr/secured/xxxx.faces, error:request token does not match page
> token)").*
>
> *Below is our speculation: in JSF the URL displayed in the browser address
> bar is always the previous page's URL (as JSF 'POST' forwards the request),
> and the ajax request uses the current page's URL. Maybe the ajax request
> overrides the token. We are not sure if this could cause any issues with
> token tracking, but we just want to share our speculation with you and get
> your suggestion/guidance to fix this issue.*
>
> Thanks in advance,
>
> Sarah Baso
> --
> Executive Director
> OWASP Foundation
> sarah.baso at owasp.org
> +1.312.869.2779
>
> --
> Azzeddine RAMRAMI
> +33 6 65 48 90 04.
> Enterprise Security Architect
> OWASP Leader (Morocco Chapter)
> Mozilla Security Projects Mentor



-- 
Azzeddine RAMRAMI
+33 6 65 48 90 04.
Enterprise Security Architect
OWASP Leader (Morocco Chapter)
Mozilla Security Projects Mentor
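The mismatch described in the quoted question, as an added example that is not part of this thread or of CSRFGuard's code base: a simplified Python model of TokenPerPage validation, where page tokens are kept per request URI and a request must carry the token of the URI it targets (the validation rule, the session layout and the sample URIs are assumptions of this model, not taken from the library). It shows why a token rendered for the address-bar URI left behind by a JSF POST-forward fails when the <f:ajax> call posts to the current view's URI.

```python
import secrets


class CsrfSession:
    """Assumed model of one HTTP session under TokenPerPage=true."""

    def __init__(self):
        self.session_token = secrets.token_hex(16)
        self.page_tokens = {}  # request URI -> page token issued for that URI

    def token_for_page(self, uri):
        """Issue (or reuse) the page token that gets embedded in the page at `uri`."""
        if uri not in self.page_tokens:
            self.page_tokens[uri] = secrets.token_hex(16)
        return self.page_tokens[uri]

    def validate(self, uri, presented):
        """Accept a request to `uri` only with that URI's page token.
        Falls back to the session token if no page token exists yet (model assumption).
        Returns (accepted, reason)."""
        expected = self.page_tokens.get(uri, self.session_token)
        if presented != expected:
            return False, "request token does not match page token"
        return True, "ok"


def jsf_forward_scenario():
    """Constructed reproduction of the reported failure: after a JSF POST-forward the
    address bar still shows a.faces, so the token embedded in the rendered page is
    a.faces' token, but the <f:ajax> request targets the current view, b.faces."""
    s = CsrfSession()
    shown_uri = "/ppr/secured/a.faces"  # constructed sample URIs
    ajax_uri = "/ppr/secured/b.faces"
    tok = s.token_for_page(shown_uri)   # token rendered into the page the browser holds
    s.token_for_page(ajax_uri)          # the forwarded view also had a token issued
    return s.validate(ajax_uri, tok)    # -> (False, "request token does not match page token")


def consistent_scenario():
    """Same flow when the token is taken for the URI the request actually targets."""
    s = CsrfSession()
    uri = "/ppr/secured/b.faces"
    return s.validate(uri, s.token_for_page(uri))  # -> (True, "ok")
```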