[Owasp-csrfguard] Community Question regarding OWASP-CSRF

Azzeddine Ramrami azzeddine.ramrami at owasp.org
Tue Apr 8 19:57:50 UTC 2014


Here is what I test in IBM WAS 8.0:


In particular, in the csrfguard.properties file, I had to change the
org.owasp.csrfguard.PRNG property

From: org.owasp.csrfguard.PRNG =SHA1PRNG
To: org.owasp.csrfguard.PRNG=IBMSecureRandom

And in the CsrfGuard.java file, defaults are hard-coded for the following
two values, which have to be changed for WebSphere servers

From: org.owasp.csrfguard.PRNG=SHA1PRNG
To: org.owasp.csrfguard.PRNG=IBMSecureRandom
---
From: org.owasp.csrfguard.PRNG.Provider=SUN
To: org.owasp.csrfguard.PRNG.Provider=IBMJCE
---

Because of the change to the .java file, the code had to be recompiled. The
OWASP CSRFGuard Install Guide shows how to list the CSRFGuardListener class
in its example web.xml file. And the CSRFGuard.jar file on my company's
application security web site contains this class file. But I was not able
to find this java code anywhere. So instead, I used the
CsrfGuardServletContextListener and CsrfGuardHttpSessionListener classes,
and put them in my web.xml as follows:

    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
    </listener>

It would be possible to put both properties in csrfguard.properties and
forgo the recompile of the Java code, like this:
org.owasp.csrfguard.PRNG=IBMSecureRandom
org.owasp.csrfguard.PRNG.Provider=IBMJCE




On Tue, Apr 8, 2014 at 7:46 PM, <john.m.allen at thomsonreuters.com> wrote:

>  I'm not sure if this answers your question, Chris, but if you've
> downloaded the source, take a look at
>
> ...\csrfguard\src\main\resources\csrfguard.js
>
> about line 392.  That was the only place I found that it fetches and
> injects the token.
>
>
>
> (Caution:  I think the "if(%INJECT_XHR% == true)" closing brace is
> misplaced, too far down.  It makes it work only if Ajax is enabled.)
>
>
>
> John
>
>
>
>
>
> *From:* owasp-csrfguard-bounces at lists.owasp.org [mailto:
> owasp-csrfguard-bounces at lists.owasp.org] *On Behalf Of *Chris Hyzer
> *Sent:* Tuesday, April 08, 2014 2:21 PM
> *To:* Sarah Baso; Azzeddine Ramrami; ranjith.sundarajchandras at its.ny.gov
>
> *Cc:* owasp-csrfguard at lists.owasp.org
> *Subject:* Re: [Owasp-csrfguard] Community Question regarding OWASP-CSRF
>
>
>
> Just curious... CSRF guard will parse a page and add/edit some DOM elements
> so that the token is passed back and forth.  But after an Ajax request,
> when new page elements (links, forms) are potentially added, will CSRF
> guard decorate these so that the token is passed?  Or does a Javascript
> function need to be called after ajax changed the page so that new elements
> are decorated?  When you get the error, can you see the network tab in a
> browser developer tools plugin to see if a token is even being passed at
> all?  Does it work if you don't have token per page?
>
>
>
> Thanks,
>
> Chris
>
>
>
> *From:* owasp-csrfguard-bounces at lists.owasp.org [mailto:
> owasp-csrfguard-bounces at lists.owasp.org] *On Behalf Of *Sarah Baso
> *Sent:* Tuesday, April 08, 2014 3:16 PM
> *To:* Azzeddine Ramrami; ranjith.sundarajchandras at its.ny.gov
> *Cc:* owasp-csrfguard at lists.owasp.org
> *Subject:* Re: [Owasp-csrfguard] Community Question regarding OWASP-CSRF
>
>
>
> Thanks!
>
>
>
> Ranjith - can you provide a bit more information as Azzeddine has
> requested?
>
>
>
> Sarah
>
>
>
> On Tue, Apr 8, 2014 at 12:14 PM, Azzeddine Ramrami <
> azzeddine.ramrami at owasp.org> wrote:
>
> Thanks Sarah.
>
>
> I will take this request for further analysis. Help from other leaders or
> users of CSRF-Guard is welcome.
> Just to be clear, I will work on this issue as a volunteer; this means I will
> do my best to solve this issue if I can reproduce it.
> Some questions:
> - Which version of CSRF-Guard is used?
> - Which Application Server is used?
> - Browser name and version.
>
> Regards,
> Azzeddine
>
>
>
>
>
>
>
> On Tue, Apr 8, 2014 at 5:23 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>
> Azzeddine and others -
>
>
>
> We received this question through our community "contact us" form - can
> you help with responding?  The submitter is cc'ed.
>
>
>
>
> *We have secured our public website using OWASP - CSRF guard and
> configured TokenPerPage=true. We use JSF 2.0 (myfaces) for our front-end
> development.  Everything works well, as expected, except when we use JSF
> <f:ajax>. When we submit an ajax request from a page, the ajax request is
> successful but the subsequent Http Request fails with a message ("potential
> cross-site request forgery (CSRF) attack thwarted (user:<anonymous>%,
> ip:x.x.x.x, uri:/ppr/secured/xxxx.faces, error:request token does not match
> page token)"). *
>
>
>
> *Below is our speculation: in JSF the URL displayed in the browser
> address bar is always the previous page's url (as JSF 'POST' forwards the
> request), and the ajax request uses the current page's url. Maybe the ajax
> request overrides the token.  We are not sure if this could cause any
> issues with token tracking, but we just want to share our speculation
> and get your suggestion/guidance to fix this issue.*
>
>
>
>
>
> Thanks in advance,
>
> Sarah Baso
> --
>
> Executive Director
>
> OWASP Foundation
>
>
>
> sarah.baso at owasp.org
> +1.312.869.2779
>
>
>
>
>   --
>
> Azzeddine RAMRAMI
> +33 6 65 48 90 04.
> Enterprise Security Architect
> OWASP Leader (Morocco Chapter)
>
> Mozilla Security Projects Mentor
>
>
>
>
>
> --
>
> Executive Director
>
> OWASP Foundation
>
>
>
> sarah.baso at owasp.org
> +1.312.869.2779
>
>
>


-- 
Azzeddine RAMRAMI
+33 6 65 48 90 04.
Enterprise Security Architect
OWASP Leader (Morocco Chapter)
Mozilla Security Projects Mentor
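The two PRNG properties discussed at the top of this thread name a SecureRandom algorithm and the JCE provider that must supply it; the defaults (SHA1PRNG from the SUN provider) only exist on JVMs that ship that provider, which is why a WebSphere deployment needs IBMSecureRandom/IBMJCE. The following standalone check is an added example written for this page, not CSRFGuard's own code. It assumes, as the property names suggest, that the values are resolved with java.security.SecureRandom.getInstance(algorithm, provider); it reads the real csrfguard.properties from a path given on the command line (the default file name is an assumption), tries to instantiate the configured pair on the JVM it runs on, and, if that fails, lists every SecureRandom algorithm/provider pair the JVM actually offers so the correct values can be picked before the application is deployed.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Properties;

/**
 * Added example (not CSRFGuard code): verifies, on the JVM that will run the
 * application, that the PRNG algorithm/provider pair configured in
 * csrfguard.properties can be instantiated, and lists the alternatives if not.
 */
public class PrngConfigCheck {

    // Property keys exactly as they appear in csrfguard.properties.
    static final String KEY_PRNG = "org.owasp.csrfguard.PRNG";
    static final String KEY_PROVIDER = "org.owasp.csrfguard.PRNG.Provider";

    /** Returns the configured SecureRandom, or null (after printing why) if this JVM cannot supply it. */
    static SecureRandom resolve(String algorithm, String provider) {
        try {
            SecureRandom sr = (provider == null || provider.isEmpty())
                    ? SecureRandom.getInstance(algorithm)
                    : SecureRandom.getInstance(algorithm, provider);
            // Draw a few bytes now so a provider that fails on first use is caught at startup,
            // not when the first CSRF token is generated.
            sr.nextBytes(new byte[16]);
            return sr;
        } catch (NoSuchProviderException e) {
            System.err.println("Provider '" + provider + "' is not installed in this JVM");
        } catch (NoSuchAlgorithmException e) {
            System.err.println("Algorithm '" + algorithm + "' is not offered"
                    + (provider == null || provider.isEmpty() ? "" : " by provider '" + provider + "'"));
        }
        return null;
    }

    /** Prints every SecureRandom implementation registered in this JVM as "algorithm / provider". */
    static void listSecureRandomServices() {
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SecureRandom".equals(s.getType())) {
                    System.out.println("  " + s.getAlgorithm() + " / " + p.getName());
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // The file location is an assumption; pass the deployed csrfguard.properties path as argument.
        String path = args.length > 0 ? args[0] : "csrfguard.properties";
        Properties props = new Properties();
        try (FileInputStream in = new FileInputStream(path)) {
            props.load(in);   // tolerates "key =value" spacing as in the thread's example
        }
        // Fallbacks mirror the hard-coded defaults mentioned in the thread.
        String algorithm = props.getProperty(KEY_PRNG, "SHA1PRNG").trim();
        String provider = props.getProperty(KEY_PROVIDER, "SUN").trim();

        System.out.println("Configured PRNG: " + algorithm + " / " + provider);
        if (resolve(algorithm, provider) != null) {
            System.out.println("OK: this JVM can create the configured SecureRandom");
            return;
        }
        System.out.println("Available SecureRandom services on this JVM:");
        listSecureRandomServices();
        System.exit(1);
    }
}
```

Run it with the application server's own JVM (for example the IBM JDK bundled with WebSphere), not the developer's workstation JDK, since it is the server's provider list that decides whether CSRFGuard can create its token generator; a non-zero exit means the deployment would fail at token generation time.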