[Owasp-csrfguard] Query on CSRFGuard and usage in IBM Websphere 6.1

Erwin, Christy L Christy.L.Erwin at boeing.com
Tue Jan 7 20:10:17 UTC 2014


Hello Ragha,

I recently implemented CSRFGuard in an application using IBM WebSphere 8.0. There are some changes that need to be made to the code in order to get it to work with the WebSphere server. I found that the Installation Guide and other documentation on the OWASP site do not address this.

In particular, in the csrfguard.properties file, I had to change the org.owasp.csrfguard.PRNG property
From: org.owasp.csrfguard.PRNG =SHA1PRNG
To: org.owasp.csrfguard.PRNG=IBMSecureRandom 

And in the CsrfGuard.java file, defaults are hard-coded for the following two values, which have to be changed for WebSphere servers:
From: org.owasp.csrfguard.PRNG=SHA1PRNG
To: org.owasp.csrfguard.PRNG=IBMSecureRandom
---
From: org.owasp.csrfguard.PRNG.Provider=SUN 
To: org.owasp.csrfguard.PRNG.Provider=IBMJCE
---

Because of the change to the .java file, the code had to be recompiled. The OWASP CSRFGuard Install Guide shows how to list the CSRFGuardListener class in its example web.xml file. And the CSRFGuard.jar file on my company's application security web site contains this class file. But I was not able to find this java code anywhere. So instead, I used the CsrfGuardServletContextListener and CsrfGuardHttpSessionListener classes, and put them in my web.xml as follows:
    <listener>
       <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
    </listener>
    <listener>
       <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
    </listener>

I would think that it would be possible to put both properties in csrfguard.properties and forgo the recompile of the Java code, but I didn't try this myself. It would look like this:
org.owasp.csrfguard.PRNG=IBMSecureRandom
org.owasp.csrfguard.PRNG.Provider=IBMJCE

This is where info is on these properties for WebSphere:
http://files.jscape.com/secureftpserver/docs/index.html?running_under_ibm_jvm.htm

Since I only needed to protect a couple pages in the application I worked on, I found it much simpler to use the provided JSP Tag Library, csrfguard.tld, and insert tokens into specific links. For me, this was preferable to using the default JavaScript token injection, which for my application, which has many links and older and faulty JavaScript code, surfaced a lot of previously unseen JS errors.

Feel free to contact me if you have additional questions about CSRFGuard in WebSphere.

Christa Erwin 
Programmer/Analyst, Boeing Enterprise Supplier Tools (BEST) 
Mon-Thurs, 8:00 - 4:30 pm
Work: 425-234-5942
Cell: 206-427-1787 
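
As an added example (not code from this e-mail or from the CSRFGuard project), the following stand-alone Java class reproduces the lookup that the two properties above feed into, java.security.SecureRandom.getInstance(algorithm, provider), so the pair can be verified on the JVM that will actually run the application before anything is recompiled or deployed. The class name CsrfGuardPrngCheck and the check/parse helpers are assumptions made for this example; the property keys and the SHA1PRNG/SUN and IBMSecureRandom/IBMJCE values are the ones given in the message. On a JVM that does not ship the named provider, the lookup fails with NoSuchProviderException, which is the failure the IBM values are meant to avoid.

```java
// Added example (not CSRFGuard project code): checks, on the JVM that will
// run the application, whether the PRNG settings in csrfguard.properties
// can be resolved by java.security.SecureRandom. The properties text is
// constructed inline so the check runs without a real csrfguard.properties.
import java.io.IOException;
import java.io.StringReader;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Properties;

public class CsrfGuardPrngCheck {

    // Property keys exactly as they appear in csrfguard.properties.
    static final String PRNG_KEY = "org.owasp.csrfguard.PRNG";
    static final String PROVIDER_KEY = "org.owasp.csrfguard.PRNG.Provider";

    // Constructed samples: the hard-coded Sun defaults and the IBM values from the e-mail.
    static final String SUN_DEFAULTS =
            PRNG_KEY + "=SHA1PRNG\n" + PROVIDER_KEY + "=SUN\n";
    static final String IBM_VALUES =
            PRNG_KEY + "=IBMSecureRandom\n" + PROVIDER_KEY + "=IBMJCE\n";

    /** Parses a csrfguard.properties fragment (java.util.Properties syntax). */
    static Properties parse(String text) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(text));
        return props;
    }

    /**
     * Tries to obtain the SecureRandom that these properties select.
     * Returns a verdict string instead of throwing, so several candidate
     * property sets can be checked in one run.
     */
    static String check(Properties props) {
        String algorithm = props.getProperty(PRNG_KEY);
        String provider = props.getProperty(PROVIDER_KEY);
        if (algorithm == null || provider == null) {
            return "MISSING: both " + PRNG_KEY + " and " + PROVIDER_KEY + " must be set";
        }
        try {
            SecureRandom random = SecureRandom.getInstance(algorithm, provider);
            return "OK: " + algorithm + "/" + provider
                    + " resolved to provider " + random.getProvider().getName();
        } catch (NoSuchProviderException e) {
            return "FAIL: provider '" + provider + "' is not installed in this JVM";
        } catch (NoSuchAlgorithmException e) {
            return "FAIL: provider '" + provider + "' has no algorithm '" + algorithm + "'";
        }
    }

    /** Lists the providers the running JVM offers, to pick a pair that exists. */
    static String installedProviders() {
        StringBuilder sb = new StringBuilder();
        for (Provider p : Security.getProviders()) {
            sb.append(p.getName()).append(' ');
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) throws IOException {
        System.out.println("Installed providers: " + installedProviders());
        System.out.println("Sun defaults : " + check(parse(SUN_DEFAULTS)));
        System.out.println("IBM values   : " + check(parse(IBM_VALUES)));
    }
}
```

Run it with the same java binary WebSphere is configured to use (its JVM, not a developer workstation JDK): the installed-providers line tells you which provider names exist there, and the two verdict lines show which property pair CSRFGuard would be able to use on that server.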

-----Original Message-----
From: owasp-csrfguard-bounces at lists.owasp.org [mailto:owasp-csrfguard-bounces at lists.owasp.org] On Behalf Of owasp-csrfguard-request at lists.owasp.org
Sent: Thursday, December 26, 2013 4:00 AM
To: owasp-csrfguard at lists.owasp.org
Subject: Owasp-csrfguard Digest, Vol 40, Issue 1

Send Owasp-csrfguard mailing list submissions to
	owasp-csrfguard at lists.owasp.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
or, via email, send a message with subject or body 'help' to
	owasp-csrfguard-request at lists.owasp.org

You can reach the person managing the list at
	owasp-csrfguard-owner at lists.owasp.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Owasp-csrfguard digest..."


Today's Topics:

   1. Query on CSRFGuard and usage in IBM Websphere 6.1 (Raghu Vedu)
   2. Re: Query on CSRFGuard and usage in IBM Websphere 6.1
      (Azzeddine Ramrami)


----------------------------------------------------------------------

Message: 1
Date: 26 Dec 2013 04:58:27 -0000
From: "Raghu Vedu" <vedeshwar777 at rediffmail.com>
To: "owasp-csrfguard at lists.owasp.org"
	<owasp-csrfguard at lists.owasp.org>
Subject: [Owasp-csrfguard] Query on CSRFGuard and usage in IBM
	Websphere 6.1
Message-ID: <20131226045827.26979.qmail at f4mail-235-197.rediffmail.com>
Content-Type: text/plain; charset="utf-8"



Hi,
 
I am trying to use the source from https://github.com/esheri3/OWASP-CSRFGuard and my need is to use the library in web application using IBM Websphere 6.1 server.
 
I am seeing it is written for Maven, so please let me know if an IBM WebSphere-based project is also available.
 
I am a bit new to this, so please let me know the feasibility of using the CSRFGuard in IBM server.
 
Thanks
Ragha
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20131226/9a1ded72/attachment-0001.html>

------------------------------

Message: 2
Date: Thu, 26 Dec 2013 09:08:24 +0100
From: Azzeddine Ramrami <azzeddine.ramrami at owasp.org>
To: Raghu Vedu <vedeshwar777 at rediffmail.com>
Cc: "owasp-csrfguard at lists.owasp.org"
	<owasp-csrfguard at lists.owasp.org>
Subject: Re: [Owasp-csrfguard] Query on CSRFGuard and usage in IBM
	Websphere 6.1
Message-ID:
	<CAL4seLGp93CD61jEh8HTYxmBZiN3yqG871Jwf+xz9qO8G2Sz9A at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Dear Sir,
I am the Leader of this project.
You can use the CSRFGuard library with IBM WS as JavaEE filter.

OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery.  CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated.
CSRFGuard Provides code to generate unique request tokens to mitigate CSRF risks.

You can integrate the source code using your own method (if you don't use Maven).

The following link shows how to integrate CSRFGuard with your application:

https://www.owasp.org/index.php/CSRFGuard_3_Installation

If you have any questions, contact me.
Regards,
Azzeddine RAMRAMI



On Thu, Dec 26, 2013 at 5:58 AM, Raghu Vedu <vedeshwar777 at rediffmail.com> wrote:

>
>
>  Hi,
>
>
>
> I am trying to use the source from
> https://github.com/esheri3/OWASP-CSRFGuard and my need is to use the
> library in web application using IBM Websphere 6.1 server.
>
>
>
> I am seeing it is written for Maven, so please let me know if an IBM
> WebSphere-based project is also available.
>
>
>
> I am a bit new to this, so please let me know the feasibility of using
> the CSRFGuard in IBM server.
>
>
>
> Thanks
>
> Ragha
>
>
> <http://sigads.rediff.com/RealMedia/ads/click_nx.ads/www.rediffmail.co
> m/signatureline.htm at Middle?> Get your own *FREE* website, *FREE* 
> domain & *FREE* mobile app with Company email.
> *Know More 
> >*<http://track.rediff.com/click?url=___http://businessemail.rediff.co
> m/company-email-hosting-services?sc_cid=sign-1-10-13___&cmp=host&lnk=s
> ign-1-10-13&nsrv1=host> 
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>
>


--
Azzeddine RAMRAMI
+33 6 65 48 90 04.
Enterprise Security Architect
OWASP Leader (Morocco Chapter)
Mozilla Security Projects Mentor
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20131226/a1922fc9/attachment-0001.html>

------------------------------

_______________________________________________
Owasp-csrfguard mailing list
Owasp-csrfguard at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-csrfguard


End of Owasp-csrfguard Digest, Vol 40, Issue 1
**********************************************