[Owasp-csrfguard] Getting csrfguard 3.1 to work with struts 1.1 fowards, has anyone gotten it to work?
Mon Aug 10 20:48:33 UTC 2015
I did some searching of all the archives for struts before posting; I will search for "forward" next.
We are trying to add csrfguard 3.1 to a very large, legacy (spaghetti) web app (actually many, but focusing on one for now).
We are using struts 1.1, weblogic 12.1.3, etc.
I'm able to get the happy path for a fairly complex CRUD flow with a combo of unprotected URLs, as well as turning off the token-per-page and token-rotate properties, which is, in essence, just another session token, OWASP_CSRFTOKEN, which is similar to JSESSIONID and the struts token and can be forged in a similar manner. We need a per-page token or rotating token to
After some careful analysis of (what looks like) the latest and greatest source, https://github.com/aramrami/OWASP-CSRFGuard
The problem is with the struts forward, and the flow is as follows:
1. openIwin("createSomeEntityForward.do?<csrf:token uri="createSomeEntityForward.do"/>", "Create Organization");
2. The CSRFGuard filter (using token per page) validates/allows the 1st request URI, createSomeEntityForward.
3. But when the filter intercepts the 2nd, forwarded path "/WEB-INF/jsp/.../createEntity.jsp", the token in the request is not found in the csrfguard URI/token map, so it checks against the session token, which fails.
4. I also tried turning off token per page and turning on token rotate; the session token got updated, but the original request has the now-stale token.
5. If there were some other normal (non-CSRF) validation, like a missing field, it would be forwarded to yet another page, which would also break.
Re-writing the webapp is not an option at this time, nor is upgrading to a more modern version of struts.
2. When the csrfguard filter now picks up the inbound request, it validates each request, regardless of whether it is a forward.
1. Somehow get a handle to the original request, the .do request, then change the CSRFGuard.verifyPageToken() method to check the URI/token map for both the forwarded URI (.jsp) OR the original URI (.do) for a match.
We are open to other ideas as well.
Here's a snippet of struts-config.xml (names fudged a bit):
<action path="/createSomeEntityForward" input="/WEB-INF/jsp/.../index.jsp" scope="request" type="com.........portal.action.SecurityForwardAction" validate="false">
    <forward name="failure" path="/WEB-INF/jsp/.../index.jsp"/>
    <forward name="success" path="/WEB-INF/jsp/...createEntity.jsp"/>
</action>
These are some of the relevant session attributes
Thanks in advance for your time
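As an added illustration of idea 1 above (a filter that accepts the page token of either the forwarded .jsp URI or the original .do URI), here is a self-contained servlet filter. It is example code written for this note, not CSRFGuard's own verifyPageToken() or any part of the project; it assumes a hypothetical session attribute (example.pageTokens) holding a Map of URI to token in place of CSRFGuard's internal map, and that the token arrives in the OWASP_CSRFTOKEN request parameter. The one container fact it relies on is real: on RequestDispatcher.forward(), Servlet 2.4+ containers (including WebLogic 12.1.3) expose the original request URI in the javax.servlet.forward.request_uri attribute, and the original request's parameters remain readable from the forwarded request.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example per-page CSRF token check that tolerates Struts forwards.
 * Not CSRFGuard code. Assumptions: the per-page token map is stored in the
 * session under PAGE_TOKENS_ATTR as Map<String, String> (uri -> token), keyed
 * by the same URI form that HttpServletRequest.getRequestURI() returns
 * (i.e. including the context path), and the token is sent as TOKEN_PARAM.
 */
public class ForwardAwareCsrfFilter implements Filter {

    static final String PAGE_TOKENS_ATTR = "example.pageTokens"; // hypothetical attribute name
    static final String TOKEN_PARAM = "OWASP_CSRFTOKEN";         // token name used on the page
    /** Standard attribute set by the container on RequestDispatcher.forward() (Servlet 2.4+). */
    static final String FORWARD_URI_ATTR = "javax.servlet.forward.request_uri";

    public void init(FilterConfig cfg) throws ServletException {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // On a forward the original .do request's query parameters are still visible here.
        String presented = request.getParameter(TOKEN_PARAM);
        if (presented == null || !verifyPageToken(request, presented)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
            return;
        }
        chain.doFilter(req, res);
    }

    /** URIs to look up: the current one and, when this is a forward, the original request URI. */
    static List<String> candidateUris(HttpServletRequest request) {
        List<String> uris = new ArrayList<String>();
        uris.add(request.getRequestURI());              // e.g. /ctx/WEB-INF/jsp/.../createEntity.jsp
        Object original = request.getAttribute(FORWARD_URI_ATTR); // e.g. /ctx/createSomeEntityForward.do
        if (original instanceof String && !uris.contains(original)) {
            uris.add((String) original);
        }
        return uris;
    }

    /** Accepts the presented token if it equals the page token of any candidate URI. */
    @SuppressWarnings("unchecked")
    static boolean verifyPageToken(HttpServletRequest request, String presented) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false; // no session, so no tokens were ever issued for this client
        }
        Map<String, String> pageTokens = (Map<String, String>) session.getAttribute(PAGE_TOKENS_ATTR);
        if (pageTokens == null) {
            return false;
        }
        for (String uri : candidateUris(request)) {
            String expected = pageTokens.get(uri);
            if (expected != null && constantTimeEquals(expected, presented)) {
                return true;
            }
        }
        return false;
    }

    /** Length-independent comparison so the token check does not leak timing information. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Two things worth checking before changing any validation logic: the container only invokes a filter on a forward at all if its filter-mapping in web.xml lists a <dispatcher>FORWARD</dispatcher> element (the default is REQUEST only), so if the goal is to validate the inbound .do request once and leave the internal forward alone, removing FORWARD from the csrfguard filter mapping may be enough; and if the filter must run on forwards, the javax.servlet.forward.request_uri attribute above is only set for forwards, so a direct request to the .jsp path (which /WEB-INF/ already makes unreachable from the browser) gets no second candidate URI.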