[Owasp-csrfguard] CSRFGuard treats non-ajax request as ajax request

Veeraswami Ramineni (veramine) veramine at cisco.com
Thu Mar 19 10:05:34 UTC 2015


Hi,

Issue:
CSRFGuard treats a non-AJAX request as an AJAX request when the "X-Requested-With" header is present in the request.

https://github.com/aramrami/OWASP-CSRFGuard/issues/1
We are also facing same issue in a different scenario.

Scenario:
In recent Chrome versions, the "X-Requested-With" header is added to requests sent from Flash/Flex related code.
CSRFGuard misidentifies this as an AJAX request and treats the request as invalid, as the security token is not present in the header.

Setup:
CSRFGuard 3.0.0.503
Java based web application.

Is there any workaround available for the above-mentioned issue?
Please let me know your suggestions.

Thanks in advance.
-Veera
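The failure described in the post comes from using the mere presence of X-Requested-With as the "this is AJAX" signal and then looking for the token only in the header. The following is an added illustration, not CSRFGuard's own code: it models that heuristic on a constructed Flash-style POST (Chrome's X-Requested-With value, the token name OWASP_CSRFTOKEN and the session token are all assumed) and contrasts it with a check that accepts the token from either the header or the form body, so the extra header no longer causes a valid request to be rejected.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

/**
 * Added example (not CSRFGuard code, Java 11+, no servlet dependency).
 * Shows why "X-Requested-With present => AJAX => token must be in a header"
 * rejects a legitimate Flash/Flex form POST, and a location-agnostic check
 * that does not.
 */
public class CsrfTokenCheckDemo {

    // Assumed token name and a constructed per-session token value.
    static final String TOKEN_NAME = "OWASP_CSRFTOKEN";
    static final String SESSION_TOKEN = "constructed-session-token-0123456789";

    /** Minimal request model: header names are stored lower-cased. */
    static final class Request {
        final Map<String, String> headers;
        final Map<String, String> params;
        Request(Map<String, String> headers, Map<String, String> params) {
            this.headers = headers;
            this.params = params;
        }
    }

    /** The heuristic from the report: header presence alone means "AJAX". */
    static boolean looksLikeAjax(Request r) {
        return r.headers.containsKey("x-requested-with");
    }

    /** Fragile: an "AJAX" request is only ever checked for a header token. */
    static boolean fragileValidate(Request r) {
        String token = looksLikeAjax(r)
                ? r.headers.get(TOKEN_NAME.toLowerCase())
                : r.params.get(TOKEN_NAME);
        return token != null && constantTimeEquals(token, SESSION_TOKEN);
    }

    /** Robust: accept the token from the header or the form body, whichever carries it. */
    static boolean robustValidate(Request r) {
        String token = r.headers.get(TOKEN_NAME.toLowerCase());
        if (token == null) {
            token = r.params.get(TOKEN_NAME);
        }
        return token != null && constantTimeEquals(token, SESSION_TOKEN);
    }

    /** Compare tokens without leaking the mismatch position through timing. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(
                a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed Flash/Flex POST: browser adds X-Requested-With, token is in the body.
        Request flashPost = new Request(
                Map.of("x-requested-with", "ShockwaveFlash/constructed-version"),
                Map.of(TOKEN_NAME, SESSION_TOKEN));

        // Constructed XHR: token sent in the header, as AJAX clients usually do.
        Request xhr = new Request(
                Map.of("x-requested-with", "XMLHttpRequest",
                       TOKEN_NAME.toLowerCase(), SESSION_TOKEN),
                Map.of());

        // Constructed forged request: no token anywhere, must fail under both checks.
        Request forged = new Request(
                Map.of("x-requested-with", "XMLHttpRequest"),
                Map.of());

        System.out.println("flash  fragile=" + fragileValidate(flashPost)
                + " robust=" + robustValidate(flashPost)); // fragile=false robust=true
        System.out.println("xhr    fragile=" + fragileValidate(xhr)
                + " robust=" + robustValidate(xhr));       // both true
        System.out.println("forged fragile=" + fragileValidate(forged)
                + " robust=" + robustValidate(forged));    // both false
    }
}
```

The robust variant keeps the security property that matters (a request without the secret token is still rejected) while dropping the assumption that X-Requested-With identifies the client type; the header is only a hint about which transport was used, not evidence about where a client can place its token.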
