<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>Hi Ray, Glad that helped!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>I’m no expert in CSRFGuard (only started trying it out myself recently as a POC), but when I faced a similar issue I decided that I didn’t really care about protecting images, so what I did was use the:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:13.5pt'><i><span style='font-size:9.0pt;font-family:Consolas;color:#999988'># Case 2: longest path prefix match, <u>beginning / and ending /*</u></span></i><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>So in the example you provided, that would be:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><strong>“/img/*”</strong><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>This 
unprotects all files within the img directory. Another option would be for:<o:p></o:p></span></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:13.5pt'><i><span style='font-size:9.0pt;font-family:Consolas;color:#999988'># Case 3: extension match, <u>beginning *</u>.</span></i><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>“*.gif” for each img extension type, perhaps useful if you have images in many different locations – though your example suggests otherwise.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>As for leaving the login page unprotected, I don’t think that is a problem (again, I’m no expert though...). A CSRF attack against a login page would only be able to potentially log a user into the application if valid parameters are supplied in the malicious request, and valid users need to be able to access the site via the login screen and they won’t have a token when they first visit - though I’m not familiar with the NewTokenLandingPage, which could be the alternative solution for all I know :)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>Good luck!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>Tom<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p>
<p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> ray@allthisisthat.com [mailto:ray@allthisisthat.com] <br><b>Sent:</b> 16 July 2013 23:30<br><b>To:</b> Tom Barber<br><b>Cc:</b> Clough_Ray_allthisisthat; owasp-csrfguard@lists.owasp.org<br><b>Subject:</b> RE: [Owasp-csrfguard] can't get it to work<o:p></o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
<p>You Rule! It does indeed work, but now all my requests for images, CSS, etc. all fail with missing token messages. I tried adding the config property org.owasp.csrfguard.Ajax=true, but this makes no difference. I still get a ton of messages like: <strong>Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:&lt;anonymous&gt;, ip:127.0.0.1, uri:/drbms/img/sort_down.gif, error:required token is missing from the request)</strong>. What am I missing now? Any ideas?<o:p></o:p></p>
<p>Also, I am now leaving the login page unprotected, which can't be a very good idea. Is there a better method using the NewTokenLandingPage? I still have that config setting, but it never goes there. Should the NewTokenLandingPage redirect to the login page, or what does it do? There isn't much discussion of this in the documentation, AFAIK.<o:p></o:p></p>
<p>Thanks very much for the help so far - there was some danger of me going berserk, which is now receding into the distance.<o:p></o:p></p>
<p>- Ray Clough<o:p></o:p></p>
<p> <o:p></o:p></p>
<p><br>---------------------------- Original Message ----------------------------<br>Subject: RE: [Owasp-csrfguard] can't get it to work<br>From: "Tom Barber" <br>Date: Tue, July 16, 2013 2:30 pm<br>To: <a href="mailto:ray@allthisisthat.com">ray@allthisisthat.com</a><br><a href="mailto:owasp-csrfguard@lists.owasp.org">owasp-csrfguard@lists.owasp.org</a><br>--------------------------------------------------------------------------<br><br><o:p></o:p></p>
<div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>Hi Ray,</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'> </span><o:p></o:p></p>
<p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>I’m not certain this is the case, but I believe I know the problem. If you look at the comments above the unprotected section of the property files the options it gives you are:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:13.5pt'><i><span style='font-size:9.0pt;font-family:Consolas;color:#999988'># Case 1: exact match between request uri and unprotected page</span></i><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:13.5pt'><i><span style='font-size:9.0pt;font-family:Consolas;color:#999988'># Case 2: longest path prefix match, <u>beginning / and ending /*</u></span></i><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:13.5pt'><i><span style='font-size:9.0pt;font-family:Consolas;color:#999988'># Case 3: extension match, <u>beginning *</u>.</span></i><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:13.5pt'><i><span style='font-size:9.0pt;font-family:Consolas;color:#999988'># Default: requested resource must be validated by CSRFGuard</span></i><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>In your case you seem to have 
used a wildcard in an unsupported manner (“/login*”). Perhaps you could specify the exact URI </span><strong>“drbms/login.seam”</strong><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><strong> </strong><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>Let me know if you have any luck.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>Thanks</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>Tom</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><a href="mailto:owasp-csrfguard-bounces@lists.owasp.org"><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>owasp-csrfguard-bounces@lists.owasp.org</span></a><span 
lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> [</span><a href="mailto:owasp-csrfguard-bounces@lists.owasp.org"><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>mailto:owasp-csrfguard-bounces@lists.owasp.org</span></a><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>] <b>On Behalf Of </b></span><a href="mailto:ray@allthisisthat.com"><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>ray@allthisisthat.com</span></a><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><br><b>Sent:</b> 16 July 2013 21:44<br><b>To:</b> </span><a href="mailto:owasp-csrfguard@lists.owasp.org"><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>owasp-csrfguard@lists.owasp.org</span></a><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><br><b>Subject:</b> [Owasp-csrfguard] can't get it to work</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
<p>I am unable to get the CsrfGuard filter to work. Regardless of the properties I set, the app tries to go to the login page, and I get this log message:<o:p></o:p></p>
<p><strong>[Tue Jul 16 13:08:38 PDT 2013] [Error] Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:&lt;anonymous&gt;, ip:127.0.0.1, uri:/drbms/login.seam, error:required token is missing from the request)</strong><o:p></o:p></p>
<p>Obviously I am doing something wrong. Here is my configuration file:<o:p></o:p></p>
<p>org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger<br>org.owasp.csrfguard.UseNewTokenLandingPage=true<br>org.owasp.csrfguard.NewTokenLandingPage=/NewTokenLandingPage.html<br>org.owasp.csrfguard.TokenPerPage=true<br>org.owasp.csrfguard.TokenPerPagePrecreate=false<br>org.owasp.csrfguard.Ajax=false<br>org.owasp.csrfguard.unprotected.Index=/login*<br>org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log<br>org.owasp.csrfguard.action.Log.Message=Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)<br>org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN<br>org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN<br>org.owasp.csrfguard.TokenLength=32<br>org.owasp.csrfguard.PRNG=SHA1PRNG<o:p></o:p></p>
<p>When the server starts, I see the config properties output to the console, so I know the config file is being read correctly.<o:p></o:p></p>
<p>I have tried various combinations of using a NewTokenLandingPage with the login page protected, and un-protecting the login page but not using a New Token Landing Page. Also, I have seen no info on what the New Token Landing Page needs to do - if I can ever get it to appear, my guess is that it needs to redirect to the login page. Is that correct? Also, all the examples use JSP, not Facelets. Are there any issues with this difference? I built the project from source using the latest code.<o:p></o:p></p>
<p>Any help you could offer would be greatly appreciated.<o:p></o:p></p>
<p> <o:p></o:p></p>
<p>Thank you,<o:p></o:p></p>
<p>Ray Clough<o:p></o:p></p>
<p> <o:p></o:p></p></div></div><p> <o:p></o:p></p></div></body></html>
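The three unprotected-page rules Tom quotes from the properties file (exact match, longest "/.../*" prefix match, "*.ext" extension match, otherwise the resource is validated) can be checked against the URIs in Ray's log lines. The following is an added example written for this page, not CSRFGuard's own code; it assumes each pattern is compared against the full request URI as logged, so the /drbms context path has been written into Tom's suggested entries by hand, a point the thread itself does not settle.

```python
# Added illustration of the unprotected-page rules quoted in the thread; this
# is not CSRFGuard's own code. Assumption: a pattern is compared against the
# full request URI as it appears in the log (context path /drbms included).

def match_kind(pattern, uri):
    """Return the rule under which `pattern` covers `uri`, or None."""
    # Case 1: exact match between request uri and unprotected page
    if pattern == uri:
        return "exact"
    # Case 2: longest path prefix match, beginning / and ending /*
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-1]  # "/drbms/img/*" -> "/drbms/img/"
        return "prefix" if uri.startswith(prefix) else None
    # Case 3: extension match, beginning *.
    if pattern.startswith("*."):
        return "extension" if uri.endswith(pattern[1:]) else None
    # Anything else ("/login*") is not a wildcard form the rules describe,
    # so it could only ever match literally, and that was tested above.
    return None

def best_match(uri, patterns):
    """Most specific covering pattern: exact beats the longest prefix, which
    beats an extension pattern. None means the Default rule applies."""
    rank = {"exact": 2, "prefix": 1, "extension": 0}
    best = None
    for pattern in patterns:
        kind = match_kind(pattern, uri)
        if kind is None:
            continue
        key = (rank[kind], len(pattern) if kind == "prefix" else 0)
        if best is None or key > best[0]:
            best = (key, pattern)
    return None if best is None else best[1]

def requires_token(uri, unprotected):
    """Default: the requested resource must be validated by CSRFGuard."""
    return best_match(uri, unprotected) is None

# Constructed from the thread: Ray's original entry, and Tom's suggestions
# with the /drbms context path written in explicitly (an assumption).
RAY_UNPROTECTED = ["/login*"]
TOM_UNPROTECTED = ["/drbms/login.seam", "/drbms/img/*", "*.gif"]

if __name__ == "__main__":
    for uri in ("/drbms/login.seam", "/drbms/img/sort_down.gif", "/drbms/home.seam"):
        print(f"{uri}: token required with /login* -> {requires_token(uri, RAY_UNPROTECTED)},"
              f" with Tom's list -> {requires_token(uri, TOM_UNPROTECTED)}")
```

Running it shows why "/login*" never matched anything, and that a bare "/img/*" only covers /drbms/img/sort_down.gif if the context path is part of the pattern or is prepended for you.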