[Owasp-leaders] OWASP CSRF Guard Project Question

Eric Sheridan eric.sheridan at owasp.org
Wed Nov 14 19:45:46 UTC 2012


Do not use CSRFGuard to protect a web service. CSRFGuard manages state
in the HttpSession object which is usually not available in a strict web
services (sessionless) environment. I'd recommend evaluating a
web-service specific approach, possibly leveraging some CSRFGuard, for
your situation - perhaps adopting the design used to support Ajax where
the token is placed in the header and verified on the server. That way
you won't have to modify your endpoint API. Hope this helps.

Sincerely,
Eric Sheridan
(twitter) @eric_sheridan
(blog) http://ericsheridan.blogspot.com
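Eric's header-token suggestion worked through as an added example, not code from this thread or from CSRFGuard itself: a servlet filter for the service endpoints that checks an HMAC-signed token carried in a custom request header, so no HttpSession is needed. The class name, header name, token layout and the `hmacKey` init-param are all assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;
// Assumed stateless header-token filter for web-service endpoints (not CSRFGuard code).
// Token layout (assumed): "<expiryMillis>.<base64url(HMAC-SHA256(key, expiryMillis))>".
public class ServiceTokenFilter implements Filter {
    static final String HEADER = "X-Service-CSRF-Token";   // assumed header name
    private byte[] key;
    @Override public void init(FilterConfig cfg) {
        // HMAC key comes from a filter init-param in web.xml ("hmacKey" is a placeholder).
        key = cfg.getInitParameter("hmacKey").getBytes(StandardCharsets.UTF_8);
    }
    @Override public void destroy() {}
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!isValid(((HttpServletRequest) req).getHeader(HEADER), System.currentTimeMillis())) {
            // A plain 403 keeps the failure machine-readable for a SOAP consumer,
            // rather than the text/html landing page the thread describes.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);   // server-issued token in a custom header: let it through
    }
    /** Issues a token the consumer echoes back in the header; no HttpSession involved. */
    public String issue(long expiryMillis) {
        String exp = Long.toString(expiryMillis);
        return exp + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(exp));
    }
    boolean isValid(String token, long now) {
        int dot = token == null ? -1 : token.indexOf('.');
        if (dot < 0) return false;
        String exp = token.substring(0, dot);
        try {   // expiry check, then a constant-time comparison of the MAC
            byte[] presented = Base64.getUrlDecoder().decode(token.substring(dot + 1));
            return Long.parseLong(exp) >= now && MessageDigest.isEqual(presented, hmac(exp));
        } catch (IllegalArgumentException e) { return false; }
    }
    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

Map the filter to the service endpoint paths in web.xml and have the consumer send the value returned by issue() in the header; a cross-site form post cannot add a custom header, which is what the check relies on.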

On 11/14/12 1:07 PM, Jason Li wrote:
> Shanmugaraja,
> 
> Eric Sheridan (CSRF Guard project leader) can speak more authoritatively
> about his project.
> 
> For your question regarding web apps and services in the same
> deployment, my understanding is that you should be able to add the
> service endpoints to the list of unprotected URLs so that the services
> are NOT protected/affected by the CSRF filter.
> 
> If the token is correctly provided, CSRF Guard should retain any content
> type header originally set.
> 
> As I mentioned, the project is intended for web sites. That does not
> mean it won't work for web services - but there is no built-in way to
> provide this token to web service consumers. You would have to build a
> way to provide this token.
> 
> You should also consider the design and functionality of your web
> services to determine whether or not you need a CSRF defense for them.
> 
> -Jason
> 
> On Nov 14, 2012, at 10:54 AM, Shanmugaraja Chellappen - QI-C
> <shanmugaraja.chellappen at gsa.gov
> <mailto:shanmugaraja.chellappen at gsa.gov>> wrote:
> 
>> Hello Jason
>>
>> Thanks a lot for your response.  From your response it is clear that
>> "*The project is meant to protect websites, not web services*".  In
>> that case, is it not possible to have the CSRF Guard filter for a web
>> application which also has web services? (I mean one single web.xml
>> has entries for web services in addition to normal web application pages).
>>
>> In our case there is no token coming as part of the SOAP over HTTPS
>> request and the request is coming from the web services consumer.  We
>> have added the endpoint URI of the web services as part of the
>> protected list because there was no way we could get the token from
>> the client application as it was not available for the client.
>>
>> We are not receiving the correct response; instead we are receiving the
>> txt/html response which is below.
>>
>>
>> <html>
>>    <head>
>>       <title>OWASP CSRFGuard Project - New Token Landing Page</title>
>>    </head>
>>    <body>
>>       <script type="text/javascript">var form =
>> document.createElement("form");
>> form.setAttribute("method", "post");
>> form.setAttribute("action", "<Removed>");
>> var hiddenField = document.createElement("input");
>> hiddenField.setAttribute("type", "hidden");
>> hiddenField.setAttribute("name", "guardValue");
>> hiddenField.setAttribute("value",
>> "3IZB-DOZ8-LXRB-QEPL-5DWU-F94V-LTHE-66E4");
>> form.appendChild(hiddenField);
>> document.body.appendChild(form);
>> form.submit();</script>
>>    </body>
>> </html>
>>
>> We would like to know how to provide the token to the Web services
>> consumer. If the consumer provides the token along with the web
>> services request, will the CSRF filter provide a proper
>> response (txt/xml)?
>>
>> Or are there any other solutions available? Your response is
>> highly appreciated. If you need any more information, please let me know.
>>
>> Thanks and Regards
>> Shanmugaraja Chellappen
>>
>> On Wed, Nov 14, 2012 at 9:53 AM, Jason Li <jason.li at owasp.org
>> <mailto:jason.li at owasp.org>> wrote:
>>
>>     The issue is not clear from the description of his issue. There
>>     could be many reasons it's not working for him. The project is
>>     meant to protect websites, not web services - as a result, the
>>     primary tools provided by CSRF Guard to include a CSRF token are
>>     geared towards websites. 
>>
>>     It's not clear from the question if the person is receiving a
>>     correct service response but simply with a modified content type
>>     header, or if the response he is receiving is due to an error or
>>     landing page created by CSRF Guard. If the service request is not
>>     properly including the CSRF token, the resulting error page will
>>     come back as a text/html response. Another possibility is that
>>     there is a feature to create a landing page for requests without a
>>     CSRF token. That page is not enabled by default, but it most
>>     certainly results in a text/html response.
>>
>>     -Jason
>>
>>     On Wed, Nov 14, 2012 at 9:03 AM, Samantha Groves
>>     <samantha.groves at owasp.org <mailto:samantha.groves at owasp.org>> wrote:
>>
>>         Hello Leaders,
>>
>>         I am hoping you can offer some assistance to Mr. Shanmugaraja.
>>         He has a question regarding the OWASP CSRF Guard Project.
>>         Please refer to the message below:
>>
>>         ----------------
>>         We have a web application in which we are implementing OWASP
>>         CSRF Guard Project. In the same application we have SOAP based
>>         web services. We have the URL of the Web Service Endpoint in
>>         the unprotected list. When the end point is accessed by the
>>         consumer the response is txt/html instead of txt/xml. How
>>         could we handle this? Your response is highly appreciated.
>>         ----------------
>>
>>         Thank you for your assistance with this query, Leaders.
>>
>>
>>         -- 
>>
>>         *Samantha Groves, MBA*
>>
>>         /OWASP Project Manager/
>>
>>         The OWASP Foundation
>>
>>         London, United Kingdom
>>
>>         Email: samantha.groves at owasp.org
>>         <mailto:samantha.groves at owasp.org>
>>
>>         Skype: samanthahz 
>>
>>
>>         Book a Meeting with Me <http://goo.gl/mZXdZ>
>>
>>         OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>>
>>         New Project Application Form
>>         <https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dHZfWGhHZ0Z4UFFwZU42djBXcVVLSlE6MQ#gid=0>