CSRFGuard - request token does not match session token

Question

I am trying to incorporate the CSRFGuard library in order to rectify some CSRF vulnerabilties in an application. However after configuring as specified here I am now getting the below messages in the log, when I navigate the application:

WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:169.xx.x.xxx, uri:/myapp/MyAction, error:request token does not match session token)

Through including the:

<script src="/sui/JavaScriptServlet"></script>

On my main.jsp page the links have all been built incorporating the CSRFGuard token, e.g.

......./myapp/MyAction?CSRFTOKEN=BNY8-3H84-6SRR-RJXM-KMCH-KLLD-1W45-M18N

So I am unable to understand what I'm doing wrong that could cause the links to pass a token other than the expected value.

Please let me know if any additional information would make it easier to understand.

Answer 1

In case anyone stumbles across a similar issue:

Turned out that accessing the app using IE wasn't passing a token to an AJAX call, this would in turn result in the tokens being refreshed but the links in the already rendered page remained, causing the mismatch when clicked.

Found out the issue by building CSRFGuard myself from source and adding extra logging.

Answer 2

The primefaces commandlink and commandbutton seem to cause the csrfguard javascript to malfunction, if you have use these two component with ajax set to true (which is the default), it can prevent the token being injected after the ajax call

Answer 3

One of the possible fixes is to change the following 2 lines in Owasp.CsrfGuard.js file.

Change

 function injectTokenForm(form, tokenName, tokenValue, pageTokens) {
    var action = form.attribute("action");

To

 function injectTokenForm(form, tokenName, tokenValue, pageTokens) {
    var action = form.attributes["action"].value;

AND

Change

 function injectTokenAttribute(element, attr, tokenName, tokenValue, pageTokens) {

    location = element.getAttribute(attr);

To

 function injectTokenAttribute(element, attr, tokenName, tokenValue, pageTokens) {
    var location = null;
    if (attr == "action") {
        location = element.attributes[attr].value;

    } else {
        location = element.getAttribute(attr);
    }