问题
I am trying to incorporate the CSRFGuard library(< org.owasp csrfguard 3.1.0 >) in order to rectify some CSRF vulnerabilities in an application. However after configuring as specified here I am now getting the below message:
Here I would like to explain scenario when I am getting this message - For suppose my application landing page like this
And code snippet for this page(HelloWorld.jsp) is
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<%@ taglib uri="csrfguard.tld" prefix="csrf" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
<script>
function getParameterByName(name, url) {
if (!url) {
url = window.location.href;
}
name = name.replace(/[\[\]]/g, "\\$&");
var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
results = regex.exec(url);
if (!results) return null;
if (!results[2]) return '';
return decodeURIComponent(results[2].replace(/\+/g, " "));
}
function changePage(form){
var selectedIndex = form.selectedPage.selectedIndex;
var selectedValue = form.selectedPage.options[selectedIndex].value;
var csrftoken = getParameterByName("OWASP_CSRFTOKEN", form.action);
if (selectedValue == 'A') {
form.action = "A.html?OWASP_CSRFTOKEN="+csrftoken;
}
if (selectedValue == 'LA') {
form.action = "helloWorld.do?OWASP_CSRFTOKEN="+csrftoken;
}
form.submit();
};
</script>
</head>
<body>
<h3>Select request page from this dropdown</h3>
<form name="test" method="post" action="" id="LAP">
<select name="selectedPage" class="pageSelection" >
<option value="LA" selected>Landing Page</option>
<option value="A">A page</option>
</select>
<input type="button" name="adding" value="Go" onClick="changePage(this.form);"/>
<!--<input type="submit" name="adding" value="submit"/>-->
</form>
</body>
<script src="JavaScriptServlet"></script>
</html>And now I am trying to navigate to page A.html using dropdown selection of landing page. The page looks to be
Now here what I have notice is new token is not getting generate to action attribute of form tag of A.html page. The Same token(If we see OWASP_CSRFTOKEN=KJZ7-7YXP-DWN5-5NVX-5PB7-TNXG-YLAJ-D2XJ) whatever has on landing page is getting attach to action attribute of form tag of A.html page. The code snippet of A.html page is
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>A page</title>
<script>
function getParameterByName(name, url) {
if (!url) {
url = window.location.href;
}
name = name.replace(/[\[\]]/g, "\\$&");
var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
results = regex.exec(url);
if (!results) return null;
if (!results[2]) return '';
return decodeURIComponent(results[2].replace(/\+/g, " "));
}
function changePage(form){
var selectedIndex = form.selectedPage.selectedIndex;
var selectedValue = form.selectedPage.options[selectedIndex].value;
var csrftoken = getParameterByName("OWASP_CSRFTOKEN", form.action);
if (selectedValue == 'A') {
form.action = "A.html?OWASP_CSRFTOKEN="+csrftoken;
}
if (selectedValue == 'LA') {
form.action = "helloWorld.do?OWASP_CSRFTOKEN="+csrftoken;
}
form.submit();
};
</script>
</head>
<body>
<h1>A Page</h1>
<h3>Select request page from this dropdown</h3>
<form name="test" method="post" action="" id="LAP">
<select name="selectedPage" class="pageSelection" >
<option value="LA">Landing Page</option>
<option value="A" selected>A page</option>
</select>
<input type="button" name="adding" value="Go" onClick="changePage(this.form);"/>
</form>
</body>
<script src="JavaScriptServlet"></script>
</html>Now I am going to landing page from A.html page by using selection dropdown & again try to reach out A.html page by using dropdown selection of landing page then I am getting this error message on tomcat server console
"WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:, ip:0:0:0:0:0:0:0:1, method:POST, uri:/csrfguard-test-3.1.0-SNAPSHOT/A.html, error:request token does not match page token)"
Here I am unable to understand what I'm doing wrong here.
Please help me as its very important to implement in my actual application & please let me know if any additional information would make it easier to understand. Thanks in advance.
Few other configuration details I am adding as below. Its my web.xml file
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>OWASP CSRFGuard Test</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
<init-param>
<param-name>inject-into-attributes</param-name>
<param-value>true</param-value>
</init-param>
<!--<init-param>
<param-name>inject-into-forms</param-name>
<param-value>true</param-value>
</init-param>-->
<init-param>
<param-name>source-file</param-name>
<param-value>/script/csrfguard.js</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
<servlet>
<description></description>
<display-name>HelloServlet</display-name>
<servlet-name>HelloServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.test.HelloServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>HelloServlet</servlet-name>
<url-pattern>/HelloServlet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>action</servlet-name>
<servlet-class>
org.apache.struts.action.ActionServlet
</servlet-class>
<init-param>
<param-name>config</param-name>
<param-value>
/WEB-INF/struts-config.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
</web-app>And its my pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com</groupId>
<artifactId>csrfgaurdapp</artifactId>
<packaging>war</packaging>
<version>0.0.1-SNAPSHOT</version>
<name>csrfgaurdapp Maven Webapp</name>
<url>http://maven.apache.org</url>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.1</version>
</dependency>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>csrfguard</artifactId>
<version>3.1.0</version>
</dependency>
<dependency>
<groupId>org.apache.struts</groupId>
<artifactId>struts-core</artifactId>
<version>1.3.10</version>
</dependency>
<dependency>
<groupId>org.apache.struts</groupId>
<artifactId>struts-taglib</artifactId>
<version>1.3.10</version>
</dependency>
</dependencies>
<build>
<finalName>csrfgaurdapp</finalName>
</build>
</project>来源:https://stackoverflow.com/questions/42095851/csrfguard-request-token-does-not-match-page-token-how-can-generate-token-per