CSRFGuard - request token does not match page token & How can generate token per session

情到浓时终转凉″ 提交于 2020-01-07 06:48:20

问题


I am trying to incorporate the CSRFGuard library(< org.owasp csrfguard 3.1.0 >) in order to rectify some CSRF vulnerabilities in an application. However after configuring as specified here I am now getting the below message:

Here I would like to explain scenario when I am getting this message - For suppose my application landing page like this

And code snippet for this page(HelloWorld.jsp) is

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
	pageEncoding="ISO-8859-1"%>
<%@ taglib uri="csrfguard.tld" prefix="csrf" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
<script>
function getParameterByName(name, url) {
    if (!url) {
      url = window.location.href;
    }
    name = name.replace(/[\[\]]/g, "\\$&");
    var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
        results = regex.exec(url);
    if (!results) return null;
    if (!results[2]) return '';
    return decodeURIComponent(results[2].replace(/\+/g, " "));
}
function changePage(form){
	var selectedIndex = form.selectedPage.selectedIndex;
    	var selectedValue = form.selectedPage.options[selectedIndex].value;
		var csrftoken = getParameterByName("OWASP_CSRFTOKEN", form.action);
		if (selectedValue == 'A') {
			form.action = "A.html?OWASP_CSRFTOKEN="+csrftoken;
		}
		if (selectedValue == 'LA') {
			form.action = "helloWorld.do?OWASP_CSRFTOKEN="+csrftoken;
		}
	 form.submit();
};
</script>
</head>
<body>
	<h3>Select request page from this dropdown</h3>
	<form name="test" method="post" action="" id="LAP">
		<select name="selectedPage" class="pageSelection" >
		        <option  value="LA" selected>Landing Page</option>
       			<option  value="A">A page</option>
		</select>
		<input type="button" name="adding" value="Go" onClick="changePage(this.form);"/>
		<!--<input type="submit" name="adding" value="submit"/>-->
	</form>
	
</body>
<script src="JavaScriptServlet"></script>
</html>

And now I am trying to navigate to page A.html using dropdown selection of landing page. The page looks to be

Now here what I have notice is new token is not getting generate to action attribute of form tag of A.html page. The Same token(If we see OWASP_CSRFTOKEN=KJZ7-7YXP-DWN5-5NVX-5PB7-TNXG-YLAJ-D2XJ) whatever has on landing page is getting attach to action attribute of form tag of A.html page. The code snippet of A.html page is

<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>A page</title>
<script>
function getParameterByName(name, url) {
    if (!url) {
      url = window.location.href;
    }
    name = name.replace(/[\[\]]/g, "\\$&");
    var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
        results = regex.exec(url);
    if (!results) return null;
    if (!results[2]) return '';
    return decodeURIComponent(results[2].replace(/\+/g, " "));
}
function changePage(form){
	var selectedIndex = form.selectedPage.selectedIndex;
    	var selectedValue = form.selectedPage.options[selectedIndex].value;
		var csrftoken = getParameterByName("OWASP_CSRFTOKEN", form.action);
		if (selectedValue == 'A') {
			form.action = "A.html?OWASP_CSRFTOKEN="+csrftoken;
		}
		if (selectedValue == 'LA') {
			form.action = "helloWorld.do?OWASP_CSRFTOKEN="+csrftoken;
		}
	 form.submit();
};
</script>
</head>
<body>
 <h1>A Page</h1>
	<h3>Select request page from this dropdown</h3>
	<form name="test" method="post" action="" id="LAP">
		<select name="selectedPage" class="pageSelection" >
		        <option  value="LA">Landing Page</option>
       			<option  value="A" selected>A page</option>
		</select>
		<input type="button" name="adding" value="Go" onClick="changePage(this.form);"/>
		
	</form>

</body>
<script src="JavaScriptServlet"></script>
</html>

Now I am going to landing page from A.html page by using selection dropdown & again try to reach out A.html page by using dropdown selection of landing page then I am getting this error message on tomcat server console

"WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:, ip:0:0:0:0:0:0:0:1, method:POST, uri:/csrfguard-test-3.1.0-SNAPSHOT/A.html, error:request token does not match page token)"

Here I am unable to understand what I'm doing wrong here.

Please help me as its very important to implement in my actual application & please let me know if any additional information would make it easier to understand. Thanks in advance.

Few other configuration details I am adding as below. Its my web.xml file

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
	<display-name>OWASP CSRFGuard Test</display-name>
	
	<welcome-file-list>
		<welcome-file>index.html</welcome-file>
		<welcome-file>index.htm</welcome-file>
		<welcome-file>index.jsp</welcome-file>
		<welcome-file>default.html</welcome-file>
		<welcome-file>default.htm</welcome-file>
		<welcome-file>default.jsp</welcome-file>
	</welcome-file-list>
	
	<listener>
		<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
	</listener>
	<listener>
		<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
	</listener>
	
	<filter>
		<filter-name>CSRFGuard</filter-name>
		<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
	</filter>
	
	<filter-mapping>
		<filter-name>CSRFGuard</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<servlet>
		<servlet-name>JavaScriptServlet</servlet-name>
		<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
		<init-param>
			<param-name>inject-into-attributes</param-name>
			<param-value>true</param-value>
		</init-param>
		<!--<init-param>
			<param-name>inject-into-forms</param-name>
			<param-value>true</param-value>
		</init-param>-->
		<init-param>
			<param-name>source-file</param-name>
			<param-value>/script/csrfguard.js</param-value>
		</init-param>
	</servlet>

	<servlet-mapping>
		<servlet-name>JavaScriptServlet</servlet-name>
		<url-pattern>/JavaScriptServlet</url-pattern>
	</servlet-mapping>

	<servlet>
		<description></description>
		<display-name>HelloServlet</display-name>
		<servlet-name>HelloServlet</servlet-name>
		<servlet-class>org.owasp.csrfguard.test.HelloServlet</servlet-class>
	</servlet>
	
	<servlet-mapping>
		<servlet-name>HelloServlet</servlet-name>
		<url-pattern>/HelloServlet</url-pattern>
	</servlet-mapping>
	
	<servlet>
		<servlet-name>action</servlet-name>
		<servlet-class>
			org.apache.struts.action.ActionServlet
		</servlet-class>
		<init-param>
			<param-name>config</param-name>
			<param-value>
				/WEB-INF/struts-config.xml
			</param-value>
		</init-param>
		<load-on-startup>1</load-on-startup>
	</servlet>
	
	<servlet-mapping>
		<servlet-name>action</servlet-name>
		<url-pattern>*.do</url-pattern>
	</servlet-mapping>
</web-app>

And its my pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<groupId>com</groupId>
	<artifactId>csrfgaurdapp</artifactId>
	<packaging>war</packaging>
	<version>0.0.1-SNAPSHOT</version>
	<name>csrfgaurdapp Maven Webapp</name>
	<url>http://maven.apache.org</url>
	<dependencies>
		<dependency>
			<groupId>junit</groupId>
			<artifactId>junit</artifactId>
			<version>3.8.1</version>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>javax.servlet</groupId>
			<artifactId>servlet-api</artifactId>
			<version>2.5</version>
		</dependency>
		<dependency>
			<groupId>javax.servlet.jsp</groupId>
			<artifactId>jsp-api</artifactId>
			<version>2.1</version>
		</dependency>
		<dependency>
			<groupId>org.owasp</groupId>
			<artifactId>csrfguard</artifactId>
			<version>3.1.0</version>
		</dependency>
		<dependency>
			<groupId>org.apache.struts</groupId>
			<artifactId>struts-core</artifactId>
			<version>1.3.10</version>
		</dependency>

		<dependency>
			<groupId>org.apache.struts</groupId>
			<artifactId>struts-taglib</artifactId>
			<version>1.3.10</version>
		</dependency>
	
	</dependencies>
	<build>
		<finalName>csrfgaurdapp</finalName>
	</build>
</project>

来源:https://stackoverflow.com/questions/42095851/csrfguard-request-token-does-not-match-page-token-how-can-generate-token-per

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!