Friday 24 April 2015

OWASP - CSRFGuard 3.0


Overview

CSRFGuard is used to eliminate cross-site request forgery (CSRF) issues in a web application.

Implementation

1) Add the CSRFGuard library dependency to pom.xml
2) Add the CSRFGuard filter and listeners to web.xml
3) Add the CSRFGuard properties file to the resources folder (class path)
4) Add the taglib and CSRF token to forms in the JSP file
5) Add the script to the JSP file in case of Ajax calls

Step 1

Add the CSRFGuard library dependency to pom.xml so that Owasp.CsrfGuard.jar is on the application's classpath.

<dependency>
<groupId>org.owasp</groupId>
<artifactId>csrfguard</artifactId>
<version>3.0.0</version>
</dependency>

Step 2

Add the CSRFGuard filter and listeners to web.xml.
To enable CSRF Ajax support, copy Owasp.CsrfGuard.js from the jar to the WEB-INF folder.

<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<context-param>
<param-name>Owasp.CsrfGuard.Config</param-name>
<param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
</context-param>
<context-param>
<param-name>Owasp.CsrfGuard.Config.Print</param-name>
<param-value>true</param-value>
</context-param>

<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<!-- For CSRF Ajax support-->
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
<init-param>
<param-name>source-file</param-name>
<param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
</init-param>
<init-param>
<param-name>inject-into-forms</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>inject-into-attributes</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>domain-strict</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>referer-pattern</param-name>
<param-value>.*localhost.*</param-value>
</init-param>
</servlet>

<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>

Step 3

Add the CSRFGuard properties file to the resources folder and configure its parameters.
Reference: https://www.owasp.org/index.php/CSRFGuard_3_Configuration

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Rotate=false
org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery attack thwarted (user %user%, ip %remote_ip%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
# The Redirect action needs a target page; the unprotected error page below is assumed to be that target.
org.owasp.csrfguard.action.Redirect.Page=/contextpath/error.jsp
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.Protect=true
org.owasp.csrfguard.unprotected.index=/contextpath/error.jsp

Step 4

Add the taglib and CSRF token to forms in the JSP file.
Reference: https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection

<%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>

<%-- With TokenPerPage=true the token-value tag requires the uri attribute (the request URI the filter will see,
     assumed here to be the form action under the /contextpath context); otherwise it fails at render time. --%>
<form name="test1" action="protect.html">
    <input type="text" name="text" value="text"/>
    <input type="submit" name="submit" value="submit"/>
    <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value uri="/contextpath/protect.html"/>"/>
</form>


Step 5

Add the script to the JSP file in case of Ajax calls. In this case there is no need to add the taglib and hidden token to the form, since the script injects them.

<script src="/contextpath/JavaScriptServlet"></script>
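As an added illustration (not CSRFGuard's own code), the following Java 11 class models the decision that the Step 3 configuration asks the filter to make: only the protected methods are checked, unprotected pages are skipped, and with TokenPerPage a token is only valid for the URI it was issued for. The class, its method names and the request values are hypothetical; the paths and property values come from this post.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical model of the synchronizer-token check that Step 3 configures; not CSRFGuard's implementation.
public class CsrfCheckModel {
    static final Set<String> PROTECTED_METHODS = Set.of("POST", "PUT", "DELETE"); // ProtectedMethods
    static final Set<String> UNPROTECTED = Set.of("/contextpath/error.jsp");        // unprotected.index
    static final String TOKEN_NAME = "OWASP_CSRFTOKEN";                             // TokenName
    static final int TOKEN_LENGTH = 32;                                             // TokenLength (bytes)

    // One session's per-page tokens: uri -> token (TokenPerPage=true; Rotate=false, so tokens persist).
    private final Map<String, String> pageTokens = new HashMap<>();
    private final SecureRandom prng;

    CsrfCheckModel() throws Exception { prng = SecureRandom.getInstance("SHA1PRNG"); } // PRNG=SHA1PRNG

    // Token that <csrf:token-value uri="..."/> (or the injected script) would place in the form for this page.
    String tokenFor(String uri) {
        return pageTokens.computeIfAbsent(uri, u -> {
            byte[] raw = new byte[TOKEN_LENGTH];
            prng.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    // Filter decision for one request: "ALLOW" or "LOG_AND_REDIRECT" (the Log and Redirect actions fire).
    String decide(String method, String uri, Map<String, String> params) {
        if (!PROTECTED_METHODS.contains(method) || UNPROTECTED.contains(uri)) return "ALLOW";
        String expected = pageTokens.get(uri);
        String presented = params.get(TOKEN_NAME);
        if (expected == null || presented == null) return "LOG_AND_REDIRECT";
        // Constant-time comparison: a plain equals() would leak the length of the matching prefix via timing.
        boolean ok = MessageDigest.isEqual(expected.getBytes(), presented.getBytes());
        return ok ? "ALLOW" : "LOG_AND_REDIRECT";
    }

    public static void main(String[] args) throws Exception {
        CsrfCheckModel guard = new CsrfCheckModel();
        String page = "/contextpath/protect.html";
        String token = guard.tokenFor(page); // issued when the Step 4 form is rendered
        System.out.println(guard.decide("GET", page, Map.of()));                   // safe method, not checked
        System.out.println(guard.decide("POST", page, Map.of()));                  // no token in the request
        System.out.println(guard.decide("POST", page, Map.of(TOKEN_NAME, token))); // the rendered form's token
        System.out.println(guard.decide("POST", "/contextpath/other.html", Map.of(TOKEN_NAME, token))); // wrong page
    }
}
```

The fourth case is what TokenPerPage buys over a single session-wide token: a token obtained for one page does not authorise a state-changing request to another.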

References

https://cwe.mitre.org/data/definitions/352.html
https://www.owasp.org/index.php/CSRFGuard_3_User_Manual

6 comments:

1. Why do we need to explicitly add the csrftoken hidden field in the page? It gets automatically embedded in the page when we call /JavaScriptServlet.

   Reply: This can probably help you to understand things in depth,
   https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection

2. Hey, I am getting this "java.lang.IllegalStateException: must define 'uri' attribute when token per page is enabled". Why? Please help.. I don't know what this means!!

3. Check this https://www.owasp.org/index.php/CSRFGuard_3_Configuration and refer to the subtopic on the page "Actions: Responding to Attacks".