Friday 24 April 2015

OWASP - CSRFGuard 3.0


Overview

CSRFGuard is a servlet filter used to eliminate cross-site request forgery (CSRF) issues in Java web applications.

Implementation

1) Add the CSRFGuard library dependency to pom.xml
2) Add the CSRFGuard filter and listeners to web.xml
3) Add the CSRFGuard properties file to the resources folder (classpath)
4) Add the taglib and the CSRF token to forms in the JSP files
5) Add the CSRFGuard script to JSP pages that make Ajax calls

Step 1

Add the CSRFGuard dependency to pom.xml so that the Owasp.CsrfGuard jar is on the application's classpath.

<dependency>
<groupId>org.owasp</groupId>
<artifactId>csrfguard</artifactId>
<version>3.0.0</version>
</dependency>

Step 2

Add the CSRFGuard filter and listeners to web.xml.
To enable Ajax support, copy Owasp.CsrfGuard.js out of the jar into the WEB-INF folder; the JavaScriptServlet below serves it to the browser with the session's tokens filled in. Its referer-pattern init-param decides which Referer values may fetch the script, and therefore the token, so the .*localhost.* value shown is for local development only.

<!-- Loads Owasp.CsrfGuard.properties at startup -->
<listener>
  <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<!-- Generates the session token when a session is created -->
<listener>
  <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<context-param>
  <param-name>Owasp.CsrfGuard.Config</param-name>
  <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
</context-param>
<!-- Prints the loaded configuration to the log; handy while setting up -->
<context-param>
  <param-name>Owasp.CsrfGuard.Config.Print</param-name>
  <param-value>true</param-value>
</context-param>

<!-- Validates the token on requests to protected pages -->
<filter>
  <filter-name>CSRFGuard</filter-name>
  <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CSRFGuard</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- For CSRF Ajax support: serves Owasp.CsrfGuard.js with this session's tokens filled in -->
<servlet>
  <servlet-name>JavaScriptServlet</servlet-name>
  <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
  <init-param>
    <param-name>source-file</param-name>
    <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
  </init-param>
  <init-param>
    <param-name>inject-into-forms</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>inject-into-attributes</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>domain-strict</param-name>
    <param-value>false</param-value>
  </init-param>
  <!-- Only requests whose Referer matches this pattern receive the script (and the token);
       .*localhost.* is a development value, replace it with the application's own host -->
  <init-param>
    <param-name>referer-pattern</param-name>
    <param-value>.*localhost.*</param-value>
  </init-param>
</servlet>

<servlet-mapping>
  <servlet-name>JavaScriptServlet</servlet-name>
  <url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>

Step 3

Add the CSRFGuard properties file (in the resources folder, i.e. on the classpath, or under WEB-INF/ as referenced by the Owasp.CsrfGuard.Config context-param in Step 2) and configure its parameters.
Reference: https://www.owasp.org/index.php/CSRFGuard_3_Configuration

# Logging, and the request methods that require a token (GET stays unprotected)
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
# One token per page rather than one per session; Rotate=false keeps it stable between requests
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Rotate=false
# Accept the token as a request header on Ajax calls made through Owasp.CsrfGuard.js
org.owasp.csrfguard.Ajax=true
# Actions taken when validation fails: log the attempt, then redirect to the error page
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery attack thwarted (user %user%, ip %remote_ip%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/contextpath/error.jsp
# Token name (form field and Ajax header), session attribute key, length and PRNG
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
# Protect=false protects every page except the unprotected.* entries below;
# Protect=true would protect only pages listed under protected.*
org.owasp.csrfguard.Protect=false
# The redirect target must be unprotected, otherwise the failed request would loop
org.owasp.csrfguard.unprotected.index=/contextpath/error.jsp

Step 4

Add the taglib and the CSRF token hidden field to forms in the JSP file.
Reference: https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection

<%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>

<form name="test1" action="protect.html">
     <input type="text" name="text" value="text"/>
     <input type="submit" name="submit" value="submit"/>
     <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/>
</form>


Step 5

For JSP pages that make Ajax calls, include the script served by the JavaScriptServlet. With inject-into-forms=true the script adds the hidden token field to forms itself and attaches the token as a header to XMLHttpRequest calls, so on these pages the taglib and the manual hidden field are not needed.

<script src="/contextpath/JavaScriptServlet"></script>
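
To make the filter's decision concrete, here is an added Python model (not CSRFGuard's code, and not from this post) that parses the Step 3 settings that matter for validation and replays a few constructed requests against one session. It covers the hidden form token of Step 4 and the Ajax header of Step 5 in one run. The class and function names are the example's own, the token encoding is a stand-in for CSRFGuard's, and the X-Requested-With value is constructed.

```python
import hmac
import secrets

# Constructed copy of the Step 3 settings that drive the decision (keys as CSRFGuard 3 reads them)
PROPERTIES = """\
org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.Protect=false
org.owasp.csrfguard.action.Redirect.Page=/contextpath/error.jsp
org.owasp.csrfguard.unprotected.index=/contextpath/error.jsp
"""
PREFIX = "org.owasp.csrfguard."


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


class CsrfGuardModel:
    """One user's session plus the accept/reject decision the filter makes (simplified model)."""

    def __init__(self, props):
        self.protected_methods = {m.strip() for m in props[PREFIX + "ProtectedMethods"].split(",")}
        self.token_per_page = props.get(PREFIX + "TokenPerPage") == "true"
        self.ajax = props.get(PREFIX + "Ajax") == "true"
        self.token_name = props[PREFIX + "TokenName"]
        self.token_length = int(props[PREFIX + "TokenLength"])
        # Protect=true protects only protected.* pages; Protect=false protects all but unprotected.*
        self.protect_listed_only = props.get(PREFIX + "Protect") == "true"
        self.protected_pages = {v for k, v in props.items() if k.startswith(PREFIX + "protected.")}
        self.unprotected_pages = {v for k, v in props.items() if k.startswith(PREFIX + "unprotected.")}
        self.redirect_page = props[PREFIX + "action.Redirect.Page"]
        # CsrfGuardHttpSessionListener mints the session (master) token when the session is created
        self.session_token = self._new_token()
        self.page_tokens = {}  # URI -> token, filled as pages are rendered (TokenPerPage=true)

    def _new_token(self):
        # Hypothetical encoding: hex of TokenLength/2 CSPRNG bytes; CSRFGuard's own alphabet differs
        return secrets.token_hex(self.token_length // 2)

    def token_for_page(self, uri):
        """What <csrf:token-value/> renders into a form that posts to `uri`."""
        if not self.token_per_page:
            return self.session_token
        return self.page_tokens.setdefault(uri, self._new_token())

    def is_protected_page(self, uri):
        protected = not self.protect_listed_only
        if uri in self.protected_pages:
            protected = True
        if uri in self.unprotected_pages:
            protected = False
        return protected

    def check(self, method, uri, params=None, headers=None):
        """Return (allowed, reason), testing method, then page, then token, in that order."""
        params, headers = params or {}, headers or {}
        if method not in self.protected_methods:
            return True, "method not protected"
        if not self.is_protected_page(uri):
            return True, "page unprotected"
        # Owasp.CsrfGuard.js marks its XMLHttpRequests with X-Requested-With and sends the token
        # as a header named TokenName; plain form posts carry it as a parameter of that name
        is_ajax = self.ajax and "X-Requested-With" in headers
        presented = headers.get(self.token_name) if is_ajax else params.get(self.token_name)
        if presented is None:
            return False, "token missing -> redirect " + self.redirect_page
        # With TokenPerPage the page's own token is expected; a page without one uses the session token
        expected = self.page_tokens.get(uri, self.session_token) if self.token_per_page else self.session_token
        if not hmac.compare_digest(presented, expected):
            return False, "token mismatch -> redirect " + self.redirect_page
        return True, "token valid"


def demo():
    """Replay constructed requests against one session; returns name -> allowed."""
    guard = CsrfGuardModel(parse_properties(PROPERTIES))
    target = "/contextpath/protect.html"
    token = guard.token_for_page(target)  # the hidden field of Step 4, rendered for this page
    return {
        # Legitimate submit of the Step 4 form
        "form_ok": guard.check("POST", target, params={"text": "text", guard.token_name: token})[0],
        # Forged cross-site POST: another origin cannot read the victim's token, so the field is absent
        "forged": guard.check("POST", target, params={"text": "text"})[0],
        # Forged POST with a guessed token value
        "guessed": guard.check("POST", target, params={guard.token_name: "0" * 32})[0],
        # Ajax call of Step 5, token attached as a header by the injected script
        "ajax_ok": guard.check("POST", target, headers={"X-Requested-With": "XMLHttpRequest",
                                                        guard.token_name: token})[0],
        # GET is not in ProtectedMethods, and the error page is listed under unprotected.*
        "get": guard.check("GET", target)[0],
        "error_page": guard.check("POST", "/contextpath/error.jsp")[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:10s} {'allowed' if allowed else 'rejected'}")
```

The order of the checks is the point: a request is only asked for a token once it is a protected method against a protected page, which is why the redirect target has to appear under unprotected.* and why a Protect=true setting with no protected.* entries would leave every page unprotected.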

Reference

https://cwe.mitre.org/data/definitions/352.html
https://www.owasp.org/index.php/CSRFGuard_3_User_Manual