2016-12-06 174 views
0

OWASP CSRFGuard: required token is missing from the request

I'm trying to protect my application with OWASP CSRFGuard, so I configured web.xml this way:

<!-- ********* FILTERS for Preventing CSRF ********* -->  
<listener> 
    <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class> 
</listener> 
<listener> 
    <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class> 
</listener> 

<filter> 
    <filter-name>CSRFGuard</filter-name> 
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class> 
</filter> 

<filter-mapping> 
    <filter-name>CSRFGuard</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<servlet> 
    <servlet-name>JavaScriptServlet</servlet-name> 
    <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class> 
</servlet> 

<servlet-mapping> 
    <servlet-name>JavaScriptServlet</servlet-name> 
    <url-pattern>/JavaScriptServlet</url-pattern> 
</servlet-mapping> 
<!-- ********* FILTERS for Preventing CSRF ********* --> 

and in WEB-INF/classes I put Owasp.CsrfGuard.properties:

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger 
org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory 
org.owasp.csrfguard.Enabled = true 
org.owasp.csrfguard.ValidateWhenNoSessionExists = false 
org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/login.htm?lang=en_US 
org.owasp.csrfguard.ProtectedMethods=POST 

org.owasp.csrfguard.TokenPerPage=true 
org.owasp.csrfguard.TokenPerPagePrecreate=false 

org.owasp.csrfguard.Ajax=true 

#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty 
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log 
org.owasp.csrfguard.action.Log.Message=[dyna] potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%) 
#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate 
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect 
org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.htm 
#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute 
#org.owasp.csrfguard.action.RequestAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key 
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate 
#org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute 
#org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key 
#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error 
#org.owasp.csrfguard.action.Error.Code=403 
#org.owasp.csrfguard.action.Error.Message=Security violation. 

org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN 
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN 
org.owasp.csrfguard.TokenLength=64 
org.owasp.csrfguard.PRNG=SHA1PRNG 
org.owasp.csrfguard.PRNG.Provider=SUN 
org.owasp.csrfguard.Config.Print = true 

########################### 
## Javascript servlet settings if not set in web.xml 
## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection 
########################### 
org.owasp.csrfguard.JavascriptServlet.sourceFile = script/csrfguard.js 
org.owasp.csrfguard.JavascriptServlet.domainStrict = true 
org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800 
org.owasp.csrfguard.JavascriptServlet.refererPattern = .* 
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true 
org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true 
org.owasp.csrfguard.JavascriptServlet.injectGetForms = true 
org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true 
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true 


org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project 


org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties, classpath:Owasp.CsrfGuard.overlay.properties 
org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60 

After Tomcat starts I can see this on the console:

INFO: Printing properties before Javascript servlet, note, the javascript properties might not be initialized yet: 
***************************************************** 
* Owasp.CsrfGuard Properties 
* 
* Logger: org.owasp.csrfguard.log.JavaLogger 
* NewTokenLandingPage: /gdml/login.htm?lang=en_US 
* PRNG: SHA1PRNG 
* SessionKey: OWASP_CSRFTOKEN 
* TokenLength: 64 
* TokenName: OWASP_CSRFTOKEN 
* Ajax: true 
* Rotate: false 
* Javascript cache control: null 
* Javascript domain strict: false 
* Javascript inject attributes: false 
* Javascript inject forms: false 
* Javascript referer pattern: null 
* Javascript referer match domain: false 
* Javascript source file: null 
* Javascript X requested with: null 
* Protected methods: HashSet size: 1: [0]: POST 

* Protected pages size: 0 
* Unprotected methods: Empty HashSet 
* Unprotected pages size: 1 
* TokenPerPage: true 
* Enabled: true 
* ValidateWhenNoSessionExists: false 
* Action: org.owasp.csrfguard.action.Log 
* Parameter: Message = [dyna] potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%) 
* Action: org.owasp.csrfguard.action.Redirect 
* Parameter: Page = /gdml/error.htm 
* Action: org.owasp.csrfguard.action.Rotate 
***************************************************** 

It seems to be using the default Javascript properties. I can change the properties from Owasp.CsrfGuard.properties (everything except the Javascript section). Maybe they get overwritten later during startup.

In any case, when I try to log in, a JS call is made, but I always get an error:

WARNING: [dyna] potential cross-site request forgery (CSRF) attack thwarted (user:giandrea77, ip:10.211.55.2, method:POST, uri:/gdml/authenticate.htm, error:required token is missing from the request) 

If I try to view the page source I can't see the JS include (csrfguard.js). So how can I be sure the JS is configured correctly?

Andrea

Answer

1

In order to have the token automatically form-POSTed via "NewTokenLandingPage", you need to ensure that there is no active session between your client and the server. So clear all cookies and retry.

Also, the JavascriptServlet that serves "csrfguard.js" is another CSRF prevention mechanism.

Your attempt looks like a basic installation without Ajax protection.

The pages of an Ajax application to be protected should at least point to the JavaScriptServlet like this:

<!-- OWASP CSRFGuard Ajax Support --> 
<script src="/JavaScriptServlet"></script> 

You can see more at CSRFGuard Configuration.
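To make the failure in the question and the fix in the answer concrete, here is an added Python model, written for this page and not CSRFGuard's own code, of how the filter configured with the properties above decides whether a request carries a token, and how the Log action renders the WARNING line the questioner saw. The Request class, the sample requests, and the reuse of the user, IP and URI from the logged line are constructed for the example. The rule it mirrors is the one CSRFGuard applies with Ajax=true: a request carrying an X-Requested-With header is treated as Ajax and must supply the token as a request header named TokenName, while any other protected request must supply it as a request parameter of that name.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import secrets

# Values taken from the Owasp.CsrfGuard.properties posted in the question.
TOKEN_NAME = "OWASP_CSRFTOKEN"      # org.owasp.csrfguard.TokenName
PROTECTED_METHODS = {"POST"}        # org.owasp.csrfguard.ProtectedMethods
AJAX_ENABLED = True                 # org.owasp.csrfguard.Ajax
TOKEN_LENGTH = 64                   # org.owasp.csrfguard.TokenLength
LOG_MESSAGE = ("[dyna] potential cross-site request forgery (CSRF) attack thwarted "
               "(user:%user%, ip:%remote_ip%, method:%request_method%, "
               "uri:%request_uri%, error:%exception_message%)")


@dataclass
class Request:
    """Minimal stand-in for HttpServletRequest (constructed for this example)."""
    method: str
    uri: str
    user: str
    remote_ip: str
    headers: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)


class CsrfGuardException(Exception):
    pass


def new_session_token() -> str:
    """Per-session secret; 64 hex characters matches TokenLength=64."""
    return secrets.token_hex(TOKEN_LENGTH // 2)


def token_from_request(req: Request) -> str:
    """Locate the client-supplied token the way the filter does.

    With Ajax=true, a request carrying an X-Requested-With header is treated as
    an Ajax call and the token must be a request *header* named TokenName; any
    other protected request must carry it as a request *parameter* of that name.
    That hidden field / pair of headers is what csrfguard.js supplies once the
    page includes the JavaScriptServlet script; without it nothing sends a token.
    """
    is_ajax = AJAX_ENABLED and "X-Requested-With" in req.headers
    token = req.headers.get(TOKEN_NAME) if is_ajax else req.params.get(TOKEN_NAME)
    if token is None:
        raise CsrfGuardException("required token is missing from the request")
    return token


def is_valid_request(req: Request, session_token: str) -> bool:
    """Filter decision: unprotected methods pass; protected ones need a matching token."""
    if req.method.upper() not in PROTECTED_METHODS:
        return True
    supplied = token_from_request(req)
    if not secrets.compare_digest(supplied, session_token):
        raise CsrfGuardException("request token does not match session token")
    return True


def check(req: Request, session_token: str) -> Tuple[bool, Optional[str]]:
    """Run the decision and, on failure, render the Log action message with the
    placeholders substituted as in the WARNING line the questioner saw."""
    try:
        return is_valid_request(req, session_token), None
    except CsrfGuardException as exc:
        msg = (LOG_MESSAGE.replace("%user%", req.user)
               .replace("%remote_ip%", req.remote_ip)
               .replace("%request_method%", req.method)
               .replace("%request_uri%", req.uri)
               .replace("%exception_message%", str(exc)))
        return False, msg


def demo() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Constructed requests against one session token (user/ip/uri copied from the question's log line)."""
    tok = new_session_token()
    who = dict(user="giandrea77", remote_ip="10.211.55.2")
    login = "/gdml/authenticate.htm"
    cases = {
        # The questioner's situation: no script on the page, so the login POST carries no token.
        "post_without_token": Request("POST", login, params={"username": "giandrea77"}, **who),
        # Plain form submit after csrfguard.js injected the hidden field.
        "form_post_with_token": Request("POST", login, params={TOKEN_NAME: tok}, **who),
        # XHR after csrfguard.js added both headers.
        "ajax_post_with_token": Request("POST", login,
                                        headers={"X-Requested-With": "OWASP CSRFGuard Project",
                                                 TOKEN_NAME: tok}, **who),
        # XHR that put the token only in the body: treated as Ajax, so the header lookup finds nothing.
        "ajax_post_token_in_body": Request("POST", login,
                                           headers={"X-Requested-With": "XMLHttpRequest"},
                                           params={TOKEN_NAME: tok}, **who),
        # Token forged or copied from another session.
        "post_wrong_token": Request("POST", login, params={TOKEN_NAME: new_session_token()}, **who),
        # GET is not in ProtectedMethods and is never checked.
        "get_login_page": Request("GET", "/gdml/login.htm?lang=en_US", **who),
    }
    return {name: check(req, tok) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (ok, log) in demo().items():
        print(f"{name:26s} {'OK' if ok else 'REJECTED'}{'' if ok else '  ' + log}")
```

Running it reproduces the questioner's WARNING line for the token-less login POST, while the two requests csrfguard.js would produce (hidden form field, or X-Requested-With plus the token header on an XHR) pass. That is the point of the answer's `<script src>` line: until the page actually loads the JavaScriptServlet output, nothing on the client adds that parameter or header, which is also why "view source" showing no csrfguard.js include is the first thing to check.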