October 25, 2018

CSRFGuard by OWASP

What is Cross-Site Request Forgery, CSRF?

CSRF had its own entry in previous editions of the OWASP Top Ten, but not in the 2017 edition: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project. The reason is partly that CSRF protection is now built into most web frameworks, and partly that other vulnerabilities get more attention as the technology landscape shifts. The attack itself has not gone away: a CSRF attack tricks a logged-in user's browser into sending a state-changing request to your application, and because the browser attaches the session cookie automatically, the server cannot tell the forged request from a legitimate one unless the request also carries something the attacker cannot obtain, such as a per-session token. That token is what CSRFGuard adds and checks.

The OWASP Cheat Sheet Series has a cheat sheet on preventing CSRF: https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series.

How to Use OWASP CSRFGuard

Maven dependency:


<dependency>
 <groupId>org.owasp</groupId>
 <artifactId>csrfguard</artifactId>
 <version>3.1.0</version>
</dependency>

Activate in web.xml


<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
 version="3.1">

 <listener>
  <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
 </listener>
 <listener>
  <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
 </listener>

 <filter>
  <filter-name>CsrfGuardFilter</filter-name>
  <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
 </filter>
 <filter-mapping>
  <filter-name>CsrfGuardFilter</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>

 <servlet>
  <servlet-name>JavaScriptServlet</servlet-name>
  <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
 </servlet>
 <servlet-mapping>
  <servlet-name>JavaScriptServlet</servlet-name>
  <url-pattern>/JavaScriptServlet</url-pattern>
 </servlet-mapping>

</web-app>

If you render all of your pages on the server and make no AJAX calls that need the token, you can leave out the JavaScriptServlet. It serves the JavaScript that injects the token into forms and XMLHttpRequest calls on pages that load it with a script tag whose src points at the servlet mapping above (/JavaScriptServlet). Keep the filter mapping on /* either way, so that no state-changing request reaches a handler without passing the token check, and list the resources that must stay reachable without a token (the landing page, the error page, the JavaScriptServlet itself) as unprotected in the properties file.

Configure: add Owasp.CsrfGuard.properties to your classpath; the context listener loads it at startup. The sample from the project's test webapp is a good starting point: https://github.com/aramrami/OWASP-CSRFGuard/blob/9e26fc1b0f992b7eb70357e17690497ee48e2440/csrfguard-test/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties.
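A minimal Owasp.CsrfGuard.properties to go with the web.xml above, as an added example and not the project's own sample file: the key names are the ones used in the sample file linked above, while the page paths (/default.html, /error.html) and the chosen values are illustrative and must be adapted to your application.

```properties
# Added example, not the project's sample file. Key names follow the sample
# Owasp.CsrfGuard.properties; paths and values are illustrative assumptions.

# Where token violations are reported
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger

# Name of the token parameter/header and the session attribute it is stored under
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.PRNG.Provider=SUN

# Protect=false: every resource is protected unless explicitly listed as
# unprotected (deny by default). Protect=true would protect only the
# org.owasp.csrfguard.protected.* entries, which is easy to get wrong.
org.owasp.csrfguard.Protect=false

# Resources that must work without a token. The JavaScriptServlet hands out
# the script that injects tokens, so it cannot itself require one, and the
# redirect target of a failed check must be reachable without a token.
org.owasp.csrfguard.unprotected.Default=/default.html
org.owasp.csrfguard.unprotected.Error=/error.html
org.owasp.csrfguard.unprotected.JavaScriptServlet=/JavaScriptServlet

# Per-page tokens are what <csrf:tokenvalue uri="..."/> resolves to; keep
# Rotate=false when the application uses AJAX or several tabs, since a token
# rotated after one request invalidates the copies held by the other requests.
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Rotate=false
org.owasp.csrfguard.Ajax=true

# What happens on a missing or wrong token: log it, then redirect to an error page
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/error.html

# Behaviour of the script served by JavaScriptServlet: inject the token into
# forms, only for same-domain targets, and mark AJAX requests with a header.
org.owasp.csrfguard.JavascriptServlet.injectIntoForms=true
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes=false
org.owasp.csrfguard.JavascriptServlet.domainStrict=true
org.owasp.csrfguard.JavascriptServlet.xRequestedWith=OWASP CSRFGuard Project
```

The Log action keeps a record of every rejected request, which is worth feeding into monitoring: a burst of thwarted CSRF attempts against one user is a signal, and a steady trickle from legitimate users usually means a page or AJAX call is missing the token rather than an attack.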

How to use it: the examples below are taken from https://github.com/aramrami/OWASP-CSRFGuard/tree/9e26fc1b0f992b7eb70357e17690497ee48e2440/csrfguard-test/src/main/webapp. Both are JSP and need the CSRFGuard tag library declared at the top of the page; the uri is the one declared in the tag library descriptor shipped in the csrfguard jar.

Example: plain form with the token added by hand as a hidden field (the csrf tags resolve to the configured token name and the token for the target page)


<%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>
<form id="formTest1" name="formTest1" action="protect.html">
 <input type="text" name="text" value="text"/>
 <input type="submit" name="submit" value="submit"/>
 <%-- hidden field: name is the configured token name, value is the token for protect.html --%>
 <input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue uri="protect.html"/>"/>
</form>

Example: the csrf:form tag, which renders the same hidden token field for you


<%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>
<csrf:form id="formTest2" name="formTest2" action="protect.html">
 <input type="text" name="text" value="text"/>
 <input type="submit" name="submit" value="submit"/>
</csrf:form>

Both forms have no method attribute and therefore submit with GET, exactly as in the project's test page. For real state-changing actions use method="post", so that the token does not end up in the URL, the browser history, server logs and Referer headers sent to other sites.

Read more: https://github.com/aramrami/OWASP-CSRFGuard/tree/9e26fc1b0f992b7eb70357e17690497ee48e2440

And the project page: https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project#tab=Main
