CSRFGuard - 请求令牌与页面令牌不匹配如何为每个会话生成令牌 [英] CSRFGuard - request token does not match page token & How can generate token per session
问题描述
我正在尝试合并 CSRFGuard 库(< org.owasp csrfguard 3.1.0 >)以纠正应用程序中的一些 CSRF 漏洞.但是在按指定配置
在这里我想解释一下当我收到这条消息时的场景 - 假设我的应用程序登陆页面是这样的
这个页面的代码片段(HelloWorld.jsp)是
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"pageEncoding="ISO-8859-1"%><%@ taglib uri="csrfguard.tld" prefix="csrf" %><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><头><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>在此处插入标题</title><脚本>函数 getParameterByName(name, url) {如果(!网址){url = window.location.href;}name = name.replace(/[\[\]]/g, "\\$&");var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),结果 = regex.exec(url);如果(!结果)返回空;如果 (!results[2]) 返回 '';返回 decodeURIComponent(results[2].replace(/\+/g, " "));}函数 changePage(form){var selectedIndex = form.selectedPage.selectedIndex;var selectedValue = form.selectedPage.options[selectedIndex].value;var csrftoken = getParameterByName("OWASP_CSRFTOKEN", form.action);如果(selectedValue == 'A'){form.action = "A.html?OWASP_CSRFTOKEN="+csrftoken;}如果(selectedValue == 'LA'){form.action = "helloWorld.do?OWASP_CSRFTOKEN="+csrftoken;}表单提交();};头部><身体><h3>从此下拉列表中选择请求页面</h3><form name="test" method="post" action="" id="LAP"><select name="selectedPage" class="pageSelection" ><option value="LA" selected>着陆页</option><option value="A">A页</option></选择><input type="button" name="adding" value="Go" onClick="changePage(this.form);"/><!--<input type="submit" name="adding" value="submit"/>--></表单><script src="JavaScriptServlet"></script></html>
现在我正在尝试使用登录页面的下拉选择导航到页面 A.html.该页面看起来是
现在我注意到新令牌没有生成到A.html的form标签的action属性 页面.相同的标记(如果我们看到 OWASP_CSRFTOKEN=KJZ7-7YXP-DWN5-5NVX-5PB7-TNXG-YLAJ-D2XJ)登陆页面上的任何内容都将附加到 A.html 页面的 form 标签的 >action 属性.A.html页面的代码片段是
<头><meta charset="ISO-8859-1"><title>一页</title><脚本>函数 getParameterByName(name, url) {如果(!网址){url = window.location.href;}name = name.replace(/[\[\]]/g, "\\$&");var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),结果 = regex.exec(url);如果(!结果)返回空;如果 (!results[2]) 返回 '';返回 decodeURIComponent(results[2].replace(/\+/g, " "));}函数 changePage(form){var selectedIndex = form.selectedPage.selectedIndex;var selectedValue = form.selectedPage.options[selectedIndex].value;var csrftoken = getParameterByName("OWASP_CSRFTOKEN", form.action);如果(selectedValue == 'A'){form.action = "A.html?OWASP_CSRFTOKEN="+csrftoken;}如果(selectedValue == 'LA'){form.action = "helloWorld.do?OWASP_CSRFTOKEN="+csrftoken;}表单提交();};头部><身体><h1>一页</h1><h3>从此下拉列表中选择请求页面</h3><form name="test" method="post" action="" id="LAP"><select name="selectedPage" class="pageSelection" ><option value="LA">着陆页</option><option value="A" selected>A页</option></选择><input type="button" name="adding" value="Go" onClick="changePage(this.form);"/></表单><script src="JavaScriptServlet"></script></html>
现在我将使用选择下拉菜单从 A.html 页面转到 登陆页面再次尝试使用登录页面的下拉选择来访问 A.html 页面,然后我在 tomcat 服务器控制台上收到此错误消息
<块引用>"警告:潜在的跨站请求伪造 (CSRF) 攻击受阻(用户:,ip:0:0:0:0:0:0:0:1,方法:POST,uri:/csrfguard-test-3.1.0-SNAPSHOT/A.html,错误:请求令牌与页面令牌不匹配)"
在这里我无法理解我在这里做错了什么.
请帮助我,因为在我的实际应用中实现它非常重要 &请让我知道是否有任何其他信息可以使其更容易理解.提前致谢.
我添加的其他配置细节如下.它是我的 web.xml 文件
<?xml version="1.0" encoding="UTF-8"?><web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5"><display-name>OWASP CSRFGuard 测试</display-name><欢迎文件列表><welcome-file>index.html</welcome-file><welcome-file>index.htm</welcome-file><welcome-file>index.jsp</welcome-file><welcome-file>default.html</welcome-file><welcome-file>default.htm</welcome-file><welcome-file>default.jsp</welcome-file></welcome-file-list><监听器><listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class></监听器><监听器><listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class></监听器><过滤器><filter-name>CSRFGuard</filter-name><filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class></过滤器><过滤器映射><filter-name>CSRFGuard</filter-name><url-pattern>/*</url-pattern></过滤器映射><小服务程序><servlet-name>JavaScriptServlet</servlet-name><servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class><init-param><param-name>inject-into-attributes</param-name><param-value>true</param-value></init-param><!--<init-param><param-name>inject-into-forms</param-name><param-value>true</param-value></init-param>--><init-param><param-name>源文件</param-name><param-value>/script/csrfguard.js</param-value></init-param><servlet-mapping><servlet-name>JavaScriptServlet</servlet-name><url-pattern>/JavaScriptServlet</url-pattern></servlet-mapping><小服务程序><描述></描述><display-name>HelloServlet</display-name><servlet-name>HelloServlet</servlet-name><servlet-class>org.owasp.csrfguard.test.HelloServlet</servlet-class><servlet-mapping><servlet-name>HelloServlet</servlet-name><url-pattern>/HelloServlet</url-pattern></servlet-mapping><小服务程序><servlet-name>动作</servlet-name><servlet-class>org.apache.struts.action.ActionServlet</servlet-class><init-param><param-name>config</param-name><参数值>/WEB-INF/struts-config.xml</参数值></init-param><启动时加载>1</启动时加载><servlet-mapping><servlet-name>动作</servlet-name><url-pattern>*.do</url-pattern></servlet-mapping></web-app>
这是我的 pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"><modelVersion>4.0.0</modelVersion><groupId>com</groupId><artifactId>csrfgaurdapp</artifactId><包装>战争</包装><version>0.0.1-SNAPSHOT</version><name>csrfgaurdapp Maven Webapp</name><url>http://maven.apache.org</url><依赖项><依赖><groupId>junit</groupId><artifactId>junit</artifactId><version>3.8.1</version><范围>测试</范围></依赖><依赖><groupId>javax.servlet</groupId><artifactId>servlet-api</artifactId><version>2.5</version></依赖><依赖><groupId>javax.servlet.jsp</groupId><artifactId>jsp-api</artifactId><version>2.1</version></依赖><依赖><groupId>org.owasp</groupId><artifactId>csrfguard</artifactId><version>3.1.0</version></依赖><依赖><groupId>org.apache.struts</groupId><artifactId>struts-core</artifactId><version>1.3.10</version></依赖><依赖><groupId>org.apache.struts</groupId><artifactId>struts-taglib</artifactId><version>1.3.10</version></依赖></依赖项><构建><finalName>csrfgaurdapp</finalName></build></project>
在 Owasp.CsrfGuard.properties 中,设置 org.owasp.csrfguard.TokenPerPage = false
原因:
每页属性的唯一令牌的使用目前是实验性的,但提供了大量改进的安全性.考虑使用传统的每会话唯一模型暴露 CSRF 令牌.
I am trying to incorporate the CSRFGuard library(< org.owasp csrfguard 3.1.0 >) in order to rectify some CSRF vulnerabilities in an application. However after configuring as specified here I am now getting the below message:
Here I would like to explain scenario when I am getting this message - For suppose my application landing page like this
And code snippet for this page(HelloWorld.jsp) is
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<%@ taglib uri="csrfguard.tld" prefix="csrf" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
<script>
function getParameterByName(name, url) {
if (!url) {
url = window.location.href;
}
name = name.replace(/[\[\]]/g, "\\$&");
var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
results = regex.exec(url);
if (!results) return null;
if (!results[2]) return '';
return decodeURIComponent(results[2].replace(/\+/g, " "));
}
function changePage(form){
var selectedIndex = form.selectedPage.selectedIndex;
var selectedValue = form.selectedPage.options[selectedIndex].value;
var csrftoken = getParameterByName("OWASP_CSRFTOKEN", form.action);
if (selectedValue == 'A') {
form.action = "A.html?OWASP_CSRFTOKEN="+csrftoken;
}
if (selectedValue == 'LA') {
form.action = "helloWorld.do?OWASP_CSRFTOKEN="+csrftoken;
}
form.submit();
};
</script>
</head>
<body>
<h3>Select request page from this dropdown</h3>
<form name="test" method="post" action="" id="LAP">
<select name="selectedPage" class="pageSelection" >
<option value="LA" selected>Landing Page</option>
<option value="A">A page</option>
</select>
<input type="button" name="adding" value="Go" onClick="changePage(this.form);"/>
<!--<input type="submit" name="adding" value="submit"/>-->
</form>
</body>
<script src="JavaScriptServlet"></script>
</html>
And now I am trying to navigate to page A.html using dropdown selection of landing page. The page looks to be
Now here what I have notice is new token is not getting generate to action attribute of form tag of A.html page. The Same token(If we see OWASP_CSRFTOKEN=KJZ7-7YXP-DWN5-5NVX-5PB7-TNXG-YLAJ-D2XJ) whatever has on landing page is getting attach to action attribute of form tag of A.html page. The code snippet of A.html page is
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>A page</title>
<script>
function getParameterByName(name, url) {
if (!url) {
url = window.location.href;
}
name = name.replace(/[\[\]]/g, "\\$&");
var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
results = regex.exec(url);
if (!results) return null;
if (!results[2]) return '';
return decodeURIComponent(results[2].replace(/\+/g, " "));
}
function changePage(form){
var selectedIndex = form.selectedPage.selectedIndex;
var selectedValue = form.selectedPage.options[selectedIndex].value;
var csrftoken = getParameterByName("OWASP_CSRFTOKEN", form.action);
if (selectedValue == 'A') {
form.action = "A.html?OWASP_CSRFTOKEN="+csrftoken;
}
if (selectedValue == 'LA') {
form.action = "helloWorld.do?OWASP_CSRFTOKEN="+csrftoken;
}
form.submit();
};
</script>
</head>
<body>
<h1>A Page</h1>
<h3>Select request page from this dropdown</h3>
<form name="test" method="post" action="" id="LAP">
<select name="selectedPage" class="pageSelection" >
<option value="LA">Landing Page</option>
<option value="A" selected>A page</option>
</select>
<input type="button" name="adding" value="Go" onClick="changePage(this.form);"/>
</form>
</body>
<script src="JavaScriptServlet"></script>
</html>
Now I am going to landing page from A.html page by using selection dropdown & again try to reach out A.html page by using dropdown selection of landing page then I am getting this error message on tomcat server console
"WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:, ip:0:0:0:0:0:0:0:1, method:POST, uri:/csrfguard-test-3.1.0-SNAPSHOT/A.html, error:request token does not match page token)"
Here I am unable to understand what I'm doing wrong here.
Please help me as its very important to implement in my actual application & please let me know if any additional information would make it easier to understand. Thanks in advance.
Few other configuration details I am adding as below. Its my web.xml file
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>OWASP CSRFGuard Test</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
<init-param>
<param-name>inject-into-attributes</param-name>
<param-value>true</param-value>
</init-param>
<!--<init-param>
<param-name>inject-into-forms</param-name>
<param-value>true</param-value>
</init-param>-->
<init-param>
<param-name>source-file</param-name>
<param-value>/script/csrfguard.js</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
<servlet>
<description></description>
<display-name>HelloServlet</display-name>
<servlet-name>HelloServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.test.HelloServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>HelloServlet</servlet-name>
<url-pattern>/HelloServlet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>action</servlet-name>
<servlet-class>
org.apache.struts.action.ActionServlet
</servlet-class>
<init-param>
<param-name>config</param-name>
<param-value>
/WEB-INF/struts-config.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
</web-app>
And its my pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com</groupId>
<artifactId>csrfgaurdapp</artifactId>
<packaging>war</packaging>
<version>0.0.1-SNAPSHOT</version>
<name>csrfgaurdapp Maven Webapp</name>
<url>http://maven.apache.org</url>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.1</version>
</dependency>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>csrfguard</artifactId>
<version>3.1.0</version>
</dependency>
<dependency>
<groupId>org.apache.struts</groupId>
<artifactId>struts-core</artifactId>
<version>1.3.10</version>
</dependency>
<dependency>
<groupId>org.apache.struts</groupId>
<artifactId>struts-taglib</artifactId>
<version>1.3.10</version>
</dependency>
</dependencies>
<build>
<finalName>csrfgaurdapp</finalName>
</build>
</project>
In Owasp.CsrfGuard.properties, set org.owasp.csrfguard.TokenPerPage = false
Reason:
Use of the unique token per page property is currently EXPERIMENTAL, but provides a significant amount of improved security. Consider the exposure of a CSRF token using the legacy unique per-session model.
这篇关于CSRFGuard - 请求令牌与页面令牌不匹配如何为每个会话生成令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!