Tags: security, spring-mvc, csrf, csrf-protection, owasp

Web Security: Preventing CSRF attack


I am following this tutorial for an application based on the Spring Framework 3.2.4

http://springdiaries.blogspot.be/2012/12/web-security-preventing-csrf-attack.html#comment-form

The point is that I've checked all the objects in the session and I haven't found any object with the key OWASP_CSRFTOKEN, and that is suspicious; is it not working well?


Solution

  • This is not exactly an answer to your question, which is unfortunately too vague to answer without a magical crystal ball ^^, but here are some things you should try:

    • Check that your request is not coming from a URL matching one of the unprotected patterns defined in the Owasp.CsrfGuard.properties configuration file (these values are from the OWASP docs; you should have set up different ones):


    org.owasp.csrfguard.unprotected.Tag=/Owasp.CsrfGuard.Test/tag.jsp
    org.owasp.csrfguard.unprotected.JavaScriptServlet=/Owasp.CsrfGuard.Test/JavaScriptServlet
    org.owasp.csrfguard.unprotected.Html=*.html
    org.owasp.csrfguard.unprotected.Public=/MySite/Public/*
    
    • Check your web server / servlet container log for errors, both on startup / application load and upon receiving a client request.

    • Set breakpoints here and here and launch the application in debug mode to make sure your class is being loaded and the token is being requested.

    • Review one by one all the configuration parameters.

    • Read the project wiki and the docs carefully:

    You won't have to modify your DB schema in any way. That's not how OWASP CSRF Guard works (the generated tokens are stored in-session, not persisted in the database).

    It's also worth mentioning that you are following an outdated blog post: if you are using Spring, you don't need to be using OWASP CSRF Guard at all. You should be using spring-security authentication, which has built-in CSRF protection and is much easier to set up.

    Check out the tutorial on this page on how to set up HTML form + SQL database based authentication with CSRF protection (also, don't miss out on the bcrypt password hashing one; it is very easy to set up and at some point you'll be glad you are storing safe hashes instead of clear-text passwords).

    You'll see you also won't have to modify the db at all to add CSRF protection using spring-security because the CSRF protection token is session-stored.

    The setup takes 5-15 minutes; 30 minutes tops for a Spring neophyte. In a nutshell, the framework takes care of generating and validating the token and returning an authentication error on invalid requests.

    You just have to include the <csrf /> tag inside your spring-security.xml configuration file <http> tag.

    If you are using HTML form based authentication, you'll also have to include the following hidden input inside the form:

    <input type="hidden" name="${_csrf.parameterName}"
                         value="${_csrf.token}" />
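The answer's central point is that the CSRF token lives in the HTTP session, not in the database, and that a state-changing request is rejected when the submitted value does not match the session copy. The following servlet filter is an added example illustrating that synchronizer-token pattern in plain javax.servlet code; it is not Spring Security's CsrfFilter, not OWASP CSRFGuard, and not code from the linked tutorials. The session attribute name `example.csrf.token`, the class names `SessionCsrfFilter` and `CsrfToken`, and the choice of `_csrf` as the request attribute and form parameter are assumptions made here so that the hidden-input snippet above renders unchanged against this filter.

```java
// Added example (not Spring Security or CSRFGuard code): a session-stored
// synchronizer token validated by a servlet filter.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionCsrfFilter implements Filter {

    /** Session attribute holding the per-session token (name is an assumption). */
    static final String SESSION_ATTR = "example.csrf.token";
    /** Request attribute and form field name (assumption, chosen to match ${_csrf.*}). */
    static final String PARAM_NAME = "_csrf";
    /** Methods that change state and therefore must carry a valid token. */
    private static final Set<String> PROTECTED_METHODS =
            new HashSet<>(Arrays.asList("POST", "PUT", "DELETE", "PATCH"));
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Bean exposed to JSP EL so ${_csrf.parameterName} and ${_csrf.token} resolve. */
    public static final class CsrfToken {
        private final String token;
        CsrfToken(String token) { this.token = token; }
        public String getParameterName() { return PARAM_NAME; }
        public String getToken() { return token; }
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Safe methods pass through; ensure a token exists so the rendered
        // page can embed it in its forms.
        if (!PROTECTED_METHODS.contains(request.getMethod())) {
            String token = tokenFor(request.getSession(true));
            request.setAttribute(PARAM_NAME, new CsrfToken(token));
            chain.doFilter(req, res);
            return;
        }

        // State-changing request: the session must already hold a token and
        // the submitted value must match it. A brand-new session (no token
        // yet) is rejected too, which is the symptom the question describes.
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_ATTR);
        String actual = request.getParameter(PARAM_NAME);
        if (expected == null || actual == null || !constantTimeEquals(expected, actual)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid or missing CSRF token");
            return;
        }
        request.setAttribute(PARAM_NAME, new CsrfToken(expected));
        chain.doFilter(req, res);
    }

    /** Returns the session's token, creating and storing one on first use. */
    static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(SESSION_ATTR);
            if (token == null) {
                byte[] raw = new byte[32];                      // 256 bits of entropy
                RANDOM.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(SESSION_ATTR, token);
            }
            return token;
        }
    }

    /** Compare without leaking the position of the first mismatching byte. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Map the filter to `/*` in web.xml (or with `@WebFilter("/*")`), and the hidden input shown above submits the token back on POST. Nothing here touches a database: the only state is the session attribute, which is exactly why the answer says no schema change is needed, and an empty session on a state-changing request yields a 403 rather than a silent pass. Spring Security's `<csrf />` does the same job with its own filter and token bean, so in a Spring application this example is only for understanding the mechanism, not a replacement for that configuration.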