I'm trying to protect my application using OWASP CSRFGuard so I configured the web.xml in this way:
<!-- ********* FILTERS for Preventing CSRF ********* -->
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
<!-- ********* FILTERS for Preventing CSRF ********* -->
and, on WEB-INF/classes I put the Owasp.CsrfGuard.properties
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
org.owasp.csrfguard.Enabled = true
org.owasp.csrfguard.ValidateWhenNoSessionExists = false
org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/login.htm?lang=en_US
org.owasp.csrfguard.ProtectedMethods=POST
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Ajax=true
#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=[dyna] potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.htm
#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
#org.owasp.csrfguard.action.RequestAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
#org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
#org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
#org.owasp.csrfguard.action.Error.Code=403
#org.owasp.csrfguard.action.Error.Message=Security violation.
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=64
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.PRNG.Provider=SUN
org.owasp.csrfguard.Config.Print = true
###########################
## Javascript servlet settings if not set in web.xml
## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
###########################
org.owasp.csrfguard.JavascriptServlet.sourceFile = script/csrfguard.js
org.owasp.csrfguard.JavascriptServlet.domainStrict = true
org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project
org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties, classpath:Owasp.CsrfGuard.overlay.properties
org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
After tomcat start, I can see this on the console:
INFO: Printing properties before Javascript servlet, note, the javascript properties might not be initialized yet:
*****************************************************
* Owasp.CsrfGuard Properties
*
* Logger: org.owasp.csrfguard.log.JavaLogger
* NewTokenLandingPage: /gdml/login.htm?lang=en_US
* PRNG: SHA1PRNG
* SessionKey: OWASP_CSRFTOKEN
* TokenLength: 64
* TokenName: OWASP_CSRFTOKEN
* Ajax: true
* Rotate: false
* Javascript cache control: null
* Javascript domain strict: false
* Javascript inject attributes: false
* Javascript inject forms: false
* Javascript referer pattern: null
* Javascript referer match domain: false
* Javascript source file: null
* Javascript X requested with: null
* Protected methods: HashSet size: 1: [0]: POST
* Protected pages size: 0
* Unprotected methods: Empty HashSet
* Unprotected pages size: 1
* TokenPerPage: true
* Enabled: true
* ValidateWhenNoSessionExists: false
* Action: org.owasp.csrfguard.action.Log
* Parameter: Message = [dyna] potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
* Action: org.owasp.csrfguard.action.Redirect
* Parameter: Page = /gdml/error.htm
* Action: org.owasp.csrfguard.action.Rotate
*****************************************************
It seems it is using the default Javascript properties. I can change from Owasp.CsrfGuard.properties properties except for Javascript section. Maybe they are override later during the startup.
In any case, when I try to login, a JS is called but I always get a error:
WARNING: [dyna] potential cross-site request forgery (CSRF) attack thwarted (user:giandrea77, ip:10.211.55.2, method:POST, uri:/gdml/authenticate.htm, error:required token is missing from the request)
If I try to view the page source I cannot see the included JS (csrfguard.js). So, how can I be sure the JS are properly configured?
Andrea
In order to have token auto form POST via "NewTokenLandingPage" you need to assure there's no active session between your client and your server. So, cleanup all the cookies and try again.
Moreover, JavascriptServlet which provides "csrfguard.js" is another CSRF prevention mechanism.
Your attempt looks like the basic installation without ajax protection.
To provide Ajax protection the pages of your application should at least point to JavaScriptServlet as below:
<!-- OWASP CSRFGuard Ajax Support -->
<script src="/JavaScriptServlet"></script>
You can see more at CSRFGuard Configuration.