OWASP CSRFGuard:请求中缺少所需的令牌
OWASP CSRFGuard: required token is missing from the request
我正在尝试使用 OWASP CSRFGuard 保护我的应用程序,所以我以这种方式配置了 web.xml:
<!-- ********* FILTERS for Preventing CSRF ********* -->
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
<!-- ********* FILTERS for Preventing CSRF ********* -->
然后,在 WEB-INF/classes 上,我将 Owasp.CsrfGuard.properties
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
org.owasp.csrfguard.Enabled = true
org.owasp.csrfguard.ValidateWhenNoSessionExists = false
org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/login.htm?lang=en_US
org.owasp.csrfguard.ProtectedMethods=POST
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Ajax=true
#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=[dyna] potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.htm
#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
#org.owasp.csrfguard.action.RequestAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
#org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
#org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
#org.owasp.csrfguard.action.Error.Code=403
#org.owasp.csrfguard.action.Error.Message=Security violation.
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=64
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.PRNG.Provider=SUN
org.owasp.csrfguard.Config.Print = true
###########################
## Javascript servlet settings if not set in web.xml
## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
###########################
org.owasp.csrfguard.JavascriptServlet.sourceFile = script/csrfguard.js
org.owasp.csrfguard.JavascriptServlet.domainStrict = true
org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project
org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties, classpath:Owasp.CsrfGuard.overlay.properties
org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
tomcat 启动后,我可以在控制台上看到:
INFO: Printing properties before Javascript servlet, note, the javascript properties might not be initialized yet:
*****************************************************
* Owasp.CsrfGuard Properties
*
* Logger: org.owasp.csrfguard.log.JavaLogger
* NewTokenLandingPage: /gdml/login.htm?lang=en_US
* PRNG: SHA1PRNG
* SessionKey: OWASP_CSRFTOKEN
* TokenLength: 64
* TokenName: OWASP_CSRFTOKEN
* Ajax: true
* Rotate: false
* Javascript cache control: null
* Javascript domain strict: false
* Javascript inject attributes: false
* Javascript inject forms: false
* Javascript referer pattern: null
* Javascript referer match domain: false
* Javascript source file: null
* Javascript X requested with: null
* Protected methods: HashSet size: 1: [0]: POST
* Protected pages size: 0
* Unprotected methods: Empty HashSet
* Unprotected pages size: 1
* TokenPerPage: true
* Enabled: true
* ValidateWhenNoSessionExists: false
* Action: org.owasp.csrfguard.action.Log
* Parameter: Message = [dyna] potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
* Action: org.owasp.csrfguard.action.Redirect
* Parameter: Page = /gdml/error.htm
* Action: org.owasp.csrfguard.action.Rotate
*****************************************************
它似乎正在使用默认的 Javascript 属性。除了 Javascript 部分,我可以更改 Owasp.CsrfGuard.properties 属性。也许它们在启动期间稍后会被覆盖。
无论如何,当我尝试登录时,调用了一个 JS,但我总是得到一个错误:
WARNING: [dyna] potential cross-site request forgery (CSRF) attack thwarted (user:giandrea77, ip:10.211.55.2, method:POST, uri:/gdml/authenticate.htm, error:required token is missing from the request)
如果我尝试查看页面源代码,我看不到包含的 JS (csrfguard.js)。那么,如何确定 JS 配置正确?
安德里亚
为了通过 "NewTokenLandingPage" 使令牌自动形成 POST,您需要确保您的客户端和服务器之间没有活动会话。所以,清理所有的cookies再试一次。
此外,提供"csrfguard.js"的JavascriptServlet是另一种CSRF防御机制
您的尝试看起来像 basic installation 没有 ajax 保护。
要提供 Ajax 保护,您的应用程序页面应至少指向 JavaScriptServlet,如下所示:
<!-- OWASP CSRFGuard Ajax Support -->
<script src="/JavaScriptServlet"></script>
您可以在 CSRFGuard Configuration 查看更多内容。
我正在尝试使用 OWASP CSRFGuard 保护我的应用程序,所以我以这种方式配置了 web.xml:
<!-- ********* FILTERS for Preventing CSRF ********* -->
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
<!-- ********* FILTERS for Preventing CSRF ********* -->
然后,在 WEB-INF/classes 上,我将 Owasp.CsrfGuard.properties
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
org.owasp.csrfguard.Enabled = true
org.owasp.csrfguard.ValidateWhenNoSessionExists = false
org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/login.htm?lang=en_US
org.owasp.csrfguard.ProtectedMethods=POST
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Ajax=true
#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=[dyna] potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.htm
#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
#org.owasp.csrfguard.action.RequestAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
#org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
#org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
#org.owasp.csrfguard.action.Error.Code=403
#org.owasp.csrfguard.action.Error.Message=Security violation.
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=64
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.PRNG.Provider=SUN
org.owasp.csrfguard.Config.Print = true
###########################
## Javascript servlet settings if not set in web.xml
## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
###########################
org.owasp.csrfguard.JavascriptServlet.sourceFile = script/csrfguard.js
org.owasp.csrfguard.JavascriptServlet.domainStrict = true
org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project
org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties, classpath:Owasp.CsrfGuard.overlay.properties
org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
tomcat 启动后,我可以在控制台上看到:
INFO: Printing properties before Javascript servlet, note, the javascript properties might not be initialized yet:
*****************************************************
* Owasp.CsrfGuard Properties
*
* Logger: org.owasp.csrfguard.log.JavaLogger
* NewTokenLandingPage: /gdml/login.htm?lang=en_US
* PRNG: SHA1PRNG
* SessionKey: OWASP_CSRFTOKEN
* TokenLength: 64
* TokenName: OWASP_CSRFTOKEN
* Ajax: true
* Rotate: false
* Javascript cache control: null
* Javascript domain strict: false
* Javascript inject attributes: false
* Javascript inject forms: false
* Javascript referer pattern: null
* Javascript referer match domain: false
* Javascript source file: null
* Javascript X requested with: null
* Protected methods: HashSet size: 1: [0]: POST
* Protected pages size: 0
* Unprotected methods: Empty HashSet
* Unprotected pages size: 1
* TokenPerPage: true
* Enabled: true
* ValidateWhenNoSessionExists: false
* Action: org.owasp.csrfguard.action.Log
* Parameter: Message = [dyna] potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
* Action: org.owasp.csrfguard.action.Redirect
* Parameter: Page = /gdml/error.htm
* Action: org.owasp.csrfguard.action.Rotate
*****************************************************
它似乎正在使用默认的 Javascript 属性。除了 Javascript 部分,我可以更改 Owasp.CsrfGuard.properties 属性。也许它们在启动期间稍后会被覆盖。
无论如何,当我尝试登录时,调用了一个 JS,但我总是得到一个错误:
WARNING: [dyna] potential cross-site request forgery (CSRF) attack thwarted (user:giandrea77, ip:10.211.55.2, method:POST, uri:/gdml/authenticate.htm, error:required token is missing from the request)
如果我尝试查看页面源代码,我看不到包含的 JS (csrfguard.js)。那么,如何确定 JS 配置正确?
安德里亚
为了通过 "NewTokenLandingPage" 使令牌自动形成 POST,您需要确保您的客户端和服务器之间没有活动会话。所以,清理所有的cookies再试一次。
此外,提供"csrfguard.js"的JavascriptServlet是另一种CSRF防御机制
您的尝试看起来像 basic installation 没有 ajax 保护。
要提供 Ajax 保护,您的应用程序页面应至少指向 JavaScriptServlet,如下所示:
<!-- OWASP CSRFGuard Ajax Support -->
<script src="/JavaScriptServlet"></script>
您可以在 CSRFGuard Configuration 查看更多内容。