Blank page and empty response when using OWASP CSRF Guard

Problem description (votes: 0, answers: 1)

I am trying to implement OWASP CSRF Guard in a web application I am updating (written in Java 17, running on a Tomcat 10.1.25 server). We have been using the ESAPI library, but since we only use 6 distinct methods from it, we decided to switch to smaller libraries. Based on all the research I have done, I really only need the OWASP Java HTML Sanitizer and OWASP CSRF Guard. I implemented the HTML Sanitizer without any problems, but I can't seem to work out a few issues with CSRF Guard.

I have been trying to read and apply the sample code I found:

but I must not be understanding it and applying it correctly. Here is what happens:

  1. I run my application (from Eclipse)
  2. The server starts without problems (I see the CSRF Guard configuration printed)
  3. The web app opens (but images and CSS files do not load)
  4. I try to log in to the web app
  5. The login servlet is initialized, but the doPost() method does not run
  6. It takes me to a blank page

Sometimes I land on a blank page immediately after starting the application.

My web.xml looks like:

  <context-param>
    <param-name>Owasp.CsrfGuard.Config</param-name>
    <param-value>WEB-INF/csrfguard.properties</param-value>
  </context-param>
  
  <listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
  </listener>
  
  <listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
  </listener>
  
  <filter>
    <filter-name>AccessFilter</filter-name>
    <filter-class>wy.web.app.security.AccessFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AccessFilter</filter-name>
    <url-pattern>/*</url-pattern> <!-- */ -->
  </filter-mapping>
  
  <filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/*</url-pattern> <!-- */ -->
  </filter-mapping>
  
  <servlet>
    <servlet-name>JavaScriptServlet</servlet-name>
    <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
  </servlet>
  
  <servlet-mapping>
    <servlet-name>JavaScriptServlet</servlet-name>
    <url-pattern>/JavaScriptServlet</url-pattern>
  </servlet-mapping>
    
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
  </welcome-file-list>

My csrfguard.properties file is as follows:

org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
org.owasp.csrfguard.Enabled = true

# have tested both "true" and "false"
org.owasp.csrfguard.ValidateWhenNoSessionExists = true

org.owasp.csrfguard.TokenLength = 32
org.owasp.csrfguard.TokenName = OWASP-CSRFTOKEN
org.owasp.csrfguard.SessionKey = OWASP-CSRFTOKEN
org.owasp.csrfguard.PRNG = SHA1PRNG
org.owasp.csrfguard.PRNG.Provider = SUN

org.owasp.csrfguard.Ajax = true

org.owasp.csrfguard.LogicalSessionExtractor = org.owasp.csrfguard.session.SessionTokenKeyExtractor

org.owasp.csrfguard.JavascriptServlet.sourceFile = WEB-INF/Owasp.CsrfGuard.js
org.owasp.csrfguard.JavascriptServlet.domainStrict = false
org.owasp.csrfguard.JavascriptServlet.cacheControl = private, max-age=28800, no-cache, no-store, must-revalidate
org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
# have tested both "true" and "false"
org.owasp.csrfguard.JavascriptServlet.refererMatchProtocol = false
# have tested both "true" and "false"
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = false
org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
org.owasp.csrfguard.JavascriptServlet.injectIntoDynamicNodes = false
org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project
org.owasp.csrfguard.JavascriptServlet.UnprotectedExtensions = js, css, gif, png, ico, jpg

org.owasp.csrfguard.configOverlay.hierarchy = file:WEB-INF/csrfguard.properties

# Mark the login page as unprotected, at least for testing
org.owasp.csrfguard.unprotected.Login = %servletContext%/login.jsp
org.owasp.csrfguard.unprotected.Error = %servletContext%/error.jsp

# Actions to perform when an attack is detected
# 1. Log the information
org.owasp.csrfguard.action.Log = org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message = Potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
# 2. Rotate the token; not supported with AJAX
#org.owasp.csrfguard.action.Rotate = org.owasp.csrfguard.action.Rotate
# 3. Invalidate the token that was misused
#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
# 4. Redirect the user/hacker to a specific page
#org.owasp.csrfguard.action.Redirect = org.owasp.csrfguard.action.Redirect
#org.owasp.csrfguard.action.Redirect.Page = /Owasp.CsrfGuard.Test/error.html
org.owasp.csrfguard.Logger = org.owasp.csrfguard.log.JavaLogger
org.owasp.csrfguard.log.JavaLogger.level = TRACE
org.owasp.csrfguard.Config.Print = true
org.owasp.csrfguard.forceSynchronousAjax = true

Why does the next page not load? Why is there no error?

Tags: java csrf owasp

1 answer

0 votes

I found the answer to this question while writing it up! At step #5 of the process I described, I thought to look at someone else's csrfguard.properties file and saw this line:

org.owasp.csrfguard.ProtectedMethods=POST

But because it is commented out in CSRF Guard's own file, I assumed it had some default setting, but apparently it does not! Adding that line solved the problem!

I also think I might have noticed this problem sooner if I had set up an error page.
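Added example, not part of the question or answer above and not code from the CSRFGuard project: a small Python linter that reads a csrfguard.properties file the way java.util.Properties does and flags the settings behind the symptoms in this thread. A commented-out key sets nothing, so without a ProtectedMethods (or UnprotectedMethods) line CSRFGuard, as I read its documented behaviour, validates every request method, GET included, which fits the stylesheets and images failing to load and the login page going nowhere. And when the only configured action is Log, a request that fails validation is recorded but not passed down the filter chain, so the browser receives an empty response rather than an error page. The key names are those in the posted file; the two sample configs are constructed, abbreviated versions of it, and the finding codes are this script's own labels.

```python
import re

PREFIX = "org.owasp.csrfguard."

# Constructed sample: an abbreviated version of the questioner's csrfguard.properties,
# reduced to the keys the checks below look at. The Redirect action is present
# only as a comment, exactly as on the page.
POSTED_CONFIG = """
org.owasp.csrfguard.Enabled = true
org.owasp.csrfguard.ValidateWhenNoSessionExists = true
org.owasp.csrfguard.Ajax = true
org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = false
org.owasp.csrfguard.unprotected.Login = %servletContext%/login.jsp
org.owasp.csrfguard.action.Log = org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message = CSRF attack thwarted (uri:%request_uri%)
#org.owasp.csrfguard.action.Redirect = org.owasp.csrfguard.action.Redirect
#org.owasp.csrfguard.action.Redirect.Page = /Owasp.CsrfGuard.Test/error.html
"""

# Constructed: the same file with the fix from the answer, the Referer check
# restored, and a Redirect action so a rejected request shows an error page
# instead of an empty body. Later lines override earlier ones, as in Properties.
FIXED_CONFIG = POSTED_CONFIG + """
org.owasp.csrfguard.ProtectedMethods = POST
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
org.owasp.csrfguard.action.Redirect = org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page = %servletContext%/error.jsp
"""


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: blank lines and lines starting with
    '#' or '!' are skipped, keys and values are split on '=' or ':' and trimmed.
    A key that appears only inside a comment is therefore absent, not defaulted."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint(props: dict) -> list:
    """Return (code, message) pairs for settings that make CSRFGuard fail silently
    or validate more broadly than intended."""
    findings = []

    def key(suffix: str) -> str:
        return PREFIX + suffix

    if props.get(key("Enabled"), "true").lower() != "true":
        findings.append(("Disabled", "Enabled is not true; no request is validated"))

    # 1. Which HTTP methods are validated. With neither list set, every request,
    #    including the GETs for pages, CSS and images, must carry a valid token.
    protected = {m.strip().upper()
                 for m in props.get(key("ProtectedMethods"), "").split(",") if m.strip()}
    if not protected and key("UnprotectedMethods") not in props:
        findings.append(("ProtectedMethods",
                         "neither ProtectedMethods nor UnprotectedMethods is set: every "
                         "method, GET included, requires a token, so plain navigation fails"))
    elif protected:
        unlisted = {"PUT", "DELETE", "PATCH"} - protected
        if props.get(key("Ajax"), "false").lower() == "true" and unlisted:
            findings.append(("StateChangingVerbs",
                             f"Ajax is enabled but {sorted(unlisted)} are not in "
                             "ProtectedMethods; state-changing endpoints on those verbs "
                             "are not validated"))

    # 2. What happens on a failed validation. Log, Invalidate and Rotate only record
    #    or reset state; without Redirect, Forward or Error the client gets an empty body.
    action_prefix = key("action.")
    actions = {k[len(action_prefix):] for k in props
               if k.startswith(action_prefix) and "." not in k[len(action_prefix):]}
    if not actions & {"Redirect", "Forward", "Error"}:
        findings.append(("SilentFailure",
                         f"actions configured: {sorted(actions) or 'none'}; add Redirect, "
                         "Forward or Error so a rejected request is visible"))

    # 3. A debug-only relaxation of the Referer check on the servlet that serves
    #    the token script; it should not ship disabled.
    if props.get(key("JavascriptServlet.refererMatchDomain"), "true").lower() == "false":
        findings.append(("RefererCheck",
                         "JavascriptServlet.refererMatchDomain=false disables the domain "
                         "check on the token servlet; re-enable it before release"))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"--- {name} config ---")
        for code, msg in lint(parse_properties(text)):
            print(f"[{code}] {msg}")
```

Run against the posted config it reports ProtectedMethods, SilentFailure and RefererCheck; against the fixed config only StateChangingVerbs remains, which is the follow-up question to ask once POST-only validation works: whether any AJAX endpoint in the application changes state on PUT, DELETE or PATCH.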
