I'm trying to implement OWASP CSRF Guard in a web application I'm updating (written in Java 17, running on a Tomcat 10.1.25 server). We had been using the ESAPI library, but since we only used 6 distinct methods from it, we decided to switch to smaller libraries. Based on all the research I've done, I really only need the OWASP Java HTML Sanitizer and OWASP CSRF Guard. I implemented the HTML Sanitizer without any problems, but I can't seem to get past some issues with CSRF Guard.
I've been trying to read and apply the sample code I found:
But I must not be understanding it and applying it correctly. Here's what happens: the doPost() method doesn't run, and sometimes right after starting the application I land on a blank page.
My web.xml looks like:
<!-- CSRFGuard configuration file, resolved relative to the web application root -->
<context-param>
    <param-name>Owasp.CsrfGuard.Config</param-name>
    <param-value>WEB-INF/csrfguard.properties</param-value>
</context-param>

<!-- CSRFGuard listeners: load the configuration and hook session lifecycle -->
<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>

<!-- Application's own access-control filter, runs before CSRFGuard -->
<filter>
    <filter-name>AccessFilter</filter-name>
    <filter-class>wy.web.app.security.AccessFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>AccessFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- CSRFGuard token validation on every request -->
<filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Serves the client-side script that injects tokens into forms/links -->
<servlet>
    <servlet-name>JavaScriptServlet</servlet-name>
    <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>JavaScriptServlet</servlet-name>
    <url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

<welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
</welcome-file-list>
My csrfguard.properties file is as follows:
org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
org.owasp.csrfguard.Enabled = true
# have tested both "true" and "false"
org.owasp.csrfguard.ValidateWhenNoSessionExists = true
org.owasp.csrfguard.TokenLength = 32
org.owasp.csrfguard.TokenName = OWASP-CSRFTOKEN
org.owasp.csrfguard.SessionKey = OWASP-CSRFTOKEN
org.owasp.csrfguard.PRNG = SHA1PRNG
org.owasp.csrfguard.PRNG.Provider = SUN
org.owasp.csrfguard.Ajax = true
org.owasp.csrfguard.LogicalSessionExtractor = org.owasp.csrfguard.session.SessionTokenKeyExtractor
# JavaScriptServlet settings (the script injected into pages)
org.owasp.csrfguard.JavascriptServlet.sourceFile = WEB-INF/Owasp.CsrfGuard.js
org.owasp.csrfguard.JavascriptServlet.domainStrict = false
# Cache-Control directive is "max-age", not "maxage"
org.owasp.csrfguard.JavascriptServlet.cacheControl = private, max-age=28800, no-cache, no-store, must-revalidate
org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
# have tested both "true" and "false"
org.owasp.csrfguard.JavascriptServlet.refererMatchProtocol = false
# have tested both "true" and "false"
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = false
org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
org.owasp.csrfguard.JavascriptServlet.injectIntoDynamicNodes = false
org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project
org.owasp.csrfguard.JavascriptServlet.UnprotectedExtensions = js, css, gif, png, ico, jpg
org.owasp.csrfguard.configOverlay.hierarchy = file:WEB-INF/csrfguard.properties
# Mark the login page as unprotected, at least for testing
org.owasp.csrfguard.unprotected.Login = %servletContext%/login.jsp
org.owasp.csrfguard.unprotected.Error = %servletContext%/error.jsp
# Actions to perform when an attack is detected
# 1. Log the information
org.owasp.csrfguard.action.Log = org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message = Potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
# 2. Rotate the token; not supported with AJAX
#org.owasp.csrfguard.action.Rotate = org.owasp.csrfguard.action.Rotate
# 3. Invalidate the token that was misused
#org.owasp.csrfguard.action.Invalidate = org.owasp.csrfguard.action.Invalidate
# 4. Redirect the user/hacker to a specific page
#org.owasp.csrfguard.action.Redirect = org.owasp.csrfguard.action.Redirect
#org.owasp.csrfguard.action.Redirect.Page = /Owasp.CsrfGuard.Test/error.html
org.owasp.csrfguard.Logger = org.owasp.csrfguard.log.JavaLogger
org.owasp.csrfguard.log.JavaLogger.level = TRACE
org.owasp.csrfguard.Config.Print = true
org.owasp.csrfguard.forceSynchronousAjax = true
Why won't the next page load? Why is there no error?
I found the answer to this question while writing this post! In step #5 of the process I described, I had seen this line in someone else's csrfguard.properties file:
org.owasp.csrfguard.ProtectedMethods=POST
But since it was commented out in CSRF Guard's own file, I assumed it had some default setting; apparently not! Adding that line solved the problem.
I also think that if I had set up an error page, I might have noticed this problem sooner.
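As an added illustration (not part of the question, the answer, or the CSRFGuard project's shipped configuration), the fragment below places the setting that caused the blank page next to its corrected form, and adds the Redirect action the answer wishes had been in place. The property names are the ones already used in the question; the error page path and the extra verbs in the protected list are assumptions for the example.

```properties
# Added example, not from the original post. Assumes CSRFGuard 4.x property names
# as used in the question above; the paths below are placeholders.

# --- Before: ProtectedMethods not set ---
# When org.owasp.csrfguard.ProtectedMethods is absent or empty, CSRFGuard treats
# every HTTP method as protected. A plain GET for a page that is not listed under
# org.owasp.csrfguard.unprotected.* and does not yet carry a token is therefore
# rejected; with only the Log action configured, the browser shows a blank page
# and the only trace is a log line.
#org.owasp.csrfguard.ProtectedMethods =

# --- After: only state-changing verbs require a token ---
# GET/HEAD/OPTIONS pass through, which is safe only if your GET handlers have no
# side effects (a GET that changes state is forgeable regardless of CSRFGuard).
org.owasp.csrfguard.ProtectedMethods = POST,PUT,DELETE,PATCH

# Pages that must load without a token (the login page is the first GET of a session)
org.owasp.csrfguard.unprotected.Login = %servletContext%/login.jsp
org.owasp.csrfguard.unprotected.Error = %servletContext%/error.jsp

# Make a rejected request visible instead of silent: log it, then redirect to an
# unprotected error page. Redirect.Page is the path the browser requests; prefix it
# with your context path if the app is not deployed at the root (assumption).
org.owasp.csrfguard.action.Log = org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message = CSRF token check failed (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Redirect = org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page = /error.jsp
```

A quick check after the change: a GET to any JSP should render without a token, a POST without the OWASP-CSRFTOKEN parameter or header should land on error.jsp with a log entry, and a POST made through a form that the injected script has processed should reach doPost(). If the second case still shows a blank page rather than error.jsp, the error page itself is being caught by the filter and needs the unprotected entry above.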