Issue with the token-per-page support for REST endpoint containing path parameters #146
Comments
|
hi, @forgedhallpass We may have a peculiar use case, but the changes here have made it difficult / impossible for us to test resources which are protected by CSRFGuard. Until 4.0.0 we were making a POST to JavaScriptServlet with the Such testing (via frameworks with Javascript execution support) is presumably common, and i'm not sure how they can now be supported... Edit: there is an interesting comment on this commit:
this does not seem to be the case, but if it was it might be enough for us to adapt tests to use. |
|
hello @jellisgwn,
You can still mimic the same behavior in a slightly different manner:
Could you please elaborate on this? You mean you want to create automated (integration) tests that are not executed through a browser? Normally if you don't have a browser client, you don't need CSRF support, hence you could just disable CSRFGuard for the back-end (module) integration tests. For front-end/e2e test scenarios you might want to consider using Selenium or other frameworks that execute JavaScript through WebDriver or a similar technology.
The customizable user-properties and their relations/valid combinations are mostly documented in the csrfguard.properties. There is a sample test application intended for testing different combinations of such properties. You can build it yourself, or download the pre-built WAR from the Maven Central repository. If you find a combination of parameters that do not work together as expected, please create an issue, attach the used configurations and describe the steps so I can try to reproduce it. The project has been moved to its official location, please use that one in the future. |
|
Hi, @forgedhallpass Yep, i was trying to avoid having to do step 2, but most likely that is what it's going to take. We have a bunch of tests using a fairly lightweight framework: https://github.com/rest-assured/rest-assured There are indeed lots of other ways to do the testing but these are the tests that we have :) Ok, new issues in the new place. As these issues were all still open it seemed as good a place as any. |
You won't be able to do skip this step. The purpose of this approach is to make stealing page tokens harder. Basically you are trying to mimic/mock the front-end logic of CSRFGuard. Extracting the master token from the JavaScript is pretty easy to implement using a regex, but depending on your requirements, certain parameter combinations might require additional (more complex) logic. All in all, what you are doing is not a good practice, because most probably you will end up in similar situations every time a 3rd party library you are using is being modified. Normally:
|
|
My only input here was that the tokens were returned from the POST prior to 4.0.0. |
Yes, and I have tried to explain it to you:
I hope I was able to make myself clear. Let me know if you run into problems :) |
|
All clear. |
Hey, I'm trying to upgrade csrfGuard from 3.1.0 to 4.0.0. i tried to follow above 3 steps you given but i didn't get token back from last step which is post call. i just get empty object in pageToken. response preview {pageToken:{}}; |
|
Hello @Vidhi-123, What exactly do you want to achieve? Also note that the official repository is at: https://github.com/OWASP/www-project-csrfguard |
|
hello @forgedhallpass, I want to upgrade csrfguard jar from 3.1.0 to 4.0.0 , i have followed the same as given in https://github.com/OWASP/www-project-csrfguard. when i try to login my master token has generated , then i extract that token from javascriptservlet and try to make POST call for javascriptServlet to get page token but i got empty object in that. |
|
On Fri, 17 Dec 2021 at 2:58 PM, forgedhallpass ***@***.***> wrote:
Hello @Vidhi-123 <https://github.com/Vidhi-123>,
What exactly do you want to achieve?
Also note that the official repository is at:
https://github.com/OWASP/www-project-csrfguard
—
Reply to this email directly, view it on GitHub
<#146 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AJONPKJOCAHCTVR44O2H7V3URL7DDANCNFSM4RLKTGTA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
Hi I have already replied back with my issue can u please help me out for
the same
Regards
Vidhi shah
|
You said upgrade, and the question from the previous user was about mimicking/replicating the JavaScript logic for integration testing purposes. These are two different topics, and the latter was answered above. I'll also repeat, this is NOT the official OWASP CSRF Guard repository! The new CSRF Guard dependencies are described here: https://github.com/OWASP/www-project-csrfguard#using-with-maven. There is also a test application that is configured to use the latest version of the solution. You can use that as an example and for testing. The details on how to build it can be found on the readme page's "Building the code section". Relevant discussion: OWASP/www-project-csrfguard#43 |
Example:
/departments/{dept}/employees/{id}The
deptandidstrings are dynamic path parameters. Creating page tokens for the whole path could rapidly lead to performance issues and might also defeat the reason of using page tokens, because an attacker could force the solution to revert to master token validation by providing unique identifier to path parameters. The severity of this problem is lower, because the attacker must have access to the master token.Possible solution:
/departments/.*/employees/.*)The text was updated successfully, but these errors were encountered: