MS22910172 - Lab 3
• Secure the app against Cross site request forgery (CSRF) attack by using
the Synchronizer token pattern or the Double submit cookie pattern.
• If you are familiar with PHP or any other server-side technology, you
may implement a similar fix on a similar web site.
The OWASP CSRFGuard library (csrfguard.jar), which implements the synchronizer token pattern, is used to secure the application against CSRF attacks. It is added as a Maven dependency:
<!-- https://mvnrepository.com/artifact/org.owasp/csrfguard -->
<dependency>
    <groupId>org.owasp</groupId>
    <artifactId>csrfguard</artifactId>
    <version>3.0.0</version>
</dependency>

The filter is registered in web.xml (the fragment continues from the previous page's context parameters):
<context-param>
    <param-name>Owasp.CsrfGuard.Config.Print</param-name>
    <param-value>true</param-value>
</context-param>
<!-- Used to integrate the CSRFGuard object and token verification logic -->
<filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<!-- Apply CSRF protection to all URLs -->
<filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Owasp.CsrfGuard.properties:
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
# Only state-changing methods are checked; GET requests pass without a token
org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
org.owasp.csrfguard.TokenPerPage=false
org.owasp.csrfguard.Rotate=false
org.owasp.csrfguard.Ajax=true
# Actions taken when a request fails token verification
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery attack thwarted (user %user%, ip %remote_ip%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
# Assumed target of the Redirect action: the unprotected error page declared below
org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.jsp
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.Protect=true
# %servletContext% is expanded by CSRFGuard to the application's context path
org.owasp.csrfguard.unprotected.index=%servletContext%/error.jsp
(4) Change the form method to "POST" in index.jsp (the properties above only protect POST, PUT and DELETE requests, so a form submitted with GET would not be checked by the filter).
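To show what the CSRFGuard filter configured above is doing for the application, here is a stripped-down synchronizer-token filter as an added example; it is my own illustrative code, not CSRFGuard's, and the class and method names (SimpleCsrfFilter, tokenFor, isValid) are hypothetical.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical minimal synchronizer-token filter (not CSRFGuard's code).
public class SimpleCsrfFilter implements Filter {
    // Same parameter/session name the lab's Owasp.CsrfGuard.properties uses.
    static final String TOKEN_NAME = "OWASP_CSRFTOKEN";
    private static final SecureRandom RNG = new SecureRandom();
    // Return the session's token, creating a 32-byte random one on first use.
    static synchronized String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_NAME);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_NAME, token);
        }
        return token;
    }
    // Constant-time comparison so the check leaks nothing about the stored token.
    static boolean isValid(String expected, String submitted) {
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(), submitted.getBytes());
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String m = r.getMethod();
        if ("POST".equals(m) || "PUT".equals(m) || "DELETE".equals(m)) {
            // State-changing request: token must come as a form field or (AJAX) a header.
            String submitted = r.getParameter(TOKEN_NAME);
            if (submitted == null) submitted = r.getHeader(TOKEN_NAME);
            if (!isValid(tokenFor(r.getSession(true)), submitted)) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return; // a forged cross-site form post never carries the session's token
            }
        } else {
            tokenFor(r.getSession(true)); // GET: ensure a token exists for the page to embed
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig c) {}
    @Override public void destroy() {}
}
```

index.jsp would embed the token as a hidden field, `<input type="hidden" name="OWASP_CSRFTOKEN" value="<%= SimpleCsrfFilter.tokenFor(session) %>">`, and the filter would be mapped to /* in web.xml exactly as CSRFGuard is above.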