
Sri Lanka Institute of Information Technology.

SOFTWARE SECURITY - IE5042


Lab 03

Student ID: MS22910172
Student Name: P. M. I. N. Kumara
Master of Science in Information Technology, Cyber Security

1|Page
• Secure the app against Cross-Site Request Forgery (CSRF) attacks by using
the synchronizer token pattern or the double submit cookie pattern.

• If you are familiar with PHP or any other server-side technology, you
may implement a similar fix on a similar web site.

The OWASP CSRFGuard library (csrfguard.jar) is used to secure the application against CSRF attacks. It implements the synchronizer token pattern: a secret token is generated per session, embedded in every form, and verified by a servlet filter on every state-changing request, so a request forged from another site (which carries the session cookie but cannot read the token) is rejected.

(1) Adding the OWASP CSRFGuard library to the Maven project

• Add the dependency below to the project's pom.xml

<!-- https://mvnrepository.com/artifact/org.owasp/csrfguard -->
<dependency>
    <groupId>org.owasp</groupId>
    <artifactId>csrfguard</artifactId>
    <version>3.0.0</version>
</dependency>

(2) Change the WEB-INF/web.xml deployment descriptor

Add the XML elements below inside the <web-app> element of WEB-INF/web.xml

<!-- Include the servlet context listener -->
<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>

<!-- Include the HTTP session listener -->
<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>

<!-- Define the Owasp.CsrfGuard.properties file location -->
<context-param>
    <param-name>Owasp.CsrfGuard.Config</param-name>
    <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
</context-param>

<!-- OPTIONAL: log the parsed properties to the application log -->
<context-param>
    <param-name>Owasp.CsrfGuard.Config.Print</param-name>
    <param-value>true</param-value>
</context-param>

<!-- Filter that integrates the CsrfGuard object and the token verification logic -->
<filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>

<!-- Apply CSRF protection to all URLs -->
<filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

(3) Define the behaviour of CSRFGuard in WEB-INF/Owasp.CsrfGuard.properties

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE

org.owasp.csrfguard.TokenPerPage=false
org.owasp.csrfguard.Rotate=false
org.owasp.csrfguard.Ajax=true

org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery attack thwarted (user %user%, ip %remote_ip%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN

org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.Protect=true
org.owasp.csrfguard.unprotected.index=/contextpath/error.jsp

Here /contextpath stands for the web application's context path. Two things to check before relying on this file: in CSRFGuard 3.x, org.owasp.csrfguard.Protect=true means that only URIs listed under org.owasp.csrfguard.protected.* are protected, while the default Protect=false protects every URI except those listed under org.owasp.csrfguard.unprotected.*; since no protected.* entries are listed here, set Protect=false (or add protected.* entries) and confirm the result by sending a POST without the token, which must be rejected. The Redirect action also needs its target page set with org.owasp.csrfguard.action.Redirect.Page.

(4) Change the form method to "POST" in index.jsp, since the filter only verifies the token on the protected methods (POST, PUT, DELETE)

(5) Implement the doPost method in the servlet

(6) Add the CSRF token as a hidden input in the form, using the CSRFGuard JSP tag library

<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
...
<input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/>

The input name must be the configured token name (org.owasp.csrfguard.TokenName, here OWASP_CSRFTOKEN), which <csrf:token-name/> renders; CsrfGuardFilter looks for a request parameter of exactly that name, so a field named "token" would be ignored and the POST rejected as missing its token.

(7) Compare the received token with the token stored in the session

CsrfGuardFilter already rejects POST, PUT and DELETE requests whose token does not match, so this check inside doPost is defence in depth that re-verifies the same thing. Note that the token arrives as a form parameter, not a header, that CsrfGuard.PAGE_TOKENS_KEY is a constant naming a session attribute rather than the token itself, and that strings must not be compared with == (reference equality). Required imports: org.owasp.csrfguard.CsrfGuard, javax.servlet.http.HttpSession, javax.servlet.http.HttpServletResponse, java.security.MessageDigest, java.nio.charset.StandardCharsets.

CsrfGuard csrfGuard = CsrfGuard.getInstance();
// The token is submitted as the form parameter named by org.owasp.csrfguard.TokenName
String token = request.getParameter(csrfGuard.getTokenName());
// The expected token is the one CSRFGuard stored in the session under org.owasp.csrfguard.SessionKey
HttpSession session = request.getSession(false);
String actualToken = (session == null) ? null : (String) session.getAttribute(csrfGuard.getSessionKey());
// Constant-time byte comparison: neither == nor equals() is appropriate for a secret
if (token != null && actualToken != null
        && MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8), actualToken.getBytes(StandardCharsets.UTF_8))) {
    response.sendRedirect("welcome.jsp");
} else {
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
}
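The following class is an added example, not part of the lab report and not CSRFGuard's own code. It implements the synchronizer token pattern that steps (1) to (7) configure, in plain Java with no servlet container, so the whole flow can be run and read end to end: per-session token generation with SecureRandom, the hidden field a JSP would render, and the filter-side decision that lets safe methods through and rejects a state-changing request whose token is missing or wrong. The Session and Request classes are stand-ins for HttpSession and HttpServletRequest; the token name and the protected-method list mirror the properties file above, and the constant-time comparison is the same MessageDigest.isEqual used in step (7). Everything else (the "amount" parameter, the guessed token string) is constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Synchronizer token pattern in plain Java (added example; stand-ins replace the servlet API). */
public class CsrfSynchronizerTokenDemo {

    static final String TOKEN_NAME = "OWASP_CSRFTOKEN"; // same name as org.owasp.csrfguard.TokenName
    static final int TOKEN_LENGTH_BYTES = 32;           // same as org.owasp.csrfguard.TokenLength
    private static final SecureRandom RNG = new SecureRandom();

    /** Stand-in for HttpSession: server-side attributes the browser can never read. */
    static final class Session {
        final Map<String, Object> attributes = new HashMap<>();
    }

    /** Stand-in for HttpServletRequest: HTTP method plus submitted form parameters. */
    static final class Request {
        final String method;
        final Map<String, String> params;
        Request(String method, Map<String, String> params) { this.method = method; this.params = params; }
    }

    /** Returns the session's token, creating it on first use (what the session listener does). */
    static String tokenFor(Session session) {
        String token = (String) session.attributes.get(TOKEN_NAME);
        if (token == null) {
            byte[] raw = new byte[TOKEN_LENGTH_BYTES];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.attributes.put(TOKEN_NAME, token);
        }
        return token;
    }

    /** What index.jsp renders with <csrf:token-name/> and <csrf:token-value/>. */
    static String hiddenField(Session session) {
        return "<input type=\"hidden\" name=\"" + TOKEN_NAME + "\" value=\"" + tokenFor(session) + "\"/>";
    }

    /**
     * Filter decision: methods outside the protected list pass; POST, PUT and DELETE must carry
     * a parameter named TOKEN_NAME whose value equals the session token. The comparison is
     * constant-time so response timing does not leak how many leading bytes were correct.
     */
    static boolean isValidRequest(Session session, Request req) {
        if (!(req.method.equals("POST") || req.method.equals("PUT") || req.method.equals("DELETE"))) {
            return true;
        }
        String expected = (String) session.attributes.get(TOKEN_NAME);
        String presented = req.params.get(TOKEN_NAME);
        if (expected == null || presented == null) {
            return false; // no session token yet, or the form did not include one
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Session victim = new Session();
        String token = tokenFor(victim);
        System.out.println("rendered field: " + hiddenField(victim));

        // Legitimate submission: the browser posts back the hidden field the server rendered.
        Map<String, String> good = new HashMap<>();
        good.put("amount", "100");
        good.put(TOKEN_NAME, token);
        System.out.println("legitimate POST accepted: " + isValidRequest(victim, new Request("POST", good)));

        // Forged cross-site request: the attacker's page makes the victim's browser send the
        // session cookie, but cannot read the token, so at best it submits a guess.
        Map<String, String> forged = new HashMap<>();
        forged.put("amount", "100");
        forged.put(TOKEN_NAME, "guessed-token");
        System.out.println("forged POST accepted: " + isValidRequest(victim, new Request("POST", forged)));

        // A GET without a token is still allowed, which is why GET handlers must never change state.
        System.out.println("GET without token accepted: " + isValidRequest(victim, new Request("GET", new HashMap<>())));
    }
}
```

Compile and run with javac and java on any JDK 8 or later. The legitimate POST is accepted, the forged POST with the guessed token is rejected, and the token-less GET passes; the last case is the reason step (4) switches the form to POST, because the filter does not verify GET requests.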
