CSRF token not working?

Time: 2015-12-06 06:11:35

Tags: csrf-protection

Hello, I am currently working with CSRFGuard 3. The token validates correctly, but I get the following error.

java.lang.RuntimeException: unable to locate expected parameter Message
at org.owasp.csrfguard.action.AbstractAction.getParameter(AbstractAction.java:61)
at org.owasp.csrfguard.action.Log.execute(Log.java:44)
at org.owasp.csrfguard.CsrfGuard.isValidRequest(CsrfGuard.java:373)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:78)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Please check the code below.

Owasp.CsrfGuard.properties

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
# key name corrected from the misspelled "ProtoctedMethod"
org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Rotate=false
org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.Log.Message=potential cross-site request forgery attack thwarted(user %user%, ip %remote_ip%)
org.owasp.csrfguard.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
**org.owasp.csrfguard.Protect=false**
org.owasp.csrfguard.unprotected.index=/contectpath/index.jsp

When the flag org.owasp.csrfguard.Protect = true is set, the token validation method does not get called by itself.

web.xml

    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
    </listener>
    <context-param>
        <param-name>Owasp.CsrfGuard.Config</param-name>
        <param-value>/WEB-INF/config/Owasp.CsrfGuard.properties</param-value>
    </context-param>
    <context-param>
        <param-name>Owasp.CsrfGuard.Config.Print</param-name>
        <param-value>true</param-value>
    </context-param>

    <filter>
        <filter-name>CSRFGuard</filter-name>
        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CSRFGuard</filter-name>
        <url-pattern>*.html</url-pattern>
    </filter-mapping>

Pressing F12, I can see the csrf:token-value value.

Can anyone help me? What am I doing wrong?

1 answer:

Answer 0: (score: 0)

The configuration example in the OWASP blog is incorrect. The Log action's "Message" parameter needs to be changed from org.owasp.csrfguard.Log.Message= to org.owasp.csrfguard.action.Log.Message= in that properties file.

Configuration reference: https://www.owasp.org/index.php/CSRFGuard_3_Configuration
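As an added example (not code from the question, the answer or the CSRFGuard project), a small Python lint that reads an Owasp.CsrfGuard.properties file and flags action parameters written outside the org.owasp.csrfguard.action.<Name>.<Param> namespace the answer describes. It generalizes slightly beyond the answer by also flagging action declarations written outside that namespace, which is the shape of the Redirect line in the question. The namespace layout is assumed from the CSRFGuard 3 configuration reference linked above; the sample input is constructed from the question's properties.

```python
import re

# Assumed CSRFGuard 3 layout: an action is declared as
# org.owasp.csrfguard.action.<Name>=<class>, and its parameters are read from
# org.owasp.csrfguard.action.<Name>.<Param>. Anything else is ignored by CSRFGuard.
ROOT_PREFIX = "org.owasp.csrfguard."
ACTION_PREFIX = ROOT_PREFIX + "action."

# Constructed sample: the relevant lines of the properties file from the question.
SAMPLE_PROPERTIES = """\
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.Log.Message=potential cross-site request forgery attack thwarted(user %user%, ip %remote_ip%)
org.owasp.csrfguard.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.Protect=false
org.owasp.csrfguard.unprotected.index=/contectpath/index.jsp
"""

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comments.
    Line continuations and escapes are not handled (not needed for this file)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def misplaced_action_params(props):
    """(bad_key, suggested_key) for parameters written as org.owasp.csrfguard.<Action>.<Param>
    for a declared action. CSRFGuard only looks under the action.* namespace, so the action
    fails at request time with 'unable to locate expected parameter'."""
    declared = {k[len(ACTION_PREFIX):] for k in props
                if k.startswith(ACTION_PREFIX) and "." not in k[len(ACTION_PREFIX):]}
    findings = []
    for key in props:
        if key.startswith(ACTION_PREFIX) or not key.startswith(ROOT_PREFIX):
            continue
        action, sep, param = key[len(ROOT_PREFIX):].partition(".")
        if sep and action in declared:
            findings.append((key, f"{ACTION_PREFIX}{action}.{param}"))
    return findings

def undeclared_actions(props):
    """(bad_key, suggested_key) for keys that assign an action class outside the
    action.* namespace, so CSRFGuard never instantiates that action at all."""
    return [(k, ACTION_PREFIX + k[len(ROOT_PREFIX):]) for k, v in props.items()
            if v.startswith(ACTION_PREFIX) and k.startswith(ROOT_PREFIX)
            and not k.startswith(ACTION_PREFIX)]

def lint(text):
    props = parse_properties(text)
    return misplaced_action_params(props) + undeclared_actions(props)
```

Running `lint(SAMPLE_PROPERTIES)` reports the Log.Message key from the answer and the Redirect declaration, each with the key CSRFGuard actually reads.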