I am trying to integrate the CSRFGuard library (org.owasp csrfguard 3.1.0) to fix some CSRF vulnerabilities in my application. However, after configuring it as specified here, I now get the following message:
Here I want to explain the situation in which I get this message. Suppose my application's landing page looks like this
The code for this page (HelloWorld.jsp) is
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib uri="csrfguard.tld" prefix="csrf" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Insert title here</title>
    <script>
        // Reads the query parameter `name` out of `url` (defaults to the current location).
        function getParameterByName(name, url) {
            if (!url) {
                url = window.location.href;
            }
            name = name.replace(/[\[\]]/g, "\\$&");
            var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
                results = regex.exec(url);
            if (!results) return null;
            if (!results[2]) return '';
            return decodeURIComponent(results[2].replace(/\+/g, " "));
        }

        // Copies the CSRF token found in the form's current action URL onto the
        // URL of the selected page, then submits the form there.
        function changePage(form) {
            var selectedIndex = form.selectedPage.selectedIndex;
            var selectedValue = form.selectedPage.options[selectedIndex].value;
            var csrftoken = getParameterByName("OWASP_CSRFTOKEN", form.action);
            if (selectedValue == 'A') {
                form.action = "A.html?OWASP_CSRFTOKEN=" + csrftoken;
            }
            if (selectedValue == 'LA') {
                form.action = "helloWorld.do?OWASP_CSRFTOKEN=" + csrftoken;
            }
            form.submit();
        }
    </script>
</head>
<body>
    <h3>Select request page from this dropdown</h3>
    <form name="test" method="post" action="" id="LAP">
        <select name="selectedPage" class="pageSelection">
            <option value="LA" selected>Landing Page</option>
            <option value="A">A page</option>
        </select>
        <input type="button" name="adding" value="Go" onClick="changePage(this.form);"/>
        <!--<input type="submit" name="adding" value="submit"/>-->
    </form>
</body>
<script src="JavaScriptServlet"></script>
</html>
Now I try to navigate to the A.html page using the dropdown. The page looks like
Now I notice that no new token is generated for the form
<!DOCTYPE html>
<html>
<head>
    <meta charset="ISO-8859-1">
    <title>A page</title>
    <script>
        // Reads the query parameter `name` out of `url` (defaults to the current location).
        function getParameterByName(name, url) {
            if (!url) {
                url = window.location.href;
            }
            name = name.replace(/[\[\]]/g, "\\$&");
            var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
                results = regex.exec(url);
            if (!results) return null;
            if (!results[2]) return '';
            return decodeURIComponent(results[2].replace(/\+/g, " "));
        }

        // Same navigation helper as on the landing page: carries the token from
        // the current action URL over to the selected page and submits.
        function changePage(form) {
            var selectedIndex = form.selectedPage.selectedIndex;
            var selectedValue = form.selectedPage.options[selectedIndex].value;
            var csrftoken = getParameterByName("OWASP_CSRFTOKEN", form.action);
            if (selectedValue == 'A') {
                form.action = "A.html?OWASP_CSRFTOKEN=" + csrftoken;
            }
            if (selectedValue == 'LA') {
                form.action = "helloWorld.do?OWASP_CSRFTOKEN=" + csrftoken;
            }
            form.submit();
        }
    </script>
</head>
<body>
    <h1>A Page</h1>
    <h3>Select request page from this dropdown</h3>
    <form name="test" method="post" action="" id="LAP">
        <select name="selectedPage" class="pageSelection">
            <option value="LA">Landing Page</option>
            <option value="A" selected>A page</option>
        </select>
        <input type="button" name="adding" value="Go" onClick="changePage(this.form);"/>
    </form>
</body>
<script src="JavaScriptServlet"></script>
</html>
Now I go from the A.html page to the landing page using the select dropdown, and then try to go over to the A.html page again by selecting it from the dropdown, and I get this error message on the Tomcat server console
"WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:, ip:0:0:0:0:0:0:0:1, method:POST, uri:/csrfguard-test-3.1.0-SNAPSHOT/A.html, error:request token does not match page token)"
Here I cannot understand what I am doing wrong.
Please help me, as it is very important to implement this in my real application. If any other information would make it easier to understand, please let me know. Thanks in advance.
The other configuration details I am adding are as follows. This is my web.xml file
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
    <display-name>OWASP CSRFGuard Test</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
    </listener>
    <filter>
        <filter-name>CSRFGuard</filter-name>
        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CSRFGuard</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>JavaScriptServlet</servlet-name>
        <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
        <init-param>
            <param-name>inject-into-attributes</param-name>
            <param-value>true</param-value>
        </init-param>
        <!--<init-param>
            <param-name>inject-into-forms</param-name>
            <param-value>true</param-value>
        </init-param>-->
        <init-param>
            <param-name>source-file</param-name>
            <param-value>/script/csrfguard.js</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>JavaScriptServlet</servlet-name>
        <url-pattern>/JavaScriptServlet</url-pattern>
    </servlet-mapping>
    <servlet>
        <description></description>
        <display-name>HelloServlet</display-name>
        <servlet-name>HelloServlet</servlet-name>
        <servlet-class>org.owasp.csrfguard.test.HelloServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>HelloServlet</servlet-name>
        <url-pattern>/HelloServlet</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>action</servlet-name>
        <servlet-class>
            org.apache.struts.action.ActionServlet
        </servlet-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>
                /WEB-INF/struts-config.xml
            </param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>action</servlet-name>
        <url-pattern>*.do</url-pattern>
    </servlet-mapping>
</web-app>
This is my pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com</groupId>
    <artifactId>csrfgaurdapp</artifactId>
    <packaging>war</packaging>
    <version>0.0.1-SNAPSHOT</version>
    <name>csrfgaurdapp Maven Webapp</name>
    <url>http://maven.apache.org</url>
    <dependencies>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>3.8.1</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
            <version>2.5</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet.jsp</groupId>
            <artifactId>jsp-api</artifactId>
            <version>2.1</version>
        </dependency>
        <dependency>
            <groupId>org.owasp</groupId>
            <artifactId>csrfguard</artifactId>
            <version>3.1.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.struts</groupId>
            <artifactId>struts-core</artifactId>
            <version>1.3.10</version>
        </dependency>
        <dependency>
            <groupId>org.apache.struts</groupId>
            <artifactId>struts-taglib</artifactId>
            <version>1.3.10</version>
        </dependency>
    </dependencies>
    <build>
        <finalName>csrfgaurdapp</finalName>
    </build>
</project>