I have tried all of the WSO2 guidelines to enable the CSRF attribute on the web cookie and to submit the GET-method form of the authentication endpoint webapp, but I still cannot get the result.
In the response to the GET method, the authentication endpoint gets the "Absence of Anti-CSRF Tokens" ZAP vulnerability, because the form submission tag in the response body does not contain the hidden parameter, the csrf token.
WSO2 link referred to:
https://wso2.com/technical-reports/wso2-secure-engineering-guidelines#C03
Information provided in the ZAP vulnerability:
No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret] was found in the following HTML form: [Form 1: "tocommonauth" "username" "password" "chkRemember" "sessionDataKey" ].
web.xml of the authenticationendpoint webapp
<?xml version="1.0" encoding="UTF-8"?><!--
~ Copyright (c) 2014, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
~
~ WSO2 Inc. licenses this file to you under the Apache License,
~ Version 2.0 (the "License"); you may not use this file except
~ in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0" metadata-complete="true">
<absolute-ordering />
<!-- OWASP CSRFGuard context listener used to read CSRF configuration -->
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<!-- OWASP CSRFGuard session listener used to generate per-session CSRF
token -->
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<!-- OWASP CSRFGuard per-application configuration property file location -->
<context-param>
<param-name>Owasp.CsrfGuard.Config</param-name>
<param-value>/repository/conf/security/Owasp.CsrfGuard.properties</param-value>
</context-param>
<!-- OWASP CSRFGuard filter used to validate CSRF token -->
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<!-- OWASP CSRFGuard filter mapping used to validate CSRF token -->
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- OWASP CSRFGuard servlet that serves dynamic token injection JavaScript
(application can customize the URL pattern as required) -->
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/csrfguard.js</url-pattern>
</servlet-mapping>
<!-- *************** Account Recovery Endpoint Context URL Configuration
********************** -->
<!--context-param> <param-name>IdentityManagementEndpointContextURL</param-name>
<param-value>https://localhost:9443/accountrecoveryendpoint</param-value>
</context-param -->
<context-param>
<param-name>AccountRecoveryRESTEndpointURL</param-name>
<param-value>/t/tenant-domain/api/identity/user/v1.0/</param-value>
</context-param>
<!-- *************** End of Authentication REST API URL Configuration ********************** -->
<!--Display scopes in the consent page. -->
<context-param>
<param-name>displayScopes</param-name>
<param-value>true</param-value>
</context-param>
<filter>
<filter-name>HttpHeaderSecurityFilter</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>false</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>HttpHeaderSecurityFilter</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
<filter>
<filter-name>AuthenticationEndpointFilter</filter-name>
<filter-class>
org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>AuthenticationEndpointFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>URLBasedCachePreventionFilter</filter-name>
<filter-class>org.wso2.carbon.ui.filters.cache.URLBasedCachePreventionFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>URLBasedCachePreventionFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter>
<filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
<filter-class>
org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter</filter-class>
<init-param>
<param-name>patterns</param-name>
<param-value>"text/html" ,"application/json" ,"plain/text"</param-value>
</init-param>
<init-param>
<param-name>filterAction</param-name>
<param-value>enforce</param-value>
</init-param>
<init-param>
<param-name>httpHeaders</param-name>
<param-value>
Cache-Control: no-store, no-cache, must-revalidate, private
</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
<url-pattern>*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<listener>
<listener-class>
org.wso2.carbon.identity.application.authentication.endpoint.util.listener.AuthenticationEndpointContextListener</listener-class>
</listener>
<servlet>
<servlet-name>retry.do</servlet-name>
<jsp-file>/retry.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>wait.do</servlet-name>
<jsp-file>/long-wait.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>idf-confirm.do</servlet-name>
<jsp-file>/identifier-logout-confirm.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>dynamic_prompt.do</servlet-name>
<jsp-file>/dynamic_prompt.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>handle-multiple-sessions.do</servlet-name>
<jsp-file>/handle-multiple-sessions.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>claims.do</servlet-name>
<jsp-file>/requested-claims.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>oauth2_login.do</servlet-name>
<jsp-file>/login.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>oauth2_authz.do</servlet-name>
<jsp-file>/oauth2_authz.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>oauth2_consent.do</servlet-name>
<jsp-file>/oauth2_consent.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>oauth2_logout_consent.do</servlet-name>
<jsp-file>/oauth2_logout_consent.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>oauth2_logout.do</servlet-name>
<jsp-file>/logout.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>oauth2_error.do</servlet-name>
<jsp-file>/oauth2_error.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>samlsso_login.do</servlet-name>
<jsp-file>/login.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>samlsso_logout.do</servlet-name>
<jsp-file>/logout.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>samlsso_redirect.do</servlet-name>
<jsp-file>/login.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>samlsso_notification.do</servlet-name>
<jsp-file>/samlsso_notification.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>openid_login.do</servlet-name>
<jsp-file>/login.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>openid_profile.do</servlet-name>
<jsp-file>/openid_profile.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>passivests_login.do</servlet-name>
<jsp-file>/login.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>tenantlistrefresher.do</servlet-name>
<jsp-file>/tenant_refresh_endpoint.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>registration.do</servlet-name>
<jsp-file>/registration.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>consent.do</servlet-name>
<jsp-file>/consent.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>cookie_policy.do</servlet-name>
<jsp-file>/cookie_policy.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>privacy_policy.do</servlet-name>
<jsp-file>/privacy_policy.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>authenticate.do</servlet-name>
<jsp-file>/authenticate.jsp</jsp-file>
</servlet>
<servlet>
<servlet-name>error.do</servlet-name>
<jsp-file>/generic-exception-response.jsp</jsp-file>
</servlet>
<servlet-mapping>
<servlet-name>retry.do</servlet-name>
<url-pattern>/retry.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>wait.do</servlet-name>
<url-pattern>/wait.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>idf-confirm.do</servlet-name>
<url-pattern>/idf-confirm.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>dynamic_prompt.do</servlet-name>
<url-pattern>/dynamic_prompt.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>handle-multiple-sessions.do</servlet-name>
<url-pattern>/handle-multiple-sessions.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>oauth2_login.do</servlet-name>
<url-pattern>/oauth2_login.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>oauth2_authz.do</servlet-name>
<url-pattern>/oauth2_authz.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>oauth2_consent.do</servlet-name>
<url-pattern>/oauth2_consent.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>oauth2_logout_consent.do</servlet-name>
<url-pattern>/oauth2_logout_consent.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>oauth2_logout.do</servlet-name>
<url-pattern>/oauth2_logout.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>oauth2_error.do</servlet-name>
<url-pattern>/oauth2_error.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>samlsso_login.do</servlet-name>
<url-pattern>/samlsso_login.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>samlsso_logout.do</servlet-name>
<url-pattern>/samlsso_logout.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>samlsso_redirect.do</servlet-name>
<url-pattern>/samlsso_redirect.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>samlsso_notification.do</servlet-name>
<url-pattern>/samlsso_notification.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>openid_login.do</servlet-name>
<url-pattern>/openid_login.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>openid_profile.do</servlet-name>
<url-pattern>/openid_profile.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>passivests_login.do</servlet-name>
<url-pattern>/passivests_login.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>tenantlistrefresher.do</servlet-name>
<url-pattern>/tenantlistrefresher.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>registration.do</servlet-name>
<url-pattern>/registration.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>claims.do</servlet-name>
<url-pattern>/claims.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>consent.do</servlet-name>
<url-pattern>/consent.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cookie_policy.do</servlet-name>
<url-pattern>/cookie_policy.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>privacy_policy.do</servlet-name>
<url-pattern>/privacy_policy.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>authenticate.do</servlet-name>
<url-pattern>/authenticate.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>error.do</servlet-name>
<url-pattern>/error.do</url-pattern>
</servlet-mapping>
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/generic-exception-response.jsp</location>
</error-page>
<!-- custom error pages -->
<error-page>
<error-code>400</error-code>
<location>/errors/error_400.html</location>
</error-page>
<error-page>
<error-code>401</error-code>
<location>/errors/error_401.html</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/errors/error_403.html</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/errors/error_404.html</location>
</error-page>
<error-page>
<error-code>405</error-code>
<location>/errors/error_405.html</location>
</error-page>
<error-page>
<error-code>408</error-code>
<location>/errors/error_408.html</location>
</error-page>
<error-page>
<error-code>410</error-code>
<location>/errors/error_410.html</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/errors/error_500.html</location>
</error-page>
<error-page>
<error-code>502</error-code>
<location>/errors/error_502.html</location>
</error-page>
<error-page>
<error-code>503</error-code>
<location>/errors/error_503.html</location>
</error-page>
<error-page>
<error-code>504</error-code>
<location>/errors/error_504.html</location>
</error-page>
<error-page>
<location>/errors/error.html</location>
</error-page>
<session-config>
<cookie-config>
<secure>true</secure>
</cookie-config>
</session-config>
</web-app>
Answer 0: (score: 0)
By default, all web applications shipped with the product are protected against CSRF attacks [1]:
For WSO2 Identity Server, the configurations to mitigate CSRF attacks are enabled by default for all the applications built into the product. Therefore, you need to apply these configurations manually only if you have deployed any custom applications into the product.
So you do not need any additional configuration.
According to the information given in the ZAP vulnerability scan, it detects the commonauth request inside the authentication endpoint web application as a vulnerability. That is wrong; let me explain why.
What are the authentication endpoint web application and the commonauth request?
In WSO2 Identity Server, the authenticationendpoint serves the login and consent pages during authentication. The user actions (such as credentials, OTP codes, federated login flows, consent approval) are then submitted to the server using the commonauth request. So these interactions happen through the browser before the user has been authenticated.
What is CSRF? [2]
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform.
Therefore, since the user is not yet authenticated, an attacker cannot gain any additional benefit by submitting these authentication pages.
So they are configured to be skipped from CSRF protection. You can check those endpoints in the IS_HOME/repository/conf/security/Owasp.CsrfGuard.Carbon.properties file:
# please remove the below entry to enable protection for services.
org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
org.owasp.csrfguard.unprotected.commonauth=%servletContext%/commonauth/*
org.owasp.csrfguard.unprotected.samlsso=%servletContext%/samlsso/*
org.owasp.csrfguard.unprotected.authenticationendpoint=%servletContext%/authenticationendpoint/*
org.owasp.csrfguard.unprotected.wso2=%servletContext%/wso2/*
org.owasp.csrfguard.unprotected.oauth2=%servletContext%/oauth2/*
org.owasp.csrfguard.unprotected.oidc=%servletContext%/oidc/*
org.owasp.csrfguard.unprotected.openid=%servletContext%/openid/*
org.owasp.csrfguard.unprotected.openidserver=%servletContext%/openidserver/*
org.owasp.csrfguard.unprotected.passivests=%servletContext%/passivests/*
org.owasp.csrfguard.unprotected.acs=%servletContext%/acs/*
org.owasp.csrfguard.unprotected.iwa=%servletContext%/iwa/*
org.owasp.csrfguard.unprotected.oauthiwa=%servletContext%/commonauth/iwa/*
org.owasp.csrfguard.unprotected.thrift=%servletContext%/thriftAuthenticator/*
org.owasp.csrfguard.unprotected.mex=%servletContext%/mexut/*
org.owasp.csrfguard.unprotected.identity=%servletContext%/identity/*
As you can see, these are the endpoints used in the authentication flow.
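To reconcile a ZAP finding with the CSRFGuard configuration quoted above, the following added example (not code from the question or from WSO2) parses the `org.owasp.csrfguard.unprotected.*` entries and reports whether a given request path would be exempt from token validation. The properties excerpt is constructed from the answer's file, and the servlet-style matching rules (`/*` prefix, `*.ext` extension, `^` regex, otherwise exact) are an assumption about how CSRFGuard applies these patterns.

```python
import re

# Constructed excerpt of Owasp.CsrfGuard.Carbon.properties (values as quoted in the answer)
PROPERTIES = """
# please remove the below entry to enable protection for services.
org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
org.owasp.csrfguard.unprotected.commonauth=%servletContext%/commonauth/*
org.owasp.csrfguard.unprotected.authenticationendpoint=%servletContext%/authenticationendpoint/*
org.owasp.csrfguard.unprotected.oauth2=%servletContext%/oauth2/*
"""

UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."


def parse_unprotected(text, servlet_context=""):
    """Collect the unprotected URI patterns, resolving %servletContext%.
    Carbon webapps run at the root context, so the default is an empty string."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip().startswith(UNPROTECTED_PREFIX):
            patterns.append(value.strip().replace("%servletContext%", servlet_context))
    return patterns


def uri_matches(pattern, path):
    """Servlet-mapping style match (assumed CSRFGuard semantics, see lead-in)."""
    if pattern.startswith("^"):
        return re.match(pattern, path) is not None
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_csrf_protected(path, patterns):
    """True when no unprotected pattern matches, i.e. CSRFGuard will require a token."""
    return not any(uri_matches(p, path) for p in patterns)


def explain(path, patterns):
    """Human-readable verdict naming the exempting pattern, for triaging scanner output."""
    hits = [p for p in patterns if uri_matches(p, path)]
    return f"{path}: unprotected via {hits[0]}" if hits else f"{path}: protected"


if __name__ == "__main__":
    pats = parse_unprotected(PROPERTIES)
    for p in ("/authenticationendpoint/login.do", "/commonauth", "/carbon/admin/index.jsp"):
        print(explain(p, pats))
```

Running it shows that the login page and commonauth are exempt by pattern, which is exactly why the form carries no token and the scanner reports it.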