JavaRanch » Java Forums » Engineering » Security
CSRFGuard and protecting links of pages sent out in emails

Prince Manchanda
Ranch Hand

Joined: Jun 25, 2001
Posts: 52
We implemented OWASP's CSRFGuard to protect our pages in the web application, for example */myCsrfProtected.jsp. We have injected the CSRF token at all occurrences of */myCsrfProtected.jsp within the application. Everything works fine.

However, we have another use case where the link to this protected page is sent out to users in an email. Think about a link to a report. Now when the user clicks on this link, the token is missing or invalid and hence the CSRFGuard filter blocks the request, assuming this to be a CSRF attack. (This is what the filter has been implemented for :-) )

Is there any way to handle this use case and allow access to a CSRF-protected page from outside the application?


Thanks and Regards
P Manchanda
Tim McGuire
Ranch Hand

Joined: Apr 30, 2003
Posts: 820

Prince Manchanda wrote: We implemented OWASP's CSRFGuard to protect our pages in the web application, for example */myCsrfProtected.jsp. We have injected the CSRF token at all occurrences of */myCsrfProtected.jsp within the application. Everything works fine.

However, we have another use case where the link to this protected page is sent out to users in an email. Think about a link to a report. Now when the user clicks on this link, the token is missing or invalid and hence the CSRFGuard filter blocks the request, assuming this to be a CSRF attack. (This is what the filter has been implemented for :-) )

Is there any way to handle this use case and allow access to a CSRF-protected page from outside the application?


Hi, this is a great question because it highlights exactly what CSRF is and what CSRF guards should be used for. CSRF is usually defined as a way to trick people into triggering requests that change stuff (like deleting, updating, or creating records). If the request doesn't change data, but is just used to view a page or generate a report, then it probably doesn't need CSRF Guard, right? CSRF Guard is used to guarantee, with the use of a one-time token, that the request was generated from a page within the web application. So, the short answer to your question is no, you don't want to use CSRF Guard on a page that you want accessed via an email link. You should be able to skip CSRF protection for these pages.
Prince Manchanda
Ranch Hand

Joined: Jun 25, 2001
Posts: 52
Tim McGuire wrote: If the request doesn't change data, but is just used to view a page or generate a report, then it probably doesn't need CSRF Guard, right?

Agreed. This is the theory behind deciding which pages to CSRF-protect or not. But unfortunately, in our case there is not a clean separation here. We even have GET requests modifying the server data, or a servlet servicing both GET and POST requests.

Tim McGuire wrote: You don't want to use CSRF Guard on a page that you want accessed via an email link. You should be able to skip CSRF protection for these pages.

The pages we protect against CSRF attacks are flagged by our in-house as well as customer pen tests. So, these have to be protected. Skipping them makes our customers and QA unhappy.
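To make the trade-off discussed in this thread concrete, here is an added stand-alone model (not CSRFGuard's own code and not from either poster) of the decision a CSRF filter makes: side-effect-free report pages on an explicit allowlist can be reached from an e-mail link without a token, while every other request, including a GET that modifies data, must carry a token matching the session's. The class name CsrfDecision and the paths are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

// Hypothetical model of a CSRF filter's decision; not OWASP CSRFGuard's implementation.
public class CsrfDecision {
    // Constructed example: only pages that merely read data belong here. A GET that
    // modifies server state must NOT be listed, or the e-mail link becomes a CSRF vector.
    private static final Set<String> UNPROTECTED_READ_ONLY = Set.of("/reports/view.jsp");
    private static final SecureRandom RNG = new SecureRandom();

    enum Verdict { ALLOW, BLOCK }

    /** Per-session token that the application injects into its own links and forms. */
    static String newToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /**
     * Decides whether a request may pass. sessionToken is what the server stored for this
     * session; requestToken is what the request carried (null when absent, e.g. an e-mail link).
     */
    static Verdict decide(String method, String path, String sessionToken, String requestToken) {
        if ("GET".equals(method) && UNPROTECTED_READ_ONLY.contains(path)) {
            return Verdict.ALLOW; // read-only page: origin of the request does not matter
        }
        if (sessionToken == null || requestToken == null) {
            return Verdict.BLOCK; // protected page reached without a token
        }
        // Constant-time comparison so the check does not leak the token through timing.
        boolean equal = MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                requestToken.getBytes(StandardCharsets.UTF_8));
        return equal ? Verdict.ALLOW : Verdict.BLOCK;
    }

    public static void main(String[] args) {
        String session = newToken();
        // E-mail link to a read-only report: no token is present.
        System.out.println(decide("GET", "/reports/view.jsp", session, null));
        // E-mail link to a page that changes data: no token is present.
        System.out.println(decide("GET", "/myCsrfProtected.jsp", session, null));
        // Form submitted from inside the application with the injected token.
        System.out.println(decide("POST", "/myCsrfProtected.jsp", session, session));
    }
}
```

The allowlist is the only way an e-mail link can bypass the token, which is why the thread's problem (GET handlers that modify data) cannot be solved by exempting those pages.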