
CSRFGuard and protecting links of pages sent out in emails

 
Prince Manchanda
Ranch Hand
Posts: 52
We implemented OWASP's CSRFGuard to protect our pages in the web application. For example */myCsrfProtected.jsp. We have injected the CSRF token at all occurrences of */myCsrfProtected.jsp within the application. Everything works fine.

However, we have another use case where the link to this protected page is sent out to users in an email. Think about a link to a report. Now when the user clicks on this link, the token is missing or invalid, and hence the CSRFGuard filter blocks the request, assuming it to be a CSRF attack. (This is what the filter has been implemented for :-) )

Is there any way to handle this use case and allow access to a CSRF-protected page from outside the application?
 
Tim McGuire
Ranch Hand
Posts: 820
Prince Manchanda wrote: We implemented OWASP's CSRFGuard to protect our pages in the web application. For example */myCsrfProtected.jsp. We have injected the CSRF token at all occurrences of */myCsrfProtected.jsp within the application. Everything works fine.

However, we have another use case where the link to this protected page is sent out to users in an email. Think about a link to a report. Now when the user clicks on this link, the token is missing or invalid, and hence the CSRFGuard filter blocks the request, assuming it to be a CSRF attack. (This is what the filter has been implemented for :-) )

Is there any way to handle this use case and allow access to a CSRF-protected page from outside the application?


Hi, this is a great question because it highlights exactly what CSRF is and what CSRF guards should be used for. CSRF is usually defined as a way to trick people into triggering requests that change stuff (like deleting, updating, or creating records). If the request doesn't change data, but is just used to view a page or generate a report, then it probably doesn't need CSRF Guard, right? CSRF Guard is used to guarantee, with the use of a one-time token, that the request was generated from a page within the web application. So, the short answer to your question is no, you don't want to use CSRF Guard on a page that you want accessed via an email link. You should be able to skip CSRF protection for these pages.
 
Prince Manchanda
Ranch Hand
Posts: 52
Tim McGuire wrote: if the request doesn't change data, but is just used to view a page or generate a report, then it probably doesn't need CSRF Guard, right?

Agreed. This is the theory behind deciding which pages to CSRF protect or not. But unfortunately in our case, there is not a clean separation here. We even have GET requests modifying the server data or a servlet servicing both GET and POST requests.

Tim McGuire wrote: you don't want to use CSRF Guard on a page that you want accessed via an email link. You should be able to skip CSRF protection for these pages.

The pages we protect for CSRF attacks are flagged by our in-house as well as customer pen tests. So, these have to be protected. Skipping them makes our customers and QA unhappy.
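The two replies above pull in opposite directions: the email link needs a page that accepts requests without a token, while the pen-test findings say that anything able to change data must keep the token check. The usual way to satisfy both is to make the exemption narrow: only read-only pages are exempt, the exemption covers safe methods only, and every state change is moved behind an unsafe method that the token check still covers. The following standalone Java class is an added illustration of that policy; it is not part of the thread and not CSRFGuard's own code. The paths (`/report/view.jsp`, `/report/delete`, `/login.jsp`), the session id and the token store are made up for the example, standing in for CSRFGuard's configured unprotected pages and its per-session token.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not CSRFGuard's own code. Models the policy from the thread:
 * pages that only read data are exempt so an email link can reach them, while
 * every state-changing action stays token-protected. All paths are made up.
 */
public final class CsrfPolicyDemo {

    /** Read-only pages an email link may target (assumed paths). */
    private static final Set<String> UNPROTECTED_READ_ONLY =
            Set.of("/report/view.jsp", "/login.jsp");

    /** Stand-in for the per-session CSRF token that CSRFGuard keeps server side. */
    private final Map<String, String> sessionTokens = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    public enum Decision { ALLOW, BLOCK_BAD_TOKEN, BLOCK_METHOD }

    /** Issue a fresh random token for a session and remember it. */
    public String issueToken(String sessionId) {
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessionTokens.put(sessionId, token);
        return token;
    }

    /** Decide whether a request may proceed; presentedToken may be null. */
    public Decision check(String sessionId, String method, String path, String presentedToken) {
        boolean safeMethod = "GET".equals(method) || "HEAD".equals(method);
        if (UNPROTECTED_READ_ONLY.contains(path)) {
            // The exemption covers safe methods only, so the page reachable from
            // an email cannot also be the place where data gets changed.
            return safeMethod ? Decision.ALLOW : Decision.BLOCK_METHOD;
        }
        // Everything else is treated as state-changing: safe methods are refused
        // (a GET that modifies data is a bug to fix), unsafe ones need the token.
        if (safeMethod) {
            return Decision.BLOCK_METHOD;
        }
        String expected = sessionTokens.get(sessionId);
        if (expected == null || presentedToken == null) {
            return Decision.BLOCK_BAD_TOKEN;
        }
        // Constant-time comparison so the token cannot be guessed byte by byte.
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = presentedToken.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b) ? Decision.ALLOW : Decision.BLOCK_BAD_TOKEN;
    }

    public static void main(String[] args) {
        CsrfPolicyDemo policy = new CsrfPolicyDemo();
        String session = "sess-1";                       // constructed session id
        String token = policy.issueToken(session);

        // 1. Email link: GET on the read-only report page, no token -> ALLOW.
        System.out.println(policy.check(session, "GET", "/report/view.jsp", null));
        // 2. Same page via POST -> BLOCK_METHOD; the exemption is not a loophole.
        System.out.println(policy.check(session, "POST", "/report/view.jsp", null));
        // 3. GET aimed at a state-changing action -> BLOCK_METHOD.
        System.out.println(policy.check(session, "GET", "/report/delete", null));
        // 4. In-app POST carrying the injected token -> ALLOW.
        System.out.println(policy.check(session, "POST", "/report/delete", token));
        // 5. POST without the token, which is the CSRF case -> BLOCK_BAD_TOKEN.
        System.out.println(policy.check(session, "POST", "/report/delete", null));
    }
}
```

Compile and run with `javac CsrfPolicyDemo.java && java CsrfPolicyDemo` (Java 9 or newer for `Set.of`). The point of the design is that the report page itself never needs the token, so the email link works, while a servlet that currently services both GET and POST has to be split so that its state-changing branch is only reachable through the token-checked path.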
 