
Struts Token to prevent Cross-Site Request Forgery(CSRF) attack

MayurX Gupta
Greenhorn
Posts: 2
Hi All,

I am using Struts 1.2 and want to prevent CSRF attacks on my application. I am currently using the token implementation, but I have an issue here, since the token is visible in the page's view source as a hidden field.
But still, if I generate an HTML page, take the hidden token value from the web page's view source, and pass this value using the same URL with which the action is fired, the request gets submitted.
How can we avoid this? Is there any way to avoid the visibility of the token value in the page's view source?
Jayesh A Lalwani
Rancher
Posts: 2756
Why do you want to make the CSRF token hidden from the user?
MayurX Gupta
Greenhorn
Posts: 2
Because the user can easily get the token value and pass it in an HTML request to the action. This request can easily be submitted, as the token value matches.

Consider a scenario:

A JSP is loaded by a function:
http://localhost:--/method=abc

On submit of the JSP a new method is called, i.e. http://localhost:--/method=xyz

The token value is visible in the application's view source.

Now if the user opens the application in a new tab (i.e. he is in the same session) and creates an HTML page with the form action pointing to the submit URL, i.e. http://localhost:--/method=xyz,
and passes the token value as a hidden field, the request gets submitted and the same action is performed as by the application.
dileep keely
Ranch Hand
Posts: 108
If you are worried about requests made as GET, make sure that your JSP page always sends a POST request.
Do something like this:

    if (request.getMethod().equalsIgnoreCase("GET")) {
        // a GET must never carry the token; refuse it if one is present
        if (requestToken != null && !requestToken.trim().isEmpty()) {
            flag = false;
            logger.info("GET------>");
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Bad or missing CSRF value");
        } else {
            flag = true;
        }
    }
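A complete version of the approach described in the reply above, as an added example that is not code from this thread or from Struts itself: a servlet Filter that issues one random token per session, hands it to the JSP for a hidden field, and lets state-changing requests through only as POST with a matching token. The filter and the names it uses (CsrfTokenFilter, CSRF_TOKEN, csrfToken) are assumptions for illustration; Struts 1.2's own saveToken()/isTokenValid() in the Action class implement the same pattern and can be used instead. Note that the token does not need to be hidden from the logged-in user, who is not the attacker here and already holds the session. It only has to be unreadable to a page on another origin: the browser's same-origin policy stops that page from reading this site's HTML, so it cannot copy the hidden field into its forged form.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical CSRF filter for illustration; not part of Struts or the thread.
public class CsrfTokenFilter implements Filter {
    // Session attribute holding the per-session token (name is an assumption).
    static final String SESSION_KEY = "CSRF_TOKEN";
    // Hidden form field that carries the token back (name is an assumption).
    static final String PARAM_NAME = "csrfToken";

    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, creating it on first use. The JSP that renders
     *  the form calls this and emits
     *  <input type="hidden" name="csrfToken" value="..."> with the result. */
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(SESSION_KEY);
            if (token == null) {
                byte[] raw = new byte[32];             // 256 bits from a CSPRNG
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(SESSION_KEY, token);
            }
            return token;
        }
    }

    /** True only when the submitted csrfToken equals the token stored in the session. */
    static boolean tokenMatches(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return false;                              // no session, nothing to compare
        }
        String expected = (String) session.getAttribute(SESSION_KEY);
        String supplied = req.getParameter(PARAM_NAME);
        if (expected == null || supplied == null) {
            return false;
        }
        // Constant-time comparison so a wrong token cannot be guessed byte by byte.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String method = req.getMethod();
        boolean readOnly = "GET".equalsIgnoreCase(method) || "HEAD".equalsIgnoreCase(method);

        if (readOnly) {
            // A GET must never carry the token: it would end up in URLs, logs and
            // Referer headers. Refuse it, as in the snippet above.
            if (req.getParameter(PARAM_NAME) != null) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Bad or missing CSRF value");
                return;
            }
        } else if (!tokenMatches(req)) {
            // Every state-changing request (POST, PUT, DELETE, ...) needs a valid token.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Bad or missing CSRF value");
            return;
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

Map the filter in web.xml to the URL pattern that the Struts ActionServlet handles (for example /*.do) so that every action passes through it, and make sure the state-changing actions (method=xyz in the scenario above) are only reachable by POST. A forged form on another origin can still auto-submit a POST, but it cannot fill in csrfToken with the right value, so the filter rejects it with 403 while the application's own form, which rendered the token, goes through.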