JavaRanch » Java Forums » Frameworks » Struts
Struts Token to prevent Cross-Site Request Forgery(CSRF) attack

MayurX Gupta
Greenhorn

Joined: Jan 14, 2013
Posts: 2
Hi All,

I am using Struts 1.2 and want to prevent CSRF attacks on my application. I am currently using the token implementation, but I have an issue here: the token is visible in the view source of the page as a hidden field.
But still, if I generate an HTML page, take the hidden token value from the view source of the web page and pass this value using the same URL with which the action is fired, a request gets submitted.
How can we avoid it? Is there any way to avoid visibility of the token value in the view source of the page?
Jayesh A Lalwani
Bartender

Joined: Jan 17, 2008
Posts: 2372

Why do you want to make the CSRF token hidden from the user?
MayurX Gupta
Greenhorn

Joined: Jan 14, 2013
Posts: 2
Because the user can easily get the token value and pass it in an HTML request to the action. This request can easily be submitted, as the token value matches.

Consider a scenario:

A JSP is loaded by a function:
http://localhost:--/method=abc

and on submit of the JSP a new method is called, i.e. http://localhost:--/method=xyz

A token value is visible in the view source of the application.

Now if the user opens the application in a new tab, i.e. he is in the same session, and creates an HTML page with a form action pointing to the submit URL, i.e. http://localhost:--/method=xyz,
and passes the token value as a hidden field, a request gets submitted and the same action is done as by the application.
dileep keely
Ranch Hand

Joined: Jun 28, 2010
Posts: 91
If you are worried about requests made as "GET", make sure that your JSP page always sends a POST request.
Do something like this:
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Refuses a GET that carries a CSRF token (state changes must be POSTed); returns false when the request was rejected.
boolean checkMethod(HttpServletRequest request, HttpServletResponse response, String requestToken) throws IOException {
    boolean flag = true;
    if (request.getMethod().equalsIgnoreCase("GET")) {
        if (requestToken != null && !"".equalsIgnoreCase(requestToken.trim())) {
            flag = false;
            logger.info("GET------>"); // 'logger' is the enclosing class's logger
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Bad or missing CSRF value");
        }
    }
    return flag;
}
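The synchronizer-token pattern the thread is discussing, as an added stand-alone Java model (not the Struts 1 TokenProcessor and not code from any poster): the token is meant to be readable by the page's own user, because the check only has to stop a form served from another origin, which cannot read the session-bound value; what matters is that it is compared against the session copy on POST only and consumed after use. Plain maps stand in for the servlet session and request parameters, and the key names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
/** Stand-alone model of the synchronizer-token check; plain maps stand in for the session and request parameters. */
public class CsrfTokenModel {
    // Assumed key names; Struts 1 has its own session attribute and form parameter names for the token.
    static final String SESSION_KEY = "csrf.token";
    static final String PARAM_KEY = "csrf.token";
    private static final SecureRandom RNG = new SecureRandom();

    /** Called when the form page is rendered: store a fresh token in the session and return it for the hidden field. */
    static String saveToken(Map<String, Object> session) {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        session.put(SESSION_KEY, token);
        return token;
    }

    /** Called by the submit action: accept only a POST whose token matches the session copy, then consume it. */
    static boolean isTokenValid(String method, Map<String, String> params, Map<String, Object> session) {
        if (!"POST".equalsIgnoreCase(method)) {
            return false; // a token in a GET URL ends up in logs and Referer headers; refuse it outright
        }
        String expected = (String) session.get(SESSION_KEY);
        String actual = params.get(PARAM_KEY);
        if (expected == null || actual == null) {
            return false;
        }
        byte[] e = expected.getBytes(StandardCharsets.UTF_8), a = actual.getBytes(StandardCharsets.UTF_8);
        boolean ok = MessageDigest.isEqual(e, a); // constant-time compare
        if (ok) {
            session.remove(SESSION_KEY); // one-shot: a second submit with the same copied token is refused
        }
        return ok;
    }
    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        Map<String, String> form = new HashMap<>();
        form.put(PARAM_KEY, saveToken(session));
        System.out.println("POST with the session's token: " + isTokenValid("POST", form, session));
        System.out.println("same token submitted again:    " + isTokenValid("POST", form, session));
        form.put(PARAM_KEY, saveToken(session));
        System.out.println("GET carrying a valid token:    " + isTokenValid("GET", form, session));
    }
}
```

A user replaying their own token from their own session, as the original poster describes, is not a CSRF: the attacker model is a page on a different origin, which has no way to read that value.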