CSRFGuard and protecting links of pages sent out in emails

Ranch Hand
Posts: 52
We implemented OWASP's CSRFGuard to protect our pages in the web application, for example */myCsrfProtected.jsp. We have injected the CSRF token at all occurrences of */myCsrfProtected.jsp within the application. Everything works fine.

However, we have another use case where the link to this protected page is sent out to users in an email. Think about a link to a report. Now when the user clicks on this link, the token is missing or invalid and hence the CSRFGuard filter blocks the request, assuming this to be a CSRF attack. (This is what the filter has been implemented for :-) )

Is there any way to handle this use case and allow access to a CSRF-protected page from outside the application?
Ranch Hand
Posts: 820

Prince Manchanda wrote:We implemented OWASP's CSRFGuard to protect our pages in the web application, for example */myCsrfProtected.jsp. We have injected the CSRF token at all occurrences of */myCsrfProtected.jsp within the application. Everything works fine.

However, we have another use case where the link to this protected page is sent out to users in an email. Think about a link to a report. Now when the user clicks on this link, the token is missing or invalid and hence the CSRFGuard filter blocks the request, assuming this to be a CSRF attack. (This is what the filter has been implemented for :-) )

Is there any way to handle this use case and allow access to a CSRF-protected page from outside the application?

Hi, this is a great question because it highlights exactly what CSRF is and what CSRF guards should be used for. CSRF is usually defined as a way to trick people into triggering requests that change stuff (like deleting, updating, or creating records). If the request doesn't change data, but is just used to view a page or generate a report, then it probably doesn't need CSRF Guard, right? CSRF is used to guarantee, with the use of a one-time token, that the request was generated from a page within the web application. So, the short answer to your question is no, you don't want to use CSRF Guard on a page that you want accessed via an email link. You should be able to skip CSRF protection for these pages.
Prince Manchanda
Ranch Hand
Posts: 52

if the request doesn't change data, but is just used to view a page or generate a report, then it probably doesn't need CSRF Guard, right?

Agreed. This is the theory behind deciding which pages to CSRF-protect or not. But unfortunately, in our case there is no clean separation here. We even have GET requests modifying the server data, or a servlet servicing both GET and POST requests.

you don't want to use CSRF Guard on a page that you want accessed via an email link. You should be able to skip CSRF protection for these pages.

The pages we protect against CSRF attacks are flagged by our in-house pen tests as well as by customer pen tests. So, these have to be protected. Skipping them makes our customers and QA unhappy.
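To make the advice in the reply and the caveat in the follow-up concrete, here is an added example servlet filter (not CSRFGuard's code and not from either poster): a token is demanded for every request except safe, read-only GETs to an explicitly listed report page, which is what an email link can then open. The path, session attribute and parameter names are constructed assumptions, and the Servlet 4.0+ API (default Filter.init/destroy) and Java 9+ (Set.of) are assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not CSRFGuard's code) applying the rule from the thread:
// every state-changing request needs a token; a safe (read-only) GET to a
// listed report page may be opened from an email link without one.
public class EmailLinkAwareCsrfFilter implements Filter {
    // Pages reachable from email links. Their GET handlers MUST be read-only:
    // a GET that modifies data (as the follow-up post describes) would reopen the CSRF hole.
    static final Set<String> EMAIL_LINK_PAGES = Set.of("/reports/view.jsp"); // constructed path
    static final String SESSION_TOKEN_ATTR = "csrf.token"; // assumed attribute name
    static final String TOKEN_PARAM = "csrfToken";         // assumed parameter name

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (isExempt(request.getMethod(), request.getServletPath())) {
            chain.doFilter(req, res); // read-only report page: no token needed
            return;
        }
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_TOKEN_ATTR);
        if (!tokenMatches(expected, request.getParameter(TOKEN_PARAM))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return;
        }
        chain.doFilter(req, res); // token verified: let the state-changing request through
    }

    // Only safe methods on the listed report pages skip the check; POST/PUT/DELETE never do.
    static boolean isExempt(String method, String path) {
        boolean safeMethod = "GET".equals(method) || "HEAD".equals(method);
        return safeMethod && EMAIL_LINK_PAGES.contains(path);
    }

    // Constant-time comparison so the token check does not leak timing information.
    static boolean tokenMatches(String expected, String actual) {
        if (expected == null || actual == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }
}
```

The exemption is only safe if the listed pages really are read-only on GET; a servlet that modifies data on GET must first move that work behind POST before its path can be listed here.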