[+Senduran] We have found the same issue [1] in ESB wso2esb-5.0.0-pre-RC2.zip pack.

[1] https://wso2.org/jira/browse/ESBJAVA-4741

Pubudu D.P
Senior Software Engineer - QA Team | WSO2 inc.
Mobile : +94775464547
Linkedin: https://uk.linkedin.com/in/pubududp
Medium: https://medium.com/@pubududp

On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga <[email protected]> wrote:

> Hi All,
>
> Original issue reported by Hasintha is relevant to how we handle session
> timeout conditions with CSRFGuard filter. We are working on this and will
> update with a resolution.
>
> In general CSRFGuard should work without any per-page modifications, since
> we are using JavaScript based attribute injection and header based
> protection for AJAX requests. However, there might be special cases in
> which these methodologies fail. Such incidences should be handled
> case-by-case and we will be adding all the special cases we identified in
> to the "Integration Checklist" of [1].
>
> We had a short offline session with Shavantha on the issue he is facing
> and identified that there are methods that use
> "*document.createElement('form')*" JavaScript call to build forms
> dynamically. Since CSRFGuard JavaScript will not be able to identify such
> forms, it is necessary to add CSRF token manually. Please see the
> screenshot attached which is the page source of [2]. In such situations it
> is required to use JSP Taglib to add CSRF token as an additional parameter.
> Please follow [1] for additional details.
>
> We can of course arrange quick sessions with teams to check on any
> edge-case issues they are facing, relevant to CSRFGuard.
>
> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
> [2] https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699
>
> Best Regards,
> Ayoma.
>
> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe <[email protected]> wrote:
>
>> [+Dulanjan]
>>
>> Hi All
>>
>> When trying to add multiple roles to a user using a feature such as *Select
>> all from page 1 to page 3* or clicking on a pagination number the same
>> error comes and throws an error similar to [1]
>>
>> [1]
>> [2016-07-07 11:34:37,139] WARN - JavaLogger potential cross-site request
>> forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1,
>> method:POST, uri:/t/tenant.com/carbon/user/view-roles.jsp,
>> error:required token is missing from the request)
>>
>> Regards,
>> Shavantha Weerasinghe
>> Senior Software Engineer QA
>> WSO2, Inc.
>> lean.enterprise.middleware.
>> http://wso2.com
>> http://wso2.org
>> Tel : 94 11 214 5345
>> Fax :94 11 2145300
>>
>> On Wed, Jul 6, 2016 at 4:10 PM, Hasintha Indrajee <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> When trying to perform operations through admin console, once the
>>> session is expired we are getting a 403 from admin console. Seems like this
>>> occurs due to CSRF filter blocking the request since the session is no
>>> longer available at the server side.
>>>
>>> [2016-07-06 15:34:27,576] WARN {org.owasp.csrfguard.log.JavaLogger} -
>>> potential cross-site request forgery (CSRF) attack thwarted
>>> (user:<anonymous>, ip:127.0.0.1, method:POST,
>>> uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp, error:request token
>>> does not match session token)
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile:+94 771892453
>>
>
> --
> Ayoma Wijethunga
> Software Engineer
> Platform Security Team
> WSO2, Inc.; http://wso2.com
> lean.enterprise.middleware
>
> Mobile : +94 (0) 719428123
> Blog : http://www.ayomaonline.com
> LinkedIn: https://www.linkedin.com/in/ayoma
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
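The thread shows two distinct CSRFGuard rejections (Shavantha's "required token is missing from the request" for a form built with document.createElement('form'), and Hasintha's "request token does not match session token" after session expiry) and prescribes adding the token as an extra parameter for the dynamic-form case. The following is an added example, not code from this thread, from WSO2 Carbon or from OWASP CSRFGuard: a small in-memory model of a CSRFGuard-style filter that reproduces both log lines, plus the client-side step of attaching the token to a dynamically built request. The parameter name OWASP_CSRFTOKEN, the SessionStore class, the pageToken object (standing in for what the JSP taglib renders into the page) and the request shapes are all assumptions of this model.

```javascript
// Added example: simplified model of a CSRFGuard-style filter and of the
// client-side fix for dynamically created forms. NOT OWASP CSRFGuard's code;
// OWASP_CSRFTOKEN, SessionStore, pageToken and the request shapes are assumptions.

const TOKEN_PARAM = "OWASP_CSRFTOKEN"; // assumed name of the token parameter/header

// Server side: each HTTP session carries exactly one CSRF token. A request that
// arrives with an unknown (expired) session cookie gets a fresh session with a
// fresh token and no authenticated user, which is why the log says <anonymous>.
class SessionStore {
  constructor() {
    this.sessions = new Map();
    this.counter = 0;
  }
  create(user) {
    this.counter += 1;
    const id = "JSESSIONID-" + this.counter;
    // Deterministic token so the scenario is reproducible; real tokens are random.
    this.sessions.set(id, { user: user, token: "csrf-token-" + this.counter });
    return id;
  }
  expire(id) {
    this.sessions.delete(id);
  }
  lookupOrCreate(id) {
    if (this.sessions.has(id)) return this.sessions.get(id);
    return this.sessions.get(this.create(null));
  }
}

// Filter logic: a state-changing request must present the session's token as a
// request parameter (plain form post) or as a header (AJAX). GETs are not checked.
function verifyCsrf(req, store) {
  if (req.method === "GET") return { ok: true, status: 200 };
  const session = store.lookupOrCreate(req.cookie);
  const user = session.user === null ? "<anonymous>" : session.user;
  let presented = req.params[TOKEN_PARAM];
  if (presented === undefined) presented = req.headers[TOKEN_PARAM];
  let error = null;
  if (presented === undefined) {
    error = "required token is missing from the request";
  } else if (presented !== session.token) {
    error = "request token does not match session token";
  }
  if (error !== null) {
    return {
      ok: false,
      status: 403,
      log: "WARN potential cross-site request forgery (CSRF) attack thwarted (user:" + user +
        ", ip:" + req.ip + ", method:" + req.method + ", uri:" + req.uri + ", error:" + error + ")",
    };
  }
  return { ok: true, status: 200 };
}

// Client side. CSRFGuard's injected script only patches forms it can find in the
// DOM, so a form assembled with document.createElement('form') has to carry the
// token itself. The thread's prescription is the JSP taglib, which renders the
// token name and value into the page; pageToken stands in for that rendered pair.
function withCsrfToken(params, pageToken) {
  const out = Object.assign({}, params);
  out[pageToken.name] = pageToken.value;
  return out;
}

// Three constructed requests mirroring the thread: the dynamic "select all" form
// without a token, the same form with the token added, and a post after expiry.
function runScenarios() {
  const store = new SessionStore();
  const sid = store.create("admin");
  const pageToken = { name: TOKEN_PARAM, value: store.sessions.get(sid).token };
  const rolesUri = "/t/tenant.com/carbon/user/view-roles.jsp";
  const base = { method: "POST", ip: "127.0.0.1", cookie: sid, headers: {} };
  const dynamicFormParams = { selectedRoles: ["role1", "role2"], pageNumber: "3" };

  const missing = verifyCsrf(Object.assign({}, base, {
    uri: rolesUri, params: dynamicFormParams,
  }), store);
  const fixed = verifyCsrf(Object.assign({}, base, {
    uri: rolesUri, params: withCsrfToken(dynamicFormParams, pageToken),
  }), store);

  // Session times out; the browser still holds the old cookie and the old token.
  store.expire(sid);
  const expired = verifyCsrf(Object.assign({}, base, {
    uri: "/carbon/userprofile/set-finish-ajaxprocessor.jsp",
    params: withCsrfToken({ profile: "default" }, pageToken),
  }), store);

  return { missing: missing, fixed: fixed, expired: expired };
}
```

The expired case is worth noting: the token is present but belongs to a session the server no longer has, so the filter cannot distinguish a timed-out user from a forged request and returns 403 with a "does not match" error rather than a "missing" one; a session-timeout handler has to run before the CSRF check to turn that into a login redirect.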
