Hi Pubudu,

This is only the pattern coming from the kernel itself. Product-level exclusions are not there in the property file. Please check with the product team on this.
Best Regards,
Ayoma

On Fri, Jul 8, 2016 at 5:59 PM, Pubudu Priyashan <[email protected]> wrote:

> Hi Ayoma,
>
> I had a look at the "repository/conf/security/Owasp.CsrfGuard.Carbon.properties" file and I can see the property [1] included in it. Can you please confirm that this is as expected? Thanks!
>
> [1] org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
>
> Cheers,
> Pubudu.
>
> Pubudu D.P
> Senior Software Engineer - QA Team | WSO2 inc.
> Mobile : +94775464547
>
> Linkedin: https://uk.linkedin.com/in/pubududp
> Medium: https://medium.com/@pubududp
>
>
> On Fri, Jul 8, 2016 at 5:50 PM, Ayoma Wijethunga <[email protected]> wrote:
>
>> Hi Pubudu / Senduran,
>>
>> This is not the exact same. "/carbon/proxyservices/" is one of the ESB CSRF exclusion patterns (referring to the previous filter configuration [1]).
>>
>> As discussed with Senduran over the call we had, this pattern needs to be added to OWASP CSRFGuard as an unprotected URL pattern ([2] section 6).
>>
>> Was the test performed on a pack with this configuration change? If so, let's have a quick remote session to check this out.
>>
>> [1] https://docs.google.com/document/d/16qTgkhOrhgH48ttnIuqEDG531cS1ouMLwqu1CtyfXLI/edit
>>
>> [2] https://docs.google.com/document/d/1A1T-t6IjIaxunjlSyjsGuKSC-x9xl3kilNCTpZVy-EM/edit#
>>
>> Thank you,
>> Ayoma.
>>
>> On Fri, Jul 8, 2016 at 5:29 PM, Pubudu Priyashan <[email protected]> wrote:
>>
>>> [+Senduran]
>>>
>>> We have found the same issue [1] in the ESB wso2esb-5.0.0-pre-RC2.zip pack.
>>>
>>> [1] https://wso2.org/jira/browse/ESBJAVA-4741
>>>
>>> Pubudu D.P
>>> Senior Software Engineer - QA Team | WSO2 inc.
>>> Mobile : +94775464547
>>>
>>> Linkedin: https://uk.linkedin.com/in/pubududp
>>> Medium: https://medium.com/@pubududp
>>>
>>>
>>> On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> The original issue reported by Hasintha is relevant to how we handle session timeout conditions with the CSRFGuard filter. We are working on this and will update with a resolution.
>>>>
>>>> In general CSRFGuard should work without any per-page modifications, since we are using JavaScript based attribute injection and header based protection for AJAX requests. However, there might be special cases in which these methodologies fail. Such incidences should be handled case-by-case and we will be adding all the special cases we identified into the "Integration Checklist" of [1].
>>>>
>>>> We had a short offline session with Shavantha on the issue he is facing and identified that there are methods that use the "*document.createElement('form')*" JavaScript call to build forms dynamically. Since the CSRFGuard JavaScript will not be able to identify such forms, it is necessary to add the CSRF token manually. Please see the attached screenshot, which is the page source of [2]. In such situations it is required to use the JSP Taglib to add the CSRF token as an additional parameter. Please follow [1] for additional details.
>>>>
>>>> We can of course arrange quick sessions with teams to check on any edge-case issues they are facing, relevant to CSRFGuard.
>>>>
>>>> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
>>>> [2] https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699
>>>>
>>>> Best Regards,
>>>> Ayoma.
>>>>
>>>> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe <[email protected]> wrote:
>>>>
>>>>> [+Dulanjan]
>>>>>
>>>>> Hi All,
>>>>>
>>>>> When trying to add multiple roles to a user using a feature such as *Select all from page 1 to page 3* or clicking on a pagination number, the same error comes and throws an error similar to [1].
>>>>>
>>>>> [1]
>>>>> [2016-07-07 11:34:37,139] WARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/t/tenant.com/carbon/user/view-roles.jsp, error:required token is missing from the request)
>>>>>
>>>>>
>>>>> Regards,
>>>>> Shavantha Weerasinghe
>>>>> Senior Software Engineer QA
>>>>> WSO2, Inc.
>>>>> lean.enterprise.middleware.
>>>>> http://wso2.com
>>>>> http://wso2.org
>>>>> Tel : 94 11 214 5345
>>>>> Fax : 94 11 2145300
>>>>>
>>>>>
>>>>> On Wed, Jul 6, 2016 at 4:10 PM, Hasintha Indrajee <[email protected]> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> When trying to perform operations through the admin console, once the session is expired we are getting a 403 from the admin console. Seems like this occurs due to the CSRF filter blocking the request since the session is no longer available at the server side.
>>>>>>
>>>>>> [2016-07-06 15:34:27,576] WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp, error:request token does not match session token)
>>>>>> --
>>>>>> Hasintha Indrajee
>>>>>> WSO2, Inc.
>>>>>> Mobile:+94 771892453
>>>>>>
>>>>>
>>>>
>>>
>>
>

--
Ayoma Wijethunga
Software Engineer
Platform Security Team
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware

Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
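Added example, not code from the thread or from OWASP CSRFGuard: a small Python model of the unprotected-URL matching that Ayoma and Pubudu discuss above, run over the two "attack thwarted" warnings quoted by Shavantha and Hasintha. The `ProxyServices` entry, the empty servlet context path and the matching rules (exact path, `/*` prefix, `*.ext` suffix, `^...$` regex) are assumptions to be checked against the CSRFGuard version shipped in the pack.

```python
import re

# Constructed CSRFGuard-style unprotected entries: the Services pattern quoted in
# the thread plus the proxyservices exclusion it says must be added (that key and
# value are an assumption, not the pack's actual configuration).
UNPROTECTED = {
    "Services": "%servletContext%/services/*",
    "ProxyServices": "%servletContext%/carbon/proxyservices/*",
}

# The two "attack thwarted" warnings exactly as they appear in the thread.
LOG_LINES = [
    "[2016-07-07 11:34:37,139] WARN - JavaLogger potential cross-site request forgery "
    "(CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, "
    "uri:/t/tenant.com/carbon/user/view-roles.jsp, error:required token is missing from the request)",
    "[2016-07-06 15:34:27,576] WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site "
    "request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, "
    "uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp, error:request token does not match session token)",
]

THWARTED = re.compile(r"uri:(?P<uri>\S+?), error:(?P<error>[^)]+)\)")

def uri_matches(pattern, uri, context_path=""):
    """Assumed matching rules for one entry: exact path, '/*' prefix, '*.ext' suffix,
    or '^...$' regex, after %servletContext% is replaced by the web app's context path."""
    pattern = pattern.replace("%servletContext%", context_path)
    if pattern.startswith("^") and pattern.endswith("$"):
        return re.fullmatch(pattern[1:-1], uri) is not None
    if pattern.endswith("/*"):
        return uri.startswith(pattern[:-1])  # keep the '/', so /servicesX stays protected
    if pattern.startswith("*."):
        return uri.endswith(pattern[1:])
    return uri == pattern

def is_unprotected(uri, patterns=UNPROTECTED, context_path=""):
    return any(uri_matches(p, uri, context_path) for p in patterns.values())

def triage(lines, patterns=UNPROTECTED):
    """Extract uri and error reason from each CSRFGuard warning and record whether
    that uri would have been excluded. In the thread, 'required token is missing'
    came from a form built with document.createElement('form') and 'does not match
    session token' from an expired session, so the reason string separates the cases."""
    events = []
    for line in lines:
        m = THWARTED.search(line)
        if m:
            events.append({"uri": m["uri"], "error": m["error"].strip(),
                           "excluded": is_unprotected(m["uri"], patterns)})
    return events
```

In this model the tenant-qualified URI from Shavantha's log (`/t/tenant.com/...`) is not matched by a `%servletContext%/carbon/...` prefix pattern, which is one reason to verify an exclusion against URIs taken from the actual warnings rather than from the configuration document alone.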
