Hi Ayoma,
We are facing this issue when uploading registry resource and uploading
rxts when session gets expired. We have changed the
"org.owasp.csrfguard.ValidateWhenNoSessionExists"
property to false. But it still gives the following error messages [1],[2].
After reloading the page then issue does not happens.
[1] - WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site
request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.100,
method:POST, uri:/carbon/generic/save_artifact_ajaxprocessor.jsp,
error:request token does not match session token)
[2] - WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site
request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.100,
method:POST, uri:/fileupload/resource, error:request token does not match
session token)
On Fri, Jul 8, 2016 at 8:03 PM, Ayoma Wijethunga <[email protected]> wrote:
> Hi Team,
>
> We identified that disabling "ValidateWhenNoSessionExists" property
> similar to following can resolve original session-timeout issue raised by
> Hasintha.
>
> org.owasp.csrfguard.ValidateWhenNoSessionExists = false
>
>
> Please add below lines in product "distribution" pom file to correct this
> behavior. This was further updated in [1] and [2] (Integration Checklist).
>
> <!-- Update Owasp.CsrfGuard.properties file
>>> with ValidateWhenNoSessionExists to disable validation on requests made
>>> with no valid session -->
>>
>> <replace
>>> file="target/wso2carbon-core-${carbon.kernel.version}/repository/conf/security/Owasp.CsrfGuard.Carbon.properties"
>>> token="org.owasp.csrfguard.ValidateWhenNoSessionExists = true"
>>> value="org.owasp.csrfguard.ValidateWhenNoSessionExists = false"/>
>>
>>
> [1]
> https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit
> [2]
> https://docs.google.com/document/d/1A1T-t6IjIaxunjlSyjsGuKSC-x9xl3kilNCTpZVy-EM/edit#
>
> Thank you,
> Ayoma.
>
> On Fri, Jul 8, 2016 at 6:35 PM, Dulanja Liyanage <[email protected]> wrote:
>
>>
>>
>> On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> Original issue reported by Hasintha is relevant to how we handle session
>>> timeout conditions with CSRFGuard filter. We are working on this and will
>>> update with a resolution.
>>>
>>
>> The reason for this behavior is there's no session-existence check prior
>> to the form POST. Before CSRFGuard this was not a problem, because, upon a
>> failure due to session timeout one of the following would have happened:
>>
>> 1. in the case of an ajaxprocessor - Request would be propagated to
>> the respective admin service, and upon its session non-existence
>> exception,
>> will be redirected to the login page.
>> 2. in the case of a non-ajaxprocessor - CarbonSecuredHttpContext will
>> redirect to the login page before hitting the actual jsp/servlet.
>>
>> Since CSRFGuard is a filter, it intercepts before either of the above
>> happen and sends a 403 forbidden - because that's what it's supposed to do.
>>
>> There's a platform level javascript function called sessionAwareFunction
>> (in main.js) that can be used for this. Registry Browser uses that. We have
>> to send the actual operation we want to do as a callback function to
>> sessionAwareFunction. It will initially do a session validity check
>> via /carbon/admin/jsp/session-validate.jsp and then execute what we want to
>> do.
>>
>> We tried to come up with a centralized solution for this, but failed.
>> Therefore, this need to be fixed at product-level.
>>
>> Please let us know if you see a better solution for this.
>>
>>
>>> In general CSRFGuard should work without any per-page modifications,
>>> since we are using JavaScript based attribute injection and header based
>>> protection for AJAX requests. However, there might be special cases in
>>> which these methodologies fail. Such incidences should be handled
>>> case-by-case and we will be adding all the special cases we identified in
>>> to the "Integration Checklist" of [1].
>>>
>>> We had a short offline session with Shavantha on the issue he is facing
>>> and identified that there are methods that use "
>>> *document.createElement('form')*" JavaScript call to build forms
>>> dynamically. Since CSRFGuard JavaScript will not be able to identify such
>>> forms, it is necessary to add CSRF token manually. Please see the
>>> screenshot attached which is the page source of [2]. In such situations it
>>> is required to use JSP Taglib to add CSRF token as an additional parameter.
>>> Please follow [1] for additional details.
>>>
>>> We can of cause arrange quick sessions with teams to check on any
>>> edge-case issues they are facing, relevant to CSRFGuard.
>>>
>>> [1]
>>> https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
>>> [2]
>>> https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699
>>>
>>> Best Regards,
>>> Ayoma.
>>>
>>> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe <
>>> [email protected]> wrote:
>>>
>>>> [+Dulanjan]
>>>>
>>>> Hi All
>>>>
>>>> When trying to add multiple roles to a user using a feature such as *Select
>>>> all from page 1 to page 3* or clicking on a pagination number the same
>>>> error comes and throws an error similar to[1]
>>>>
>>>> [1]
>>>> [2016-07-07 11:34:37,139] WARN - JavaLogger potential cross-site
>>>> request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1,
>>>> method:POST, uri:/t/tenant.com/carbon/user/view-roles.jsp,
>>>> error:required token is missing from the request)
>>>>
>>>>
>>>> Regards,
>>>> Shavantha Weerasinghe
>>>> Senior Software Engineer QA
>>>> WSO2, Inc.
>>>> lean.enterprise.middleware.
>>>> http://wso2.com
>>>> http://wso2.org
>>>> Tel : 94 11 214 5345
>>>> Fax :94 11 2145300
>>>>
>>>>
>>>> On Wed, Jul 6, 2016 at 4:10 PM, Hasintha Indrajee <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> When trying to perform operations through admin console, once the
>>>>> session is expired we are getting a 403 from admin console. Seems like
>>>>> this
>>>>> occurs due to CSRF filter blocking the request since the session is no
>>>>> longer available at the server side.
>>>>>
>>>>> [2016-07-06 15:34:27,576] WARN {org.owasp.csrfguard.log.JavaLogger}
>>>>> - potential cross-site request forgery (CSRF) attack thwarted
>>>>> (user:<anonymous>, ip:127.0.0.1, method:POST,
>>>>> uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp, error:request token
>>>>> does not match session token)
>>>>> --
>>>>> Hasintha Indrajee
>>>>> WSO2, Inc.
>>>>> Mobile:+94 771892453
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> [email protected]
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Ayoma Wijethunga
>>> Software Engineer
>>> Platform Security Team
>>> WSO2, Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> Mobile : +94 (0) 719428123 <+94+(0)+719428123>
>>> Blog : http://www.ayomaonline.com
>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>>
>>
>>
>>
>> --
>> Thanks & Regards,
>> Dulanja Liyanage
>> Lead, Platform Security Team
>> WSO2 Inc.
>>
>
>
>
> --
> Ayoma Wijethunga
> Software Engineer
> Platform Security Team
> WSO2, Inc.; http://wso2.com
> lean.enterprise.middleware
>
> Mobile : +94 (0) 719428123 <+94+(0)+719428123>
> Blog : http://www.ayomaonline.com
> LinkedIn: https://www.linkedin.com/in/ayoma
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
--
Rajith Roshan
Software Engineer, WSO2 Inc.
Mobile: +94-72-642-8350 <%2B94-71-554-8430>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
