Hi Rajith,

"org.owasp.csrfguard.ValidateWhenNoSessionExists" is only relevant to the session timeout scenario Hasintha mentioned.

Regarding "/fileupload/resource", please have a look at "Integration Checklist", last item from [1]. Let's have a look at the "/carbon/generic" URL separately and see what is wrong.

[1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f

Best Regards,
Ayoma.

On Sat, Jul 9, 2016 at 3:05 PM, Rajith Roshan <[email protected]> wrote:
> Hi Ayoma,
>
> We are facing this issue when uploading a registry resource and uploading rxts when the session gets expired. We have changed the "org.owasp.csrfguard.ValidateWhenNoSessionExists" property to false. But it still gives the following error messages [1],[2]. After reloading the page the issue does not happen.
>
> [1] - WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.100, method:POST, uri:/carbon/generic/save_artifact_ajaxprocessor.jsp, error:request token does not match session token)
> [2] - WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.8.100, method:POST, uri:/fileupload/resource, error:request token does not match session token)
>
> On Fri, Jul 8, 2016 at 8:03 PM, Ayoma Wijethunga <[email protected]> wrote:
>> Hi Team,
>>
>> We identified that disabling the "ValidateWhenNoSessionExists" property similar to the following can resolve the original session-timeout issue raised by Hasintha.
>>
>> org.owasp.csrfguard.ValidateWhenNoSessionExists = false
>>
>> Please add the below lines in the product "distribution" pom file to correct this behavior. This was further updated in [1] and [2] (Integration Checklist).
>>
>> <!-- Update Owasp.CsrfGuard.properties file with ValidateWhenNoSessionExists
>>      to disable validation on requests made with no valid session -->
>> <replace file="target/wso2carbon-core-${carbon.kernel.version}/repository/conf/security/Owasp.CsrfGuard.Carbon.properties"
>>          token="org.owasp.csrfguard.ValidateWhenNoSessionExists = true"
>>          value="org.owasp.csrfguard.ValidateWhenNoSessionExists = false"/>
>>
>> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit
>> [2] https://docs.google.com/document/d/1A1T-t6IjIaxunjlSyjsGuKSC-x9xl3kilNCTpZVy-EM/edit#
>>
>> Thank you,
>> Ayoma.
>>
>> On Fri, Jul 8, 2016 at 6:35 PM, Dulanja Liyanage <[email protected]> wrote:
>>> On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga <[email protected]> wrote:
>>>> Hi All,
>>>>
>>>> The original issue reported by Hasintha is relevant to how we handle session timeout conditions with the CSRFGuard filter. We are working on this and will update with a resolution.
>>>
>>> The reason for this behavior is there's no session-existence check prior to the form POST. Before CSRFGuard this was not a problem, because, upon a failure due to session timeout, one of the following would have happened:
>>>
>>> 1. in the case of an ajaxprocessor - the request would be propagated to the respective admin service, and upon its session non-existence exception, will be redirected to the login page.
>>> 2. in the case of a non-ajaxprocessor - CarbonSecuredHttpContext will redirect to the login page before hitting the actual jsp/servlet.
>>>
>>> Since CSRFGuard is a filter, it intercepts before either of the above happens and sends a 403 Forbidden - because that's what it's supposed to do.
>>>
>>> There's a platform level javascript function called sessionAwareFunction (in main.js) that can be used for this. Registry Browser uses that. We have to send the actual operation we want to do as a callback function to sessionAwareFunction. It will initially do a session validity check via /carbon/admin/jsp/session-validate.jsp and then execute what we want to do.
>>>
>>> We tried to come up with a centralized solution for this, but failed. Therefore, this needs to be fixed at product level.
>>>
>>> Please let us know if you see a better solution for this.
>>>
>>>> In general CSRFGuard should work without any per-page modifications, since we are using JavaScript based attribute injection and header based protection for AJAX requests. However, there might be special cases in which these methodologies fail. Such incidents should be handled case-by-case and we will be adding all the special cases we identified into the "Integration Checklist" of [1].
>>>>
>>>> We had a short offline session with Shavantha on the issue he is facing and identified that there are methods that use the "document.createElement('form')" JavaScript call to build forms dynamically. Since CSRFGuard JavaScript will not be able to identify such forms, it is necessary to add the CSRF token manually. Please see the screenshot attached, which is the page source of [2]. In such situations it is required to use the JSP Taglib to add the CSRF token as an additional parameter. Please follow [1] for additional details.
>>>>
>>>> We can of course arrange quick sessions with teams to check on any edge-case issues they are facing relevant to CSRFGuard.
>>>>
>>>> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
>>>> [2] https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699
>>>>
>>>> Best Regards,
>>>> Ayoma.
>>>>
>>>> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe <[email protected]> wrote:
>>>>> [+Dulanjan]
>>>>>
>>>>> Hi All
>>>>>
>>>>> When trying to add multiple roles to a user using a feature such as *Select all from page 1 to page 3* or clicking on a pagination number, the same error comes and throws an error similar to [1]
>>>>>
>>>>> [1]
>>>>> [2016-07-07 11:34:37,139] WARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/t/tenant.com/carbon/user/view-roles.jsp, error:required token is missing from the request)
>>>>>
>>>>> Regards,
>>>>> Shavantha Weerasinghe
>>>>> Senior Software Engineer QA
>>>>> WSO2, Inc.
>>>>> lean.enterprise.middleware.
>>>>> http://wso2.com
>>>>> http://wso2.org
>>>>> Tel : 94 11 214 5345
>>>>> Fax : 94 11 2145300
>>>>>
>>>>> On Wed, Jul 6, 2016 at 4:10 PM, Hasintha Indrajee <[email protected]> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> When trying to perform operations through the admin console, once the session is expired we are getting a 403 from the admin console. Seems like this occurs due to the CSRF filter blocking the request since the session is no longer available at the server side.
>>>>>>
>>>>>> [2016-07-06 15:34:27,576] WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp, error:request token does not match session token)
>>>>>>
>>>>>> --
>>>>>> Hasintha Indrajee
>>>>>> WSO2, Inc.
>>>>>> Mobile: +94 771892453
>>>>>>
>>>>>> _______________________________________________
>>>>>> Dev mailing list
>>>>>> [email protected]
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>> --
>>>> Ayoma Wijethunga
>>>> Software Engineer
>>>> Platform Security Team
>>>> WSO2, Inc.; http://wso2.com
>>>> lean.enterprise.middleware
>>>>
>>>> Mobile : +94 (0) 719428123
>>>> Blog : http://www.ayomaonline.com
>>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>>
>>> --
>>> Thanks & Regards,
>>> Dulanja Liyanage
>>> Lead, Platform Security Team
>>> WSO2 Inc.
>>
>> --
>> Ayoma Wijethunga
>> Software Engineer
>> Platform Security Team
>> WSO2, Inc.
>
> --
> Rajith Roshan
> Software Engineer, WSO2 Inc.
> Mobile: +94-72-642-8350

--
Ayoma Wijethunga
Software Engineer
Platform Security Team
WSO2, Inc.
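Added example, not code from this thread, from CSRFGuard or from Carbon: a small Python model of the filter ordering Dulanja describes (the CSRF filter runs before the application's own session check, so an expired session produces a 403 instead of the login redirect), of the effect of the ValidateWhenNoSessionExists property Ayoma and Rajith discuss, and of the "required token is missing" case from Shavantha's dynamically built form. Everything beyond the quoted log strings and the session-validate path is an assumption: the token parameter name (CSRFGuard's default, assumed unchanged in Carbon), the login page path, the idea that only POST is protected, and the class and function names.

```python
"""Simplified model of a CSRFGuard-style filter in front of a session-checked app.
Added illustration only; not CSRFGuard's or Carbon's implementation."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

TOKEN_NAME = "OWASP_CSRFTOKEN"  # assumption: CSRFGuard default token name kept
SESSION_VALIDATE_URI = "/carbon/admin/jsp/session-validate.jsp"  # named in the thread
LOGIN_URI = "/carbon/admin/login.jsp"  # assumption: login page path


@dataclass
class Request:
    method: str
    uri: str
    ip: str
    params: dict = field(default_factory=dict)   # form fields (page forms)
    headers: dict = field(default_factory=dict)  # header-based token (AJAX)


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def new_session(user: str) -> Session:
    return Session(user=user)


def request_token(req: Request) -> Optional[str]:
    # CSRFGuard accepts the token either as a parameter or as a header.
    return req.params.get(TOKEN_NAME) or req.headers.get(TOKEN_NAME)


def csrf_check(req: Request, session: Optional[Session],
               validate_when_no_session_exists: bool) -> Optional[str]:
    """Return None when the request passes, otherwise the error text the filter logs."""
    if req.method != "POST":  # assumption: only state-changing requests are protected
        return None
    if session is None:
        if not validate_when_no_session_exists:
            return None  # property = false: hand over to the app's own session check
        # property = true: the filter compares against a freshly created session
        # token, which the token embedded in the stale page can never match.
        session = new_session("<anonymous>")
    token = request_token(req)
    if token is None:
        return "required token is missing from the request"
    if not secrets.compare_digest(token, session.csrf_token):
        return "request token does not match session token"
    return None


def warn_line(req: Request, error: str) -> str:
    # Same shape as the WARN lines quoted in the thread; the quoted logs show
    # user:<anonymous> throughout, so this model does not track a remote user.
    return ("WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request "
            f"forgery (CSRF) attack thwarted (user:<anonymous>, ip:{req.ip}, "
            f"method:{req.method}, uri:{req.uri}, error:{error})")


def handle(req: Request, session: Optional[Session],
           validate_when_no_session_exists: bool = True) -> Tuple[int, str]:
    """Filter first, then the app's session check, then the page. Returns (status, detail)."""
    error = csrf_check(req, session, validate_when_no_session_exists)
    if error:
        return 403, warn_line(req, error)        # filter wins before the app sees it
    if session is None:
        return 302, LOGIN_URI                    # the redirect that used to happen
    return 200, req.uri


def session_aware_submit(session: Optional[Session],
                         build_request: Callable[[Session], Request]) -> Tuple[int, str]:
    """Client-side pattern from the thread: probe session validity, then POST."""
    probe = Request("GET", SESSION_VALIDATE_URI, "127.0.0.1")
    status, _ = handle(probe, session)
    if status != 200:
        return 302, LOGIN_URI                    # go to login instead of a 403
    return handle(build_request(session), session)


if __name__ == "__main__":
    live = new_session("admin")
    # 1. Expired session, stale token from the old page, property at its default (true).
    stale = Request("POST", "/carbon/userprofile/set-finish-ajaxprocessor.jsp",
                    "127.0.0.1", params={TOKEN_NAME: live.csrf_token})
    print(handle(stale, None, True))   # 403 with "does not match session token"
    print(handle(stale, None, False))  # 302 to the login page instead
    # 2. Dynamically built form that never received the token.
    no_token = Request("POST", "/t/tenant.com/carbon/user/view-roles.jsp",
                       "127.0.0.1", params={"username": "bob"})
    print(handle(no_token, live))      # 403 with "required token is missing"
    # 3. Session-aware submit short-circuits to login when the session is gone.
    print(session_aware_submit(None, lambda s: stale))
```

The decisive detail is the order inside `handle`: the filter's verdict is computed before the session-existence check, which is exactly why the property matters only for the expired-session case and why a form missing the token fails even with a live session.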
