Produced by Araxis Merge on 10/31/2017 10:05:16 AM Central Daylight Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.
| # | Location | File | Last Modified |
|---|---|---|---|
| 1 | esr.zip\esr\APP-INF\classes | csrfguard.properties | Tue Oct 3 17:08:04 2017 UTC |
| 2 | esr.zip\esr\APP-INF\classes | csrfguard.properties | Tue Oct 31 14:08:29 2017 UTC |
Between Files 1 and 2:

| Description | Text Blocks | Lines |
|---|---|---|
| Unchanged | 2 | 866 |
| Changed | 1 | 2 |
| Inserted | 0 | 0 |
| Removed | 0 | 0 |
| Whitespace | |
|---|---|
| Character case | Differences in character case are significant |
| Line endings | Differences in line endings (CR and LF characters) are ignored |
| CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
```properties
# The OWASP CSRFGuard Project, BSD License
# Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
#    this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of OWASP nor the names of its contributors may be used
#    to endorse or promote products derived from this software without specific
#    prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties

# Common substitutions
# %servletContext% is the servlet context (e.g. the configured app prefix or war file name, or blank).
# e.g. if you deploy a default warfile as someApp.war, then %servletContext% will be /someApp;
# if there isn't a context it will be the empty string.  So to use this in the configuration, use e.g. %servletContext%/something.html
# which will translate to e.g. /someApp/something.html

# Logger
#
# The logger property (org.owasp.csrfguard.Logger) defines the qualified class name of
# the object responsible for processing all log messages produced by CSRFGuard. The default
# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class logs all messages
# to System.out which JavaEE application servers redirect to a vendor specific log file.
# Developers can customize the logging behavior of CSRFGuard by implementing the
# org.owasp.csrfguard.log.ILogger interface and setting the logger property to the new
# logger's qualified class name. The following configuration snippet instructs OWASP CSRFGuard
# to capture all log messages to the console:
#
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
#org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger

# Which configuration provider factory you want to use.  The default is org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
# Another configuration provider has more features including config overlays: org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory
# The default configuration provider is: org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
# which will look for an overlay file; if it is there and the factory inside that file is set, it will use it, otherwise PropertiesConfigurationProviderFactory will be used.
# It needs to implement org.owasp.csrfguard.config.ConfigurationProviderFactory
org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory


# If csrfguard filter is enabled
org.owasp.csrfguard.Enabled = true

# If csrf guard filter should check even if there is no session for the user
# Note: this changed around 2014/04, the default behavior used to be to
# not check if there is no session.  If you want the legacy behavior (if your app
# is not susceptible to CSRF if the user has no session), set this to false
org.owasp.csrfguard.ValidateWhenNoSessionExists = true

# New Token Landing Page
#
# The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage) defines where
# to send a user if the token is being generated for the first time, and the use new token landing
# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage) determines if any redirect happens.
# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not specified, and to true
# if it is specified. If UseNewTokenLandingPage is set true then this request is generated
# using auto-posting forms and will only contain the CSRF prevention token parameter, if
# applicable. All query-string or form parameters sent with the original request will be
# discarded. If this property is not defined, CSRFGuard will instead auto-post the user to the
# original context and servlet path. The following configuration snippet instructs OWASP CSRFGuard to
# redirect the user to %servletContext%/index.html when the user visits a protected resource
# without having a corresponding CSRF token present in the HttpSession object:
#
# org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/index.html


# Protected Methods
#
# The protected methods property (org.owasp.csrfguard.ProtectedMethods) defines a comma
# separated list of HTTP request methods that should be protected by CSRFGuard. The default
# list is an empty list which will cause all HTTP methods to be protected, thus preserving
# legacy behavior. This setting allows the user to inform CSRFGuard that only requests of the
# given types should be considered for protection. All HTTP methods not in the list will be
# considered safe (i.e. view only / unable to modify data). This should be used only when the
# user has concrete knowledge that all requests made via methods not in the list
# are safe (i.e. do not apply an action to any data) since it can actually introduce new
# security vulnerabilities. For example: the user thinks that all actionable requests are
# only available by POST requests when in fact some are available via GET requests. If the
# user has excluded GET requests from the list then they have introduced a vulnerability.
# The following configuration snippet instructs OWASP CSRFGuard to protect only the POST,
# PUT, and DELETE HTTP methods.
#
org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE

# or you can configure all to be protected, and specify which is unprotected.  This is the preferred approach

org.owasp.csrfguard.UnprotectedMethods=GET

# Unique Per-Page Tokens
#
# The unique token per-page property (org.owasp.csrfguard.TokenPerPage) is a boolean value that
# determines if CSRFGuard should make use of unique per-page (i.e. URI) prevention tokens as
# opposed to unique per-session prevention tokens. When a user requests a protected resource,
# CSRFGuard will determine if a page specific token has been previously generated. If a page
# specific token has not yet been previously generated, CSRFGuard will verify the request was
# submitted with the per-session token intact. After verifying the presence of the per-session token,
# CSRFGuard will create a page specific token that is required for all subsequent requests to the
# associated resource. The per-session CSRF token can only be used when requesting a resource for
# the first time. All subsequent requests must have the per-page token intact or the request will
# be treated as a CSRF attack. This behavior can be changed with the org.owasp.csrfguard.TokenPerPagePrecreate
# property. Enabling this property will make CSRFGuard calculate the per page token prior to a first
# visit. This option only works with JSTL token injection and is useful for preserving the validity of
# links if the user pushes the back button. There may be a performance impact when enabling this option
# if the .jsp has a large number of protected links that need tokens to be calculated.
# Use of the unique token per page property is currently experimental
# but provides a significant amount of improved security. Consider the exposure of a CSRF token using
# the legacy unique per-session model. Exposure of this token facilitates the attacker's ability to
# carry out a CSRF attack against the victim's active session for any resource exposed by the web
# application. Now consider the exposure of a CSRF token using the experimental unique token per-page
# model. Exposure of this token would only allow the attacker to carry out a CSRF attack against the
# victim's active session for a small subset of resources exposed by the web application. Use of the
# unique token per-page property is a strong defense in depth strategy significantly reducing the
# impact of exposed CSRF prevention tokens. The following configuration snippet instructs OWASP
# CSRFGuard to utilize the unique token per-page model:
#
# org.owasp.csrfguard.TokenPerPage=true
# org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.TokenPerPage=false
org.owasp.csrfguard.TokenPerPagePrecreate=false

# Token Rotation
#
# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean value that determines if
# CSRFGuard should generate and utilize a new token after verifying the previous token. Rotation
# helps minimize the window of opportunity an attacker has to leverage the victim's stolen token
# in a targeted CSRF attack. However, this functionality generally causes navigation problems in
# most applications. Specifically, the 'Back' button in the browser will often cease to function
# properly. When a user hits the 'Back' button and interacts with the HTML, the browser may submit
# an old token causing CSRFGuard to incorrectly believe this request is a CSRF attack in progress
# (i.e. a 'false positive'). Users can prevent this scenario by preventing the caching of HTML pages
# containing FORM submissions using the cache-control header. However, this may also introduce
# performance problems as the browser will have to request HTML on a more frequent basis. The following
# configuration snippet enables token rotation:
#
# org.owasp.csrfguard.Rotate=true

# Ajax and XMLHttpRequest Support
#
# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that indicates whether or not OWASP
# CSRFGuard should support the injection and verification of unique per-session prevention tokens for
# XMLHttpRequests. To leverage Ajax support, the user must not only set this property to true but must
# also reference the JavaScript DOM Manipulation code using a script element. This dynamic script will
# override the send method of the XMLHttpRequest object to ensure the submission of an X-Requested-With
# header name value pair coupled with the submission of a custom header name value pair for each request.
# The name of the custom header is the value of the token name property and the value of the header is
# always the unique per-session token value. This custom header is analogous to the HTTP parameter name
# value pairs submitted via traditional GET and POST requests. If the X-Requested-With header was sent
# in the HTTP request, then CSRFGuard will look for the presence and ensure the validity of the unique
# per-session token in the custom header name value pair. Note that verification of these headers takes
# precedence over verification of the CSRF token supplied as an HTTP parameter. More specifically,
# CSRFGuard does not verify the presence of the CSRF token if the Ajax support property is enabled and
# the corresponding X-Requested-With and custom headers are embedded within the request. The following
# configuration snippet instructs OWASP CSRFGuard to support Ajax requests by verifying the presence and
# correctness of the X-Requested-With and custom headers:
#
# org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.Ajax=false

# The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
# If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected.
# All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*),
# but you only want to protect a few pages.
#
# org.owasp.csrfguard.Protect=true

# Unprotected Pages:
#
# The unprotected pages property (org.owasp.csrfguard.unprotected.*) defines a series of pages that
# should not be protected by CSRFGuard. Such configurations are useful when the CsrfGuardFilter is
# aggressively mapped (ex: /*). The syntax of the property name is org.owasp.csrfguard.unprotected.[PageName],
# where PageName is some arbitrary identifier that can be used to reference a resource. The syntax of
# defining the uri of unprotected pages is the same as the syntax used by the JavaEE container for uri mapping.
# Specifically, CSRFGuard will identify the first match (if any) between the requested uri and an unprotected
# page in order of declaration. Match criteria are as follows:
#
# Case 1: exact match between request uri and unprotected page
# Case 2: longest path prefix match, beginning / and ending /*
# Case 3: extension match, beginning *.
# Case 4: if the value starts with ^ and ends with $, it will be evaluated as a regex.  Note that before the
#    regex is compiled, any common variables will be substituted (e.g. %servletContext%)
# Default: requested resource must be validated by CSRFGuard
#
# The following code snippet illustrates the four use cases over four examples. The first two examples
# (Tag and JavaScriptServlet) look for direct URI matches. The third example (Html) looks for all resources
# ending in a .html extension. The next example (Public) looks for all resources prefixed with the URI path /MySite/Public/*.
# The last example looks for resources that end in Public.do
#
# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
# org.owasp.csrfguard.unprotected.Html=*.html
# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
# regex example starts with ^ and ends with $, and the %servletContext% is evaluated before the regex
# org.owasp.csrfguard.unprotected.PublicServlet=^%servletContext%/.*Public\.do$

#org.owasp.csrfguard.unprotected.Default=%servletContext%/
#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
#org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
#org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
#org.owasp.csrfguard.unprotected.Session=%servletContext%/logon.jsp
#org.owasp.csrfguard.unprotected.Search=%servletContext%/admin/*
#org.owasp.csrfguard.unprotected.Comms=%servletContext%/comms/*
#org.owasp.csrfguard.unprotected.Demographics=%servletContext%/demographic/*
#org.owasp.csrfguard.unprotected.Ee=%servletContext%/ee/*
#org.owasp.csrfguard.unprotected.Facility=%servletContext%/facility/*
#org.owasp.csrfguard.unprotected.Financials=%servletContext%/Financials/*
#org.owasp.csrfguard.unprotected.Message=%servletContext%/message/*
#org.owasp.csrfguard.unprotected.Militaryservice=%servletContext%/militaryservice/*
#org.owasp.csrfguard.unprotected.Person=%servletContext%/person/*
#org.owasp.csrfguard.unprotected.Report=%servletContext%/report/*
#org.owasp.csrfguard.unprotected.Signature=%servletContext%/signature/*
#org.owasp.csrfguard.unprotected.Tiles=%servletContext%/tiles/*
#org.owasp.csrfguard.unprotected.Voa=%servletContext%/voa/*
#org.owasp.csrfguard.unprotected.Workflow=%servletContext%/workflow/*
org.owasp.csrfguard.unprotected.Scripts=%servletContext%/scripts/*
org.owasp.csrfguard.unprotected.Images=%servletContext%/images/*
org.owasp.csrfguard.unprotected.Tiles=%servletContext%/tiles/*
org.owasp.csrfguard.unprotected.PersonMergeLayout=%servletContext%/person/personMergeLayout.jsp



# Actions: Responding to Attacks
#
# The actions directive (org.owasp.csrfguard.action.*) gives the user the ability to specify one or more
# actions that should be invoked when a CSRF attack is detected. Every action must implement the
# org.owasp.csrfguard.action.IAction interface either directly or indirectly through the
# org.owasp.csrfguard.action.AbstractAction helper class. Many actions accept parameters that can be specified
# along with the action class declaration. These parameters are consumed at runtime and impact the behavior of
# the associated action.
#
# The syntax for defining and configuring CSRFGuard actions is relatively straightforward. Let us assume we wish
# to redirect the user to a default page when a CSRF attack is detected. A redirect action already exists within
# the CSRFGuard bundle and is available via the class name org.owasp.csrfguard.actions.Redirect. In order to enable
# this action, we capture the following declaration in the Owasp.CsrfGuard.properties file:
#
# syntax: org.owasp.csrfguard.action.[actionName]=[className]
# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect
#
# The aforementioned directive declares an action called "Redirect" (i.e. [actionName]) referencing the Java class
# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a CSRF attack is detected, the Redirect action
# will be executed. You may be asking yourself, "but how do I specify where the user is redirected?"; this is where
# action parameters come into play. In order to specify the redirect location, we capture the following declaration
# in the Owasp.CsrfGuard.properties file:
#
# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[parameterValue]
#org.owasp.csrfguard.action.Redirect.ErrorPage=%servletContext%/message/errorMessage.jsp
#
# The aforementioned directive declares an action parameter called "ErrorPage" (i.e. [parameterName]) with the value
# of "%servletContext%/error.html" (i.e. [parameterValue]) for the action "Redirect" (i.e. [actionName]). The
# Redirect action expects the "ErrorPage" parameter to be defined and will redirect the user to this location when
# an attack is detected.
#
#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page = https:// DNS .iam. DNS /CentralLogin/csserror.aspx
#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
#org.owasp.csrfguard.action.RequestAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
#org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
#org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
#org.owasp.csrfguard.action.Error.Code=403
#org.owasp.csrfguard.action.Error.Message=Security violation.

# Token Name
#
# The token name property (org.owasp.csrfguard.TokenName) defines the name of the HTTP parameter
# to contain the value of the OWASP CSRFGuard token for each request. The following configuration
# snippet sets the CSRFGuard token parameter name to the value OWASP_CSRFTOKEN:
#
# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN

# Session Key
#
# The session key property (org.owasp.csrfguard.SessionKey) defines the string literal used to save
# and lookup the CSRFGuard token from the session. This value is used by the filter and the tag
# libraries to retrieve and set the token value in the session. Developers can use this key to
# programmatically lookup the token within their own code. The following configuration snippet sets
# the session key to the value OWASP_CSRFTOKEN:
#
# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN

# Token Length
#
# The token length property (org.owasp.csrfguard.TokenLength) defines the number of characters that
# should be found within the CSRFGuard token. Note that characters are delimited by dashes (-) in groups
# of four. For cosmetic reasons, users are encouraged to ensure the token length is divisible by four.
# The following configuration snippet sets the token length property to 32 characters:
#
# org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.TokenLength=32

# Pseudo-random Number Generator
#
# The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used
# to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong
# pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number
# generator to SHA1PRNG:
#
# org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.PRNG=SHA1PRNG

# Pseudo-random Number Generator Provider

# The pseudo-random number generator provider property (org.owasp.csrfguard.PRNG.Provider) defines which
# provider's implementation of org.owasp.csrfguard.PRNG we should utilize. The following configuration
# snippet instructs the JVM to leverage SUN's implementation of the algorithm denoted by the
# org.owasp.csrfguard.PRNG property:

# org.owasp.csrfguard.PRNG.Provider=SUN
org.owasp.csrfguard.PRNG.Provider=SUN

# If not specifying the print config option in the web.xml, you can specify it here, to print the config
# on startup
org.owasp.csrfguard.Config.Print = true

###########################
## Javascript servlet settings if not set in web.xml
## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
###########################

# leave this blank and blank in web.xml and it will read from META-INF/csrfguard.js from the jarfile
# Denotes the location of the JavaScript template file that should be consumed and dynamically
# augmented by the JavaScriptServlet class. The default value is WEB-INF/Owasp.CsrfGuard.js.
# Use of this property and the existence of the specified template file is required.
org.owasp.csrfguard.JavascriptServlet.sourceFile =

# Boolean value that determines whether or not the dynamic JavaScript code should be strict
# with regards to what links it should inject the CSRF prevention token. With a value of true,
# the JavaScript code will only place the token in links that point to the same exact domain
# from which the HTML originated. With a value of false, the JavaScript code will place the
# token in links that not only point to the same exact domain from which the HTML originated,
# but sub-domains as well.
org.owasp.csrfguard.JavascriptServlet.domainStrict = true

# Allows the developer to specify the value of the Cache-Control header in the HTTP response
# when serving the dynamic JavaScript file. The default value is private, maxage=28800.
# Caching of the dynamic JavaScript file is intended to minimize traffic and improve performance.
# Note that the Cache-Control header is always set to "no-store" when either the "Rotate" or
# "TokenPerPage" option is set to true in Owasp.CsrfGuard.properties.
org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800

# Allows the developer to specify a regular expression describing the required value of the
# Referer header. Any attempt to access the servlet with a Referer header that does not
# match the captured expression is discarded. Inclusion of referer header checking is to
# help minimize the risk of JavaScript Hijacking attacks that attempt to steal tokens from
# the dynamically generated JavaScript. While the primary defenses against JavaScript
# Hijacking attacks are implemented within the dynamic JavaScript itself, referer header
# checking is implemented to achieve defense in depth.
org.owasp.csrfguard.JavascriptServlet.refererPattern = .*

# Similar to javascript servlet referer pattern, but this will make sure the referer of the
# javascript servlet matches the domain of the request.  If there is no referer (proxy strips it?)
# then it will not fail.  Generally this is a good idea to be true.
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true

# Boolean value that determines whether or not the dynamic JavaScript code should
# inject the CSRF prevention token as a hidden field into HTML forms. The default
# value is true. Developers are strongly discouraged from disabling this property
# as most server-side state changing actions are triggered via a POST request.
org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true

# if the token should be injected in GET forms (which will be on the URL)
# if the HTTP method GET is unprotected, then this should likely be false
org.owasp.csrfguard.JavascriptServlet.injectGetForms = true

# if the token should be injected in the action in forms
# note, if injectIntoForms is true, then this might not need to be true
org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true


# Boolean value that determines whether or not the dynamic JavaScript code should
# inject the CSRF prevention token in the query string of src and href attributes.
# Injecting the CSRF prevention token in a URL resource increases its general risk
# of exposure to unauthorized parties. However, most JavaEE web applications respond
# in the exact same manner to HTTP requests and their associated parameters regardless
# of the HTTP method. The risk associated with not protecting GET requests in this
# situation is perceived greater than the risk of exposing the token in protected GET
# requests. As a result, the default value of this attribute is set to true. Developers
# that are confident their server-side state changing controllers will only respond to
# POST requests (i.e. discarding GET requests) are strongly encouraged to disable this property.
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true


org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project

###########################
## Config overlay settings if you have the provider above set to ConfigurationOverlayProvider
## This CSRF config provider uses Internet2 Configuration Overlays (documented on Internet2 wiki)
## By default the configuration is read from the Owasp.CsrfGuard.properties
## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties overlays
## the base settings.  See the Owasp.CsrfGuard.properties for the possible
## settings that can be applied to the Owasp.CsrfGuard.overlay.properties
###########################

# comma separated config files that override each other (files on the right override the left)
# each should start with file: or classpath:
# e.g. classpath:Owasp.CsrfGuard.properties, file:c:/temp/myFile.properties
org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties, classpath:Owasp.CsrfGuard.overlay.properties

# seconds between checking to see if the config files are updated
org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60


###########################
```
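The unprotected-page rules in the file above (exact match, `/.../*` path prefix, `*.ext` extension, `^...$` regex with `%servletContext%` substituted first) and the `UnprotectedMethods`/`ProtectedMethods` lists together decide whether a request is checked for a token. The following Python model, added here as an illustration and not code from the CSRFGuard project, reads a constructed properties snippet built from the commented examples, applies the four cases in the order the comments list them (taking the longest matching prefix in Case 2), and then combines the method and page rules into one decision. The function names, the assumption that the URI is the request path without a query string, and the precedence of `UnprotectedMethods` over `ProtectedMethods` are this model's own choices, not something the configuration file states.

```python
"""Model of CSRFGuard's unprotected-page matching as described in the
csrfguard.properties comments (added example, not project code)."""
import re

# Constructed sample: the example entries from the comments, in declaration order.
SAMPLE_PROPERTIES = """
# comments and blank lines are ignored
org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
org.owasp.csrfguard.unprotected.Html=*.html
org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
org.owasp.csrfguard.unprotected.PublicServlet=^%servletContext%/.*Public\\.do$
org.owasp.csrfguard.UnprotectedMethods=GET
"""

UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."


def parse_properties(text):
    """Minimal .properties reader: skips '#'/'!' comments and blank lines,
    splits on the first '=', and keeps declaration order (a list, not a dict)."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def unprotected_pages(pairs):
    """Values of every org.owasp.csrfguard.unprotected.[PageName] entry, in order."""
    return [v for k, v in pairs if k.startswith(UNPROTECTED_PREFIX)]


def match_unprotected(uri, pages, servlet_context=""):
    """Return the pattern that exempts `uri` from token validation, or None.

    `uri` is assumed to be the request path without a query string.
    %servletContext% is substituted into every pattern before matching,
    which for Case 4 means before the regex is compiled, as the comments say.
    """
    patterns = [p.replace("%servletContext%", servlet_context) for p in pages]

    # Case 1: exact match between request URI and unprotected page.
    for p in patterns:
        if p == uri:
            return p

    # Case 2: longest path prefix match, pattern beginning "/" and ending "/*".
    # Requiring the "/" boundary keeps "/Public/*" from exempting "/Publication".
    best = None
    for p in patterns:
        if p.startswith("/") and p.endswith("/*"):
            prefix = p[:-2]
            if uri == prefix or uri.startswith(prefix + "/"):
                if best is None or len(p) > len(best):
                    best = p
    if best is not None:
        return best

    # Case 3: extension match, pattern beginning "*.".
    for p in patterns:
        if p.startswith("*.") and uri.endswith(p[1:]):
            return p

    # Case 4: value starting with "^" and ending with "$" is a regex.
    for p in patterns:
        if p.startswith("^") and p.endswith("$") and re.fullmatch(p, uri):
            return p

    return None  # Default: the resource must be validated by CSRFGuard.


def _method_list(props, key):
    return {m.strip().upper() for m in props.get(key, "").split(",") if m.strip()}


def requires_token(method, uri, pairs, servlet_context=""):
    """Combine the method rules with the page rules. In this model an
    UnprotectedMethods entry wins, then a non-empty ProtectedMethods list
    restricts checking to the listed methods, then the page rules apply."""
    props = dict(pairs)
    method = method.upper()
    if method in _method_list(props, "org.owasp.csrfguard.UnprotectedMethods"):
        return False
    protected = _method_list(props, "org.owasp.csrfguard.ProtectedMethods")
    if protected and method not in protected:
        return False
    return match_unprotected(uri, unprotected_pages(pairs), servlet_context) is None


if __name__ == "__main__":
    pairs = parse_properties(SAMPLE_PROPERTIES)
    for method, uri in [("POST", "/someApp/transfer.do"), ("GET", "/someApp/transfer.do"),
                        ("POST", "/someApp/Public/docs/a.jsp"), ("POST", "/someApp/Publication")]:
        print(f"{method:4} {uri:32} token required: {requires_token(method, uri, pairs, '/someApp')}")
```

Run it with a deployment context such as `/someApp` and with the empty string to see how the same pattern list behaves for a root deployment; the `/someApp/Publication` row shows why the prefix rule must check for the `/` boundary rather than a bare string prefix.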
Araxis Merge (but not the data content of this report) is Copyright © 1993-2016 Araxis Ltd (www.araxis.com). All rights reserved.