abimael93 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
3 stars 2 forks source link

AntiCSRF Tokens - JSP Tags #162

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
This is a set of Java files and a TLD for generating secure random numbers for 
Anti-CSRF JSP Tags.

<csrftoken>  adds a hidden input into a form field, generating a new Anti-CSRF 
token for the session if it exists or else creating a new one

<csrfcheck> checks to see if the Anti-CSRF token submitted matches the one in 
the session. A mismatch causes a new CSRFTokenException to be thrown.

Original issue reported on code.google.com by rkli...@gmail.com on 31 Oct 2010 at 2:03

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 1 Nov 2010 at 4:27

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 1 Nov 2010 at 12:52

GoogleCodeExporter commented 9 years ago
how will the jsp calling the above tools be like.
I am a little confused with when should i set the csrf token in the request 
paremeter. Should that be onsubmit?

Original comment by brijesh....@gmail.com on 6 Jul 2011 at 8:10

GoogleCodeExporter commented 9 years ago
Hi,

As per the above mentioned mechanism, we are adding a secret token as a hidden 
field in JSP and hence it's passed in the request. 

As we are passing is it in a jsp as a hidden field the attacker would be able 
to find the value of the secret token and could add the same in his malicious 
request also. On such a scenario, we would not be able to differentiate the 
malicious and intended request rite?

Apologies if my understanding is wrong! and requesting you to explain briefly 
in i have understood wrongly.

Thanks!

Original comment by robinspe...@gmail.com on 7 Jun 2013 at 6:10