jforum 2.4.0 and Csrf Guard
Spencer


Joined: 2013/9/12
Posts: 18
Offline
I am trying to upgrade to 2.4.0.

It interferes with my application. I tried changing various settings in csrfguard.properties but they did not seem to have any effect.

Everything seems to work if I disable the CSRFGuard filter mapping in web.xml. But even if I only have it filter map the forum pages it has problems that report "HTTP Status 500 - Internal Server Error" with the following on the server:

Info:   [Tue Apr 14 00:34:57 EDT 2015] [Info] CsrfGuard analyzing request /MapBake/forums/list.page
Warning:   StandardWrapperValve[jforum]: Servlet.service() for servlet jforum threw exception
java.lang.IllegalStateException: CsrfGuard expects the token to exist in session at this point
	at org.owasp.csrfguard.CsrfGuard.isValidRequest(CsrfGuard.java:386)
	at net.jforum.csrf.CsrfFilter.doFilter(CsrfFilter.java:95)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
	at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
	at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
	at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:357)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
	at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
	at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
	at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
	at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
	at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
	at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
	at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
	at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
	at java.lang.Thread.run(Thread.java:745)


Is there something that needs to be done to have the token created?

Thanks,
Spencer
andowson


Joined: 2011/6/30
Posts: 193
Offline
You can check the csrf related config files:
WEB-INF/config/csrf.properties
Change
list=NoCsrfWorriesHere
to
list=AddToken

WEB-INF/config/csrfguard.properties
Maybe you need to change the org.owasp.csrfguard.NewTokenLandingPage parameter

I don't know if it works, you can try it and report the result.
Spencer


Joined: 2013/9/12
Posts: 18
Offline
In csrf.properties I set list=AddToken

Since I changed the index.jsp that came with jforum to forum.jsp, in csrfguard.properties I set org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/forum.jsp

I did get further. I was able to go through the forums but when I try to open a post it thinks it is a cross-site request forgery and directs the browser to %servletContext%/error.html?OWASP_CSRFTOKEN=PBDD-410O-6Z38-IB97-MU6N-HCIG-IUT6-R8D2

On the server it has:

Info:   [Wed Apr 15 19:15:59 EDT 2015] [Info] CsrfGuard analyzing request /MapBake/forums/show/1.page
Info:   [Wed Apr 15 19:16:04 EDT 2015] [Info] CsrfGuard analyzing request /MapBake/posts/list/16.page
Severe:   [Wed Apr 15 19:16:04 EDT 2015] [Error] potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:0:0:0:0:0:0:0:1, method:%request_method%, uri:list, error:required token is missing from the request)
Severe:   An exception or error occurred in the container during the request processing
java.lang.IllegalStateException: isHexDigit
	at org.glassfish.grizzly.http.util.URLDecoder.decode(URLDecoder.java:243)
	at org.glassfish.grizzly.http.util.URLDecoder.decodeAscii(URLDecoder.java:159)
	at org.glassfish.grizzly.http.util.URLDecoder.decode(URLDecoder.java:71)
	at org.glassfish.grizzly.http.util.HttpRequestURIDecoder.decode(HttpRequestURIDecoder.java:160)
	at org.glassfish.grizzly.http.util.RequestURIRef.getDecodedRequestURIBC(RequestURIRef.java:133)
	at org.glassfish.grizzly.http.util.RequestURIRef.getDecodedRequestURIBC(RequestURIRef.java:114)
	at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:435)
	at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:297)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
	at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
	at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
	at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
	at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
	at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
	at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
	at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
	at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
	at java.lang.Thread.run(Thread.java:745)

andowson


Joined: 2011/6/30
Posts: 193
Offline
I think there is no need to modify csrf.properties. Change it back to
list=NoCsrfWorriesHere
and try again.
Spencer


Joined: 2013/9/12
Posts: 18
Offline
It seems to be working. Is there a way to simulate a Cross Site Request Forgery for testing? When it was incorrectly identifying a csrf it seemed to redirect to a non-existent page.

Also, I set the web.xml to map the filtering of csrfguard to *.page. Are there any others that should also be checked?
Spencer


Joined: 2013/9/12
Posts: 18
Offline
I finally enabled csrf a couple days ago on my live site and from the logs I see it analyzing requests.

Then today I got an error and had this in the log:

[Sun May 10 01:28:10 UTC 2015] [Info] CsrfGuard analyzing request /forums/list.page
May 10, 2015 1:28:10 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [jforum] in context with path [] threw exception
java.lang.IllegalStateException: CsrfGuard expects the token to exist in session at this point
	at org.owasp.csrfguard.CsrfGuard.isValidRequest(CsrfGuard.java:386)
	at net.jforum.csrf.CsrfFilter.doFilter(CsrfFilter.java:95)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)


andowson


Joined: 2011/6/30
Posts: 193
Offline
Hi Spencer,
Last time you said you set the web.xml to map the filtering of csrfguard to *.page.
Maybe you need to change it back to /*.
Spencer


Joined: 2013/9/12
Posts: 18
Offline
Yes, I did limit it to *.page

When I did not do this the token interfered with the functionality of the site.

I will see if I can isolate the csrf so it does not interfere.

It would be good to have a test scenario for when csrf does prevent access to ensure that has proper behavior (and maybe an email notification of any problems).
Spencer


Joined: 2013/9/12
Posts: 18
Offline
When I enable csrf, in addition to breaking my site, on the server I get many of the following errors:

Warning:   StandardWrapperValve[default]: Servlet.service() for servlet default threw exception
java.lang.IllegalStateException: Cannot create a session after the response has been committed
	at org.apache.catalina.connector.Request.doGetSession(Request.java:3251)
	at org.apache.catalina.connector.Request.getSession(Request.java:2884)
	at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:908)
	at net.jforum.csrf.CsrfFilter.doFilter(CsrfFilter.java:72)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
	at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
	at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
	at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:357)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
	at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
	at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
	at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
	at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
	at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
	at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
	at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
	at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
	at java.lang.Thread.run(Thread.java:745)


Then if I try to reload the page it intercepts the ajax calls (even if I turn off ajax and unprotect them in the csrfguard.properties) and I get:

Info:   [Mon May 11 13:32:06 EDT 2015] [Info] CsrfGuard analyzing request /MapBake/MB1
Severe:   [Mon May 11 13:32:06 EDT 2015] [Error] potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:0:0:0:0:0:0:0:1, method:%request_method%, uri:unknown module for /MapBake/MB1, error:required token is missing from the request)
Severe:   An exception or error occurred in the container during the request processing
java.lang.IllegalStateException: isHexDigit
	at org.glassfish.grizzly.http.util.URLDecoder.decode(URLDecoder.java:243)
	at org.glassfish.grizzly.http.util.URLDecoder.decodeAscii(URLDecoder.java:159)
	at org.glassfish.grizzly.http.util.URLDecoder.decode(URLDecoder.java:71)
	at org.glassfish.grizzly.http.util.HttpRequestURIDecoder.decode(HttpRequestURIDecoder.java:160)
	at org.glassfish.grizzly.http.util.RequestURIRef.getDecodedRequestURIBC(RequestURIRef.java:133)
	at org.glassfish.grizzly.http.util.RequestURIRef.getDecodedRequestURIBC(RequestURIRef.java:114)
	at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:435)
	at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:297)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
	at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
	at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
	at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
	at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
	at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
	at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
	at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
	at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
	at java.lang.Thread.run(Thread.java:745)
andowson


Joined: 2011/6/30
Posts: 193
Offline
For the "java.lang.IllegalStateException: Cannot create a session after the response has been committed" issue,
try changing the order of filters in web.xml as follows (make the CSRFGuard filter the last filter):
  <!-- Clickstream -->
  <filter>
    <filter-name>clickstream-jforum</filter-name>
    <filter-class>net.jforum.util.legacy.clickstream.ClickstreamFilter</filter-class>
  </filter>

  <!-- CSRF Protection -->
  <filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>net.jforum.csrf.CsrfFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>clickstream-jforum</filter-name>
    <url-pattern>*.page</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>


And for the "unknown module for /MapBake/MB1" issue,
try adding it as an unprotected page, like this:
org.owasp.csrfguard.unprotected.MB1=/MapBake/MB1
Spencer


Joined: 2013/9/12
Posts: 18
Offline
The changes had no effect. The same problems occur.

My unprotected settings (which seem to have no effect) are:

org.owasp.csrfguard.unprotected.Default=%servletContext%/
org.owasp.csrfguard.unprotected.Local=%servletContext%/MapBake
org.owasp.csrfguard.unprotected.Ajax=%servletContext%/MB1*
org.owasp.csrfguard.unprotected.Ajax2=/MB1*
org.owasp.csrfguard.unprotected.AjaxLocal=%servletContext%/MapBake/MB1*
org.owasp.csrfguard.unprotected.AjaxLocal2=/MapBake/MB1*
org.owasp.csrfguard.unprotected.MB1=MB1*
org.owasp.csrfguard.unprotected.allMB1=*MB1
org.owasp.csrfguard.unprotected.Jsp=*.jsp
org.owasp.csrfguard.unprotected.Jpeg=*.jpg
org.owasp.csrfguard.unprotected.Gif=*.gif
org.owasp.csrfguard.unprotected.Png=*.png
org.owasp.csrfguard.unprotected.Css=*.css
org.owasp.csrfguard.unprotected.Flash=*.swf
org.owasp.csrfguard.unprotected.JavaScript=*.js

The /MapBake is only on my local testing server and will not be needed/used on the live server.
jondaqs


Joined: 2016/4/7
Posts: 1
Offline
In the web.xml file, I changed the "Owasp.CsrfGuard.Config.Print" property to false.
In the csrfGuard config properties file I replaced the "%servletcontext%" string with an empty string.

Perhaps this will help someone searching for this in the future.
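In Spencer's second trace the browser is redirected to the literal "%servletContext%/error.html?OWASP_CSRFTOKEN=..." and the container's URL decoder then fails with isHexDigit, since "%se" is not a valid percent escape; blanking the placeholder, as jondaqs did, removes exactly that. The lint below is an added example (not JForum or CSRFGuard code) that flags unresolved placeholders and malformed escapes in URL-valued settings before they reach a browser; the properties text is constructed and the Redirect.Page key name is an assumption.

```python
"""Lint URL-valued CSRFGuard settings for unresolved %name% placeholders and
'%' escapes a strict URL decoder rejects. Added example, not JForum/CSRFGuard code."""
import re
from string import hexdigits

PLACEHOLDER_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")  # e.g. %servletContext%
URL_KEY_SUFFIXES = ("NewTokenLandingPage", ".Page")       # '.Page' is assumed

def strict_percent_decode(s: str) -> str:
    """Decode %XX escapes strictly: every '%' needs exactly two hex digits."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != "%":
            out += s[i].encode("utf-8")
            i += 1
            continue
        hh = s[i + 1:i + 3]
        if len(hh) != 2 or any(ch not in hexdigits for ch in hh):
            raise ValueError(f"isHexDigit: bad escape {s[i:i + 3]!r} at offset {i}")
        out.append(int(hh, 16))
        i += 3
    return out.decode("utf-8", errors="replace")

def lint_url_setting(key: str, value: str) -> list:
    """Report unresolved placeholders and malformed escapes in one setting."""
    problems = [f"{key}: unresolved placeholder {m.group()}"
                for m in PLACEHOLDER_RE.finditer(value)]
    try:
        strict_percent_decode(value)
    except ValueError as exc:
        problems.append(f"{key}: {exc}")
    return problems

def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties-style parser: key=value, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, sep, val = line.partition("=")
            if sep:
                props[key.strip()] = val.strip()
    return props

def lint_properties(text: str) -> list:
    """Lint every URL-valued setting in a properties file body."""
    return [p for key, value in parse_properties(text).items()
            if key.endswith(URL_KEY_SUFFIXES)
            for p in lint_url_setting(key, value)]

# Constructed sample (the Redirect.Page key name is an assumption); the
# %servletContext% values mirror the thread, blanking them mirrors jondaqs' fix.
SAMPLE = """\
org.owasp.csrfguard.Config.Print = false
org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/forum.jsp
org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
org.owasp.csrfguard.unprotected.JavaScript=*.js
"""
FIXED = SAMPLE.replace("%servletContext%", "")
```

lint_properties(SAMPLE) reports four problems (an unresolved placeholder and a bad escape for each of the two URL settings), while lint_properties(FIXED) returns an empty list.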
Spencer


Joined: 2013/9/12
Posts: 18
Offline
In csrfguard.properties I changed:

org.owasp.csrfguard.Config.Print = false

And re-enabled the CSRFGuard filter-mapping in web.xml. I did still need to limit it to *.page to prevent interference with my application.

Initial tests seem OK.
 
Powered by JForum 2.5.0 © 2018 JForum Team • Maintained by Andowson Chang and Ulf Dittmer