CSRFGuard : required token is missing from the request
Please try leaving the NewTokenLandingPage property empty.
Modify/Comment
org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/Login.do
to
org.owasp.csrfguard.NewTokenLandingPage=
I would also suggest taking it step by step. Do not enable page tokens and token rotation on the first go. Rotation and page tokens can introduce many issues. First get it to work with a session token and then progressively enable features.
Sri
In short, presence in multiple forums, and a veteran software engineer for over a decade and a half, and hold a masters in Computer Science Engineering :-)
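As an added illustration (not from the answer above or the CSRFGuard project), this is the "step one" csrfguard.properties the answer describes: the session-token-only baseline, with the three settings from the question's file that it changes shown commented out. Every property name is one that already appears in the question's configuration.

```properties
# Settings from the question's csrfguard.properties that the answer asks to change,
# kept here as comments for comparison:
#   org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/Login.do
#   org.owasp.csrfguard.TokenPerPage=true
#   org.owasp.csrfguard.Rotate=true

# Step one: session token only. Landing page left empty, per-page tokens
# and rotation off until a plain login round-trip verifies cleanly.
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
org.owasp.csrfguard.Enabled=true
org.owasp.csrfguard.ValidateWhenNoSessionExists=false
org.owasp.csrfguard.NewTokenLandingPage=
org.owasp.csrfguard.TokenPerPage=false
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Rotate=false
org.owasp.csrfguard.Ajax=true

# Token naming and generation, unchanged from the question.
org.owasp.csrfguard.TokenName=csrfToken
org.owasp.csrfguard.SessionKey=csrfToken
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.PRNG.Provider=SUN

# Unprotected resources, unchanged from the question.
org.owasp.csrfguard.unprotected.Default=%servletContext%/
org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
org.owasp.csrfguard.unprotected.Error=%servletContext%/error_page.jsp
org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp
org.owasp.csrfguard.unprotected.Scripts=%servletContext%/scripts/*
org.owasp.csrfguard.unprotected.Styles=%servletContext%/styles/*
org.owasp.csrfguard.unprotected.Images=%servletContext%/images/*

# Keep Log and Redirect so a rejected request is still visible in the log
# and the user lands on the error page; the Rotate action is left out
# until org.owasp.csrfguard.Rotate is switched back on.
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error_page.jsp

# JavaScript injection, unchanged from the question.
org.owasp.csrfguard.JavascriptServlet.sourceFile=WEB-INF/conf/csrfguard.js
org.owasp.csrfguard.JavascriptServlet.domainStrict=true
org.owasp.csrfguard.JavascriptServlet.injectIntoForms=true
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes=true
```

Once a login submit passes with this file (tokenFromRequest no longer null in the log), turn TokenPerPage back on, re-test, and only then re-enable Rotate together with its action.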
Updated on June 04, 2022

Comments

Sri, almost 2 years ago:
I have set up a simple project, based on struts. Trying to implement CSRFGuard into it.
Here is the csrfguard.properties file:
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
org.owasp.csrfguard.Enabled = true
org.owasp.csrfguard.ValidateWhenNoSessionExists = false
org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/Login.do
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Rotate=true
org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.unprotected.Default=%servletContext%/
org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
org.owasp.csrfguard.unprotected.Error=%servletContext%/error_page.jsp
org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp
org.owasp.csrfguard.unprotected.Scripts=%servletContext%/scripts/*
org.owasp.csrfguard.unprotected.Styles=%servletContext%/styles/*
org.owasp.csrfguard.unprotected.Images=%servletContext%/images/*
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error_page.jsp
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
org.owasp.csrfguard.TokenName=csrfToken
org.owasp.csrfguard.SessionKey=csrfToken
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.PRNG.Provider=SUN
org.owasp.csrfguard.Config.Print = true
org.owasp.csrfguard.JavascriptServlet.sourceFile = WEB-INF/conf/csrfguard.js
org.owasp.csrfguard.JavascriptServlet.domainStrict = true
org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project
org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties, classpath:Owasp.CsrfGuard.overlay.properties
org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
Here is the snippet from my web.xml:
<context-param>
    <param-name>Owasp.CsrfGuard.Config</param-name>
    <param-value>WEB-INF/conf/csrfguard.properties</param-value>
</context-param>
<context-param>
    <param-name>Owasp.CsrfGuard.Config.Print</param-name>
    <param-value>true</param-value>
</context-param>
<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
When I start the application and open its URL, it loads the login page properly, and this is an unprotected page. Next, when I hit login, it goes in to process the request. When I debug the code, I can see tokenFromPages and tokenFromSession having values, but the variable tokenFromRequest is coming in as null. And since this is coming in as null, it throws the "required token is missing from the request" exception. File: CsrfGuard.java, method: verifyPageToken. The condition where the exception is thrown:
if (tokenFromRequest == null) {
    /** FAIL: token is missing from the request **/
    throw new CsrfGuardException("required token is missing from the request");
}
Could anyone help me, please? Please let me know if you need any more information too.
Adding logs to show issue:
URL: http://localhost:8080/App1/Login.do?csrfToken=GQQD-MEJT
I clicked login on page, and below are the logs generated. I have no clue why it shows null for tokenFromRequest.
Aug 29, 2014 8:33:03 PM org.owasp.csrfguard.log.JavaLogger log
INFO: CsrfGuard analyzing request /App1/Login.do
tokenFromPages --> N92E-COOR
tokenFromSession --> KLGU-DDRZ
tokenFromRequest --> null
Aug 29, 2014 8:33:03 PM org.owasp.csrfguard.log.JavaLogger log
WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/App1/Login.do, error:required token is missing from the request)
Aug 29, 2014 8:33:03 PM org.owasp.csrfguard.log.JavaLogger log
INFO: CsrfGuard analyzing request /App1/error_page.jsp
Aug 29, 2014 8:33:03 PM org.owasp.csrfguard.log.JavaLogger log
INFO: CsrfGuard analyzing request /App1/Login.do
tokenFromPages --> GQQD-MEJT
tokenFromSession --> CD7O-C556
tokenFromRequest --> GQQD-MEJT