
I'm very new to web security and I'm trying to implement CSRF Guard on my web application.

I have done all the required configuration on my web application and I can see that a token (FWJY-N767-M4HG-DHXT-WCE4-5J08-MV4G-LNV4) is getting generated/injected when I do an ajax call or when an HTML page loads. I have noticed that the token is the same on every request.

However, I'm not able to validate the token at the server side. According to my research it should go to the CsrfGuardFilter.java class and validate the token, but when I'm debugging I can see that it is not going to the CsrfGuardFilter.java class and is not validating the request based on the token. I'm getting a response for requests which don't contain a token, too.

Can someone guide me to implement CSRF Guard properly on my web application? Thanks for your help.

SK.

2 Answers

In my web application I'm using GWT to generate the front-end JavaScript. After doing a bit of research on various forums I have figured out that, because of the GWT-generated JavaScript code, the token was not getting injected into any ajax call. So to implement CSRF Guard over GWT code I need to inject the CSRF Guard script before the *.nocache.js script.

Helpful link

SK.


You have to declare CsrfGuardFilter, CsrfGuardServletContextListener and CsrfGuardHttpSessionListener in your web.xml in the correct location. In my application, I placed it after the session was created. Also, you have to define a mapping for JavaScriptServlet.

NOTE: I used OWASP CSRFGuard 3.1.0 in my application and I only had to define mappings for the above-mentioned components. For older versions, you might have to define more properties/components.

I took help from the following example for my implementation: https://github.com/aramrami/OWASP-CSRFGuard

I hope you got your issue resolved and that my answer will help someone in the future.

Sarneet Kaur