
I need to implement a solution to prevent CSRF attacks in an application based on the Struts 1 framework. On the web, people suggest these kinds of solutions:

  • Struts saveToken(request) and isTokenValid(request, true)
  • Libraries such as HDIV and OWASP CSRFGuard

Currently I don't know which one fits best for this problem. So can you give me your opinion on those solutions to direct my choice, if possible with an example, or suggest another solution?

Thanks for the help.

kkung

2 Answers


If you are only concerned about CSRF and not about other OWASP security issues, I would suggest you go for Struts' built-in support, i.e. the Synchronizer Token Pattern, instead of using any external libraries.

An excerpt on the Synchronizer Token pattern from the Struts Survival Guide:

To understand how the Synchronizer Token works, some background about built-in functionalities in the Action class is required. The Action class has a method called saveToken() whose logic is as follows:

// Logic of Action.saveToken(request), as described in the Struts Survival Guide
HttpSession session = request.getSession();
String token = generateToken(request);   // digest of the session id and current time
if (token != null) {
    // stored under the key "org.apache.struts.action.TOKEN"
    session.setAttribute(Globals.TRANSACTION_TOKEN_KEY, token);
}

The method generates a random token using the session id, the current time and a MessageDigest, and stores it in the session using the key name org.apache.struts.action.TOKEN (this is the value of the static variable TRANSACTION_TOKEN_KEY in the org.apache.struts.Globals class). The Action that renders the form invokes the saveToken() method to create a session attribute with the above name. In the JSP, you have to use the token as a hidden form field as follows:

<input type="hidden"
name="<%=org.apache.struts.taglib.html.Constants.TOKEN_KEY%>"
value="<bean:write name="<%=Globals.TRANSACTION_TOKEN_KEY%>"/>">

The embedded <bean:write> tag shown above looks for a bean named org.apache.struts.action.TOKEN (which is the value of Globals.TRANSACTION_TOKEN_KEY) in session scope and renders its value as the value attribute of the hidden input variable. The name of the hidden input variable is org.apache.struts.taglib.html.TOKEN (this is nothing but the value of the static variable TOKEN_KEY in the class org.apache.struts.taglib.html.Constants). When the client submits the form, the hidden field is also submitted. In the Action that handles the form submission (which most likely is different from the Action that rendered the form), the token in the form submission is compared with the token in the session by using the isTokenValid() method. The method compares the two tokens and returns true if both are the same. Be sure to pass reset="true" to the isTokenValid() method to clear the token from the session after comparison. If the two tokens are equal, the form was submitted for the first time. However, if the two tokens do not match or if there is no token in the session, then it is a duplicate submission; handle it in the manner acceptable to your users.

Priyanshu
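As an added example (not code from the answer above or from the Struts project), here are the two Struts 1 Actions the excerpt describes: one that renders the form and stores the token, and one that handles the POST and validates it once. Each class would live in its own source file in a real project; the forward names form, resubmit and success are assumed to be declared in struts-config.xml.

```java
// Added example: Synchronizer Token pattern with the Struts 1 Action API.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Renders the form: stores a fresh token in the session before forwarding to the JSP. */
public class ShowTransferFormAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        // Puts org.apache.struts.action.TOKEN into the session. The JSP must then emit
        // it as the hidden field shown in the answer; <html:form> does this automatically
        // when the token is present in the session.
        saveToken(request);
        return mapping.findForward("form");   // assumed forward name
    }
}

/** Handles the submission: the request token must match the session token, exactly once. */
public class DoTransferAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        // The token only protects state changes that are actually routed through this
        // check, so refuse to do the work on anything but a POST.
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            return mapping.findForward("resubmit");   // assumed forward name
        }
        // reset=true clears the token after a successful match. A forged cross-site POST
        // cannot read the session token, and a replay of a genuine request fails because
        // the token is gone. Note the session holds a single token, so a form opened in
        // two tabs yields one valid and one rejected submission.
        if (!isTokenValid(request, true)) {
            return mapping.findForward("resubmit");
        }
        // ... state-changing work goes here ...
        return mapping.findForward("success");   // assumed forward name
    }
}
```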

Using HDIV you can prevent CSRF attacks, and not only that: you can avoid 90% of the OWASP Top 10. So, if you want to develop more secure software, I recommend you use HDIV.

CSRFGuard is a good library to prevent CSRF, but only for that. As you know, learning multiple products takes time, and in this case a more complete solution is better if you can avoid more types of attacks.

About the Struts saveToken and isTokenValid methods, I think the same. It is limited functionality, and I'd go with a more complete product.

Gorka