
I am trying to implement HDIV with an application using Struts 1.3.8. I have added the dependencies in the pom file and the listener and filter in the web.xml file.

The token _HDIV_STATE_ is injected in every page and link. So, to test whether it is working as expected against CSRF attacks, I made a small HTML page outside the application that sends data to the application to modify some data, in order to simulate a CSRF attack.

The test is unfortunately a success, because the target data were modified. When I check the logs, it seems that HDIV detects that the request does not contain _HDIV_STATE_, but it does not cancel it and redirect to the error page or anything else.

Am I wrong in my configuration, or did I simply not understand what HDIV does when the token does not exist in the request?

Thanks for your help

pom.xml:

<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-config</artifactId>
    <version>2.1.12</version>
</dependency>
<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-struts-1</artifactId>
    <version>2.1.12</version>
</dependency>
<dependency>
    <groupId>org.hdiv</groupId>
    <artifactId>hdiv-jstl-taglibs-1.2</artifactId>
    <version>2.1.12</version>
</dependency>

web.xml:

<listener>
    <listener-class>org.hdiv.listener.InitListener</listener-class>
</listener>
<filter>
    <filter-name>ValidatorFilter</filter-name>
    <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ValidatorFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<jsp-config>
<taglib>
    <taglib-uri>/WEB-INF/tld/struts-html-el.tld</taglib-uri>
    <taglib-location>/WEB-INF/tld/hdiv-html-el.tld</taglib-location>
</taglib>

<taglib>
    <taglib-uri>/WEB-INF/tld/struts-logic-el.tld</taglib-uri>
    <taglib-location>/WEB-INF/tld/hdiv-logic-el.tld</taglib-location>
</taglib>

<taglib>
    <taglib-uri>/WEB-INF/tld/c.tld</taglib-uri>
    <taglib-location>/WEB-INF/tld/hdiv-c.tld</taglib-location>
</taglib>
</jsp-config>

hdiv-config.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" 
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
       xmlns:hdiv="http://www.hdiv.org/schema/hdiv" 
       xsi:schemaLocation="http://www.springframework.org/schema/beans 
                           http://www.springframework.org/schema/beans/spring-beans-3.2.xsd 
                           http://www.hdiv.org/schema/hdiv 
                           http://www.hdiv.org/schema/hdiv/hdiv.xsd">

    <hdiv:config excludedExtensions="css,png,gif,jpeg,jpg,js" errorPage="/error.jsp" 
                 maxPagesPerSession="2" debugMode="true">
        <hdiv:sessionExpired loginPage="/index.jsp" homePage="/"/>
        <hdiv:startPages>/index.jsp</hdiv:startPages>
    </hdiv:config>

</beans>
kkung

1 Answer


You have debugMode activated in your hdiv-config.xml:

From HDIV Reference Documentation:

HDIV offers a debug execution mode in order to apply HDIV in production environments without any functional or integration problems. In other words, HDIV processes and validates all the requests but doesn't change the original execution of the request, just logging the possible attack without stopping it.

Try disabling debugMode.

Fernando Lozano (HDIV Team)

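The answer's point is that with debugMode="true" HDIV only logs the missing _HDIV_STATE_ and lets the request through, so the forged POST must be repeated after setting debugMode="false" to confirm that HDIV now ends it on errorPage (/error.jsp in the question's config). The script below is an added example for that re-test; it is not code from the question, the answer or the HDIV project. The target URL, the form field names, the session cookie and the error-page marker string are assumptions to adapt to the real application.

```python
"""Re-run the forged-request test after disabling HDIV debugMode.

Added example, not code from the question, the answer or the HDIV project.
It posts a form body that deliberately omits _HDIV_STATE_ to a protected
Struts action and reports whether HDIV blocked it. With debugMode="true"
HDIV only logs the missing state; with debugMode="false" the forged request
should end on errorPage and the target data must stay unchanged.
"""
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical protected action behind ValidatorFilter (assumption).
TARGET = "http://localhost:8080/app/updateProfile.do"
# errorPage attribute from the question's hdiv-config.xml.
ERROR_PAGE = "/error.jsp"


def build_forged_body(fields):
    """URL-encode the attacker-controlled fields, refusing to carry HDIV state.

    A cross-site page cannot know the victim's _HDIV_STATE_ value, so a
    realistic forgery never includes it; the check makes that explicit.
    """
    if "_HDIV_STATE_" in fields:
        raise ValueError("a forged request must not contain _HDIV_STATE_")
    return urllib.parse.urlencode(fields).encode("ascii")


def forged_request_blocked(status, headers, body, error_page=ERROR_PAGE,
                           error_marker=None):
    """Classify the server's response to the forged POST.

    Blocked means HDIV sent the request to the error page: either a 3xx
    whose Location points at error_page, or (for a server-side forward) a
    body containing error_marker, a string the operator knows is unique to
    their error.jsp (assumption: the caller supplies it). A redirect to the
    sessionExpired loginPage (/index.jsp here) is NOT counted as blocked:
    it means the forgery had no valid session, not that the token check ran.
    """
    location = headers.get("Location", "") if headers else ""
    if status in (301, 302, 303, 307, 308) and error_page in location:
        return True
    if error_marker and error_marker in body:
        return True
    return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 302 itself is observed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def send_forged_post(url, fields, session_cookie=None, timeout=5):
    """Send the forgery the way a cross-site auto-submitted form would:
    no Referer or Origin, no _HDIV_STATE_, but with the victim's session
    cookie (e.g. "JSESSIONID=..."), which the browser attaches automatically
    in a real attack. Returns (status, headers, body). Needs a running target,
    so it is only called from __main__."""
    opener = urllib.request.build_opener(_NoRedirect)
    hdrs = {"Content-Type": "application/x-www-form-urlencoded"}
    if session_cookie:
        hdrs["Cookie"] = session_cookie
    req = urllib.request.Request(url, data=build_forged_body(fields), headers=hdrs)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx (redirect refused) and 4xx/5xx land here
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample input; the cookie value is a placeholder (assumption).
    status, headers, body = send_forged_post(
        TARGET, {"email": "attacker@example.com"}, session_cookie="JSESSIONID=victim-session-id")
    verdict = "blocked" if forged_request_blocked(status, headers, body) else "ACCEPTED (CSRF succeeded)"
    print(f"HTTP {status} -> {verdict}")
```

Run it once with debugMode="true" (expect ACCEPTED, matching the question's result and HDIV's "log only" behaviour) and again after setting debugMode="false" (expect a redirect to /error.jsp and unchanged data). If the second run redirects to /index.jsp instead, the request reached HDIV's sessionExpired handling rather than the state check, which means the forgery was sent without a valid session cookie.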