CSRFGuard 2.0 Installation

Revision as of 21:41, 20 October 2007

Overview

This page details all of the steps necessary to deploy CSRFGuard 2.x in your web application.

Quick Steps:

  1. Copy ${PROJECT}/dist/OWASP-CSRFGuard-2.0.jar and ${PROJECT}/lib/htmlparser.jar to a directory accessible by your container.
  2. Add a 'filter' entry to your web deployment descriptor.
  3. Add a mapping for the newly created filter entry.

Add OWASP CSRFGuard To ClassPath

In order for your web application container to invoke the OWASP CSRFGuard filter, the filter class and its dependency must be on the classpath. If you are working with a single application, we recommend placing OWASP-CSRFGuard-2.0.jar and htmlparser.jar in the WEB-INF/lib folder of your web application project. If you have multiple projects (for example, several web applications packaged in an EAR) that make use of the filter, we recommend placing both jars in a single library folder that is visible to the container. For example, if our application container were Tomcat 5.x and we had multiple applications making use of OWASP CSRFGuard, we would place both jar files in the tomcat/common/lib directory (later Tomcat releases use a single lib directory instead). OWASP CSRFGuard can then be referenced from the deployment descriptor of every application deployed by the container; note that placing the jars on the shared classpath does not by itself activate the filter, each application still needs the filter and filter-mapping entries described below.

Update Deployment Descriptor

Java EE filters provide the ability to intercept, view, and modify both the request and associated response for the requesting client. In order for our application to make use of the OWASP CSRFGuard filter, we must modify the application's web.xml file. First we must declare the filter and any initialization parameters that it may accept. Currently, the OWASP CSRFGuard 2.x series accepts 5 initialization parameters. These parameters are as follows:

error-page     -  The page an end user is directed to when a CSRF attack is detected
token-name     -  The parameter name of the unique request token. The default value is OWASP_CSRFTOKEN.
token-length   -  The length of the unique request token. The default value is 16.
prng-algorithm -  The name of the PRNG used to generate the random token. The default value is SHA1PRNG
debug          -  Whether or not to display debug information. The default value is false.

The following is a sample entry used to test CSRFGuard in WebGoat. Note that it turns debug on and raises the token length from the default 16 to 32; keep the longer token but set debug back to false before deploying to production:

<filter>
  <filter-name>CSRFGuard</filter-name>
  <filter-class>org.owasp.csrf.CSRFGuard</filter-class>
  <init-param>
    <param-name>error-page</param-name>
    <param-value>attack</param-value>
  </init-param>
  <init-param>
    <param-name>token-name</param-name>
    <param-value>OWASP_CSRFTOKEN</param-value>
  </init-param>
  <init-param>
    <param-name>token-length</param-name>
    <param-value>32</param-value>
  </init-param>
  <init-param>
    <param-name>prng-algorithm</param-name>
    <param-value>SHA1PRNG</param-value>
  </init-param>
  <init-param>
    <param-name>debug</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
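To make the five parameters concrete, the following Python is an added example that models what a synchronizer-token filter configured this way does at runtime. It is not CSRFGuard's own code. The model makes three assumptions that the page does not state: token-length is taken as the number of random bytes (hex-encoded, so the string is twice as long), the first request of a session with no token yet is let through while the token is minted, and the comparison is constant-time. Java's SHA1PRNG is a SecureRandom algorithm name; the model stands in the OS CSPRNG behind Python's secrets module for it.

```python
"""Model of a per-session CSRF token filter driven by CSRFGuard-style
init-params (error-page, token-name, token-length, prng-algorithm, debug).
Added illustration, not CSRFGuard's implementation."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class FilterConfig:
    """Mirrors the five init-params; defaults follow the documented ones."""
    error_page: str = "attack"
    token_name: str = "OWASP_CSRFTOKEN"
    token_length: int = 16            # assumption: bytes of randomness
    prng_algorithm: str = "SHA1PRNG"  # Java SecureRandom algorithm name
    debug: bool = False


@dataclass
class Session:
    """Stand-in for HttpSession attributes."""
    attrs: Dict[str, str] = field(default_factory=dict)


def new_token(cfg: FilterConfig) -> str:
    """Draw token_length random bytes from a CSPRNG and hex-encode them.

    In Java, prng-algorithm selects SecureRandom.getInstance(name). This
    model only recognises the two common names and uses the OS CSPRNG
    (secrets) for either; an unknown name is rejected rather than silently
    falling back to a weaker generator.
    """
    if cfg.prng_algorithm not in ("SHA1PRNG", "NativePRNG"):
        raise ValueError(f"unsupported prng-algorithm {cfg.prng_algorithm!r}")
    return secrets.token_hex(cfg.token_length)


def issue_token(cfg: FilterConfig, session: Session) -> str:
    """Mint the session token once and reuse it for every form and link."""
    tok = session.attrs.get(cfg.token_name)
    if tok is None:
        tok = new_token(cfg)
        session.attrs[cfg.token_name] = tok
    return tok


def hidden_field(cfg: FilterConfig, session: Session) -> str:
    """The hidden input a filter injects into forms so the browser echoes the token back."""
    return f'<input type="hidden" name="{cfg.token_name}" value="{issue_token(cfg, session)}">'


def do_filter(cfg: FilterConfig, session: Session, path: str,
              params: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, target): the requested path, or error-page on a failed check."""
    expected = session.attrs.get(cfg.token_name)
    if expected is None:
        # Fresh session, nothing to verify yet (model assumption): mint the
        # token now so subsequent pages can carry it, and let this one through.
        issue_token(cfg, session)
        return True, path
    presented = params.get(cfg.token_name, "")
    # Constant-time compare. A cross-site forged request is sent by the
    # victim's browser but the attacker's page cannot read `expected`, so it
    # arrives without the parameter (or with a guess) and is redirected.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        if cfg.debug:
            print(f"CSRF token mismatch on {path}: presented {presented!r}")
        return False, cfg.error_page
    return True, path


if __name__ == "__main__":
    cfg = FilterConfig(token_length=32, debug=True)
    s = Session()
    print(do_filter(cfg, s, "/WebGoat/attack", {}))                     # first visit, token minted
    tok = s.attrs[cfg.token_name]
    print(do_filter(cfg, s, "/WebGoat/attack", {cfg.token_name: tok}))  # legitimate form post
    print(do_filter(cfg, s, "/WebGoat/attack", {}))                     # forged cross-site post
```

Running it shows the legitimate request pass and the forged one land on the error page; with debug=true the mismatch is also logged, which is the detail you do not want printed in production.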

After declaring the filter in the descriptor, we must specify which resources the filter should handle. We can instruct the filter to handle requests for entire servlets or for specific URL patterns. Any request that matches no mapping bypasses the filter entirely, so the mappings must cover every resource that changes state. The following example instructs OWASP CSRFGuard to handle all requests to the 'WebGoat' servlet as well as any request whose path ends in .jsp:

<filter-mapping>
  <filter-name>CSRFGuard</filter-name>
  <servlet-name>WebGoat</servlet-name>
</filter-mapping>
<filter-mapping>
  <filter-name>CSRFGuard</filter-name>
  <url-pattern>*.jsp</url-pattern>
</filter-mapping>
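A mistake at any of the three steps (jars on the classpath, filter declared, filter mapped) fails quietly: the container simply never runs the filter. The following Python is an added deployment check, not a CSRFGuard tool, that parses a web.xml and reports the descriptor-level problems: no filter with the CSRFGuard class, a filter that is declared but never mapped, a mapping that names an undeclared filter or servlet, and init-params that are unsafe for production. The sample descriptor is constructed from the entries on this page; the servlet-class for WebGoat is a placeholder. It handles both DTD-based (servlet 2.3) and namespaced (servlet 2.4+) descriptors.

```python
"""Check a web.xml for a CSRFGuard 2.x deployment. Added example, not
CSRFGuard's own tooling. SAMPLE_WEB_XML is constructed from the page's
filter and filter-mapping entries plus a placeholder servlet."""
import xml.etree.ElementTree as ET
from typing import List

CSRFGUARD_CLASS = "org.owasp.csrf.CSRFGuard"

SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>WebGoat</servlet-name>
    <servlet-class>com.example.WebGoatServlet</servlet-class>
  </servlet>
  <filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrf.CSRFGuard</filter-class>
    <init-param><param-name>error-page</param-name><param-value>attack</param-value></init-param>
    <init-param><param-name>token-name</param-name><param-value>OWASP_CSRFTOKEN</param-value></init-param>
    <init-param><param-name>token-length</param-name><param-value>32</param-value></init-param>
    <init-param><param-name>prng-algorithm</param-name><param-value>SHA1PRNG</param-value></init-param>
    <init-param><param-name>debug</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <servlet-name>WebGoat</servlet-name>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
</web-app>
"""


def _strip_ns(root: ET.Element) -> ET.Element:
    """Drop the xmlns prefix ElementTree folds into tag names ({ns}filter -> filter)."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def check_web_xml(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the descriptor looks right."""
    root = _strip_ns(ET.fromstring(xml_text))
    findings: List[str] = []
    filters = {f.findtext("filter-name"): f for f in root.findall("filter")}
    servlets = {s.findtext("servlet-name") for s in root.findall("servlet")}
    guards = [n for n, f in filters.items() if f.findtext("filter-class") == CSRFGUARD_CLASS]
    if not guards:
        findings.append(f"no <filter> with filter-class {CSRFGUARD_CLASS}")
    for name in guards:
        params = {p.findtext("param-name"): (p.findtext("param-value") or "").strip()
                  for p in filters[name].findall("init-param")}
        if "error-page" not in params:
            findings.append(f"filter {name}: error-page not set")
        if params.get("debug", "false").lower() == "true":
            findings.append(f"filter {name}: debug=true leaks internals; set false in production")
        length = params.get("token-length", "16")
        if not length.isdigit() or int(length) < 16:
            findings.append(f"filter {name}: token-length {length!r} is below the default of 16")
        if not any(m.findtext("filter-name") == name for m in root.findall("filter-mapping")):
            findings.append(f"filter {name}: declared but never mapped, so it never runs")
    for m in root.findall("filter-mapping"):
        fname = m.findtext("filter-name")
        sname = m.findtext("servlet-name")
        if fname not in filters:
            findings.append(f"filter-mapping references undeclared filter {fname!r}")
        if sname is not None and sname not in servlets:
            findings.append(f"filter-mapping for {fname!r} targets undeclared servlet {sname!r}")
        if sname is None and m.findtext("url-pattern") is None:
            findings.append(f"filter-mapping for {fname!r} has neither url-pattern nor servlet-name")
    return findings


if __name__ == "__main__":
    for finding in check_web_xml(SAMPLE_WEB_XML):
        print("-", finding)
```

Run against the page's sample, the only finding is the debug flag. The check does not prove the jars are on the classpath; a filter-class the container cannot load fails at deployment time, and the container log is the place to confirm that.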