Difference between revisions of "CSRFGuard 3 User Manual"

From OWASP
Previous revision (text superseded by the latest revision below):

= Overview =

Welcome to the OWASP CSRFGuard 3 User Manual! The purpose of this article is to provide the user with guidance on obtaining, installing, deploying, and developing with the OWASP CSRFGuard library.

= Download =

Users can download the latest release of OWASP CSRFGuard using one of the following links:

:[http://www.example.com Click here] to download the latest stable binary and associated configuration files
:[http://www.example.com Click here] to download the latest stable archive of the project source code

= Installation =

Installation of OWASP CSRFGuard 3 is straightforward and requires two steps. First, copy the Owasp.CsrfGuard.jar file to your classpath; second, map the CsrfGuardFilter in your application's deployment descriptor (web.xml). You must tell CsrfGuardFilter the location of your CSRFGuard properties file via a JavaEE Filter init-param directive. The following sub-sections describe each installation step in more detail.

== Copy Owasp.CsrfGuard.jar to Classpath ==

The first thing you need to do is copy the Owasp.CsrfGuard.jar library into your classpath. The most common classpath location for Owasp.CsrfGuard.jar is the ''lib'' directory of the web application's ''WEB-INF'' folder. OWASP CSRFGuard 3 has no additional dependencies outside of the traditional JavaEE runtime environment.

== Declare and Map the CsrfGuardFilter in web.xml ==

After placing Owasp.CsrfGuard.jar in your application's classpath, you'll need to declare and map the CsrfGuardFilter in web.xml. All CSRF token verification logic is encompassed within the stand-alone filter. The following web.xml snippet was extracted from the [http://www.tbd.com Owasp.CsrfGuard.Test] web application:

<pre>
<filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    <init-param>
        <param-name>config</param-name>
        <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
    </init-param>
    <init-param>
        <param-name>print-config</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
</pre>

#Tell CSRFGuard the location of the properties file

= Deployment =

== Landing Page ==

== Ajax Support ==

== Referrer Checking ==

== Unprotected Pages ==

== Response to Attack: Actions ==

== Miscellaneous Configurations ==

= Token Injection =

== JSP Tag Library ==

== Dynamic JavaScript ==

[[Category:OWASP_CSRFGuard_Project]]

Latest revision as of 11:37, 23 January 2014

Overview

Welcome to the OWASP CSRFGuard 3 User Manual! The purpose of this article is to provide the user with guidance on obtaining, installing, deploying, and developing with the OWASP CSRFGuard library. The author's goal was to keep the User Manual informative, easy to understand, and concise. If you find that one or more aspects of this document do not adhere to these goals, please let me know at eric dot sheridan at owasp dot org.

Download

Users can download the latest release of OWASP CSRFGuard from the following link:

Download and build the source from https://github.com/aramrami/OWASP-CSRFGuard

Installation

Installation of OWASP CSRFGuard 3 is straightforward and requires three steps:

  1. Copy the Owasp.CsrfGuard.jar file to your application's classpath
  2. Declare CsrfGuard in your application's deployment descriptor (web.xml)
  3. Configure the Owasp.CsrfGuard.properties file as you see fit

See the CSRFGuard 3 Installation page for more detailed information regarding the installation of OWASP CSRFGuard.

Configuration

The minimum configuration settings that users should review include:

  • Default new token landing page (org.owasp.csrfguard.NewTokenLandingPage)
  • Support for Ajax and XMLHttpRequest (org.owasp.csrfguard.Ajax)
  • URI resources that should not be protected (org.owasp.csrfguard.unprotected.*)
  • Actions executed when an attack is detected (org.owasp.csrfguard.action.*)

See the CSRFGuard 3 Configuration page for more information regarding the configuration of OWASP CSRFGuard.

Token Injection

Users of OWASP CSRFGuard can inject prevention tokens into HTML using two strategies:

  • JavaScript DOM Manipulation - a largely automated process that requires minimal effort and is ideal for most web applications
  • JSP Tag Library - provides a fine-grained strategy for situations where automated DOM manipulation is insufficient.

See the CSRFGuard 3 Token Injection page for more information regarding the injection of CSRF prevention tokens within your application.

Known Issues

The following is a quick bulleted list of known issues within the current release:

  • No known way to inject CSRF prevention tokens into setters of document.location (e.g. document.location="http://www.owasp.org";)