OWASP - CSRFGuard 3.0
Overview
CSRFGuard protects a Java web application against cross-site request forgery (CSRF) with the synchronizer token pattern: it issues a secret token to the user's session and rejects requests that use a protected HTTP method without presenting that token.
Implementation
1) Add the CSRF library dependency in pom.xml
2) Add the CSRF filter and listeners in web.xml
3) Add the CSRF properties file to the resources folder (classpath)
4) Add the taglib and CSRF token to forms in JSP files
5) Add the script for AJAX calls in JSP files
Step 1
Add the CSRF library dependency in pom.xml so that the CSRFGuard jar (Owasp.CsrfGuard.jar) is on the application's classpath:
<dependency>
<groupId>org.owasp</groupId>
<artifactId>csrfguard</artifactId>
<version>3.0.0</version>
</dependency>
Step 2
Add the CSRF filter and listeners in web.xml. To enable CSRF AJAX support, copy Owasp.CsrfGuard.js from the jar into the WEB-INF folder so that JavaScriptServlet can serve it. Two JavaScriptServlet values below are development settings: referer-pattern is the regex the Referer header must match before the script (and the token embedded in it) is served, and .*localhost.* is unanchored, so it also matches a Referer such as https://attacker.example/?localhost; domain-strict=false relaxes the domain check on that header. Before deployment, anchor the pattern on your own origin and review domain-strict. Owasp.CsrfGuard.Config.Print=true writes the loaded configuration to the server log at startup, which is useful while setting up and should be switched off in production.
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<context-param>
<param-name>Owasp.CsrfGuard.Config</param-name>
<param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
</context-param>
<context-param>
<param-name>Owasp.CsrfGuard.Config.Print</param-name>
<param-value>true</param-value>
</context-param>
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- For CSRF Ajax support-->
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
<init-param>
<param-name>source-file</param-name>
<param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
</init-param>
<init-param>
<param-name>inject-into-forms</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>inject-into-attributes</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>domain-strict</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>referer-pattern</param-name>
<param-value>.*localhost.*</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
Step 3
Add the CSRF properties file and configure its parameters. The Owasp.CsrfGuard.Config context parameter in web.xml (WEB-INF/Owasp.CsrfGuard.properties in Step 2) must resolve to the file you deploy; if you keep the file in the resources folder instead, adjust that parameter accordingly. Reference: https://www.owasp.org/index.php/CSRFGuard_3_Configuration
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
# Only these HTTP methods are checked for a token, so GET handlers must stay free of side effects
org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.Rotate=false
org.owasp.csrfguard.Ajax=true
# Actions run when validation fails; an action's parameters are named action.<Name>.<Param>
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery attack thwarted (user %user%, ip %remote_ip%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
# Redirect needs a target page; /contextpath stands for the application's context path
org.owasp.csrfguard.action.Redirect.Page=/contextpath/error.jsp
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
# Protect=false protects every page except those listed under unprotected.*;
# Protect=true would protect only pages listed under protected.*, and none are listed here
org.owasp.csrfguard.Protect=false
# The error page that Redirect sends users to is excluded from protection
org.owasp.csrfguard.unprotected.index=/contextpath/error.jsp
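As an added check (example code written for this page, not part of CSRFGuard), the following Python script lints an Owasp.CsrfGuard.properties file for the mistakes that silently weaken or disable the protection: misspelled keys (which the library ignores rather than rejects), action parameters missing the action.<Name>. prefix, a Redirect action with no target page, and Protect=true with no protected.* entries. It also tests a JavaScriptServlet referer-pattern against Referer values a foreign page could send. The two property samples are constructed for the demonstration, the set of recognised key names is assumed from the CSRFGuard 3 configuration reference and should be adjusted to the release you deploy, and the use of full-string regex matching is an assumption about how the servlet applies the pattern.

```python
"""Lint an OWASP CSRFGuard 3 properties file and a JavaScriptServlet referer-pattern.
Added example, not part of CSRFGuard: key names and check semantics are assumptions
drawn from the CSRFGuard 3 configuration reference."""
import re

PREFIX = "org.owasp.csrfguard."
# Assumed list of top-level keys for CSRFGuard 3; adjust for your release.
KNOWN_KEYS = {
    "Logger", "NewTokenLandingPage", "UseNewTokenLandingPage", "Rotate",
    "TokenPerPage", "TokenPerPagePrecreate", "PRNG", "PRNG.Provider",
    "TokenName", "SessionKey", "TokenLength", "Ajax", "Protect",
    "ProtectedMethods",
}
KNOWN_PREFIXES = ("action.", "protected.", "unprotected.")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def lint_properties(props):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    short = {k[len(PREFIX):]: v for k, v in props.items() if k.startswith(PREFIX)}
    for key in short:
        if key not in KNOWN_KEYS and not key.startswith(KNOWN_PREFIXES):
            # A misspelled key is simply ignored by the library, not rejected.
            findings.append(f"unknown key {PREFIX}{key}: it will be ignored")
    # Protect=true means "protect only protected.* pages"; with none listed, nothing is protected.
    if short.get("Protect", "false").lower() == "true" and not any(
            k.startswith("protected.") for k in short):
        findings.append("Protect=true with no protected.* entries: no page is protected")
    # Actions are keys of the form action.<Name>; their parameters are action.<Name>.<Param>.
    actions = {k.split(".")[1] for k in short if k.startswith("action.") and k.count(".") == 1}
    if not actions:
        findings.append("no action.* configured: failed validations trigger nothing")
    if "Redirect" in actions and "action.Redirect.Page" not in short:
        findings.append("action.Redirect configured without action.Redirect.Page")
    return findings


def lint_text(text):
    return lint_properties(parse_properties(text))


# Constructed sample containing the mistakes the lint is meant to catch.
BROKEN = """\
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.ProtoctedMethod=POST,PUT,DELETE
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.Log.Message=potential CSRF attack thwarted
org.owasp.csrfguard.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.Protect=true
org.owasp.csrfguard.unprotected.index=/app/error.jsp
"""

# Constructed corrected sample with the same intent; every check passes.
FIXED = """\
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential CSRF attack thwarted
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/app/error.jsp
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.Protect=false
org.owasp.csrfguard.unprotected.index=/app/error.jsp
"""

# Referer values a foreign page could send; a referer-pattern that accepts any of
# them lets that page load JavaScriptServlet and read the token embedded in the script.
HOSTILE_REFERERS = (
    "https://attacker.example/?localhost",
    "https://localhost.attacker.example/",
)


def referer_pattern_is_loose(pattern, hostile=HOSTILE_REFERERS):
    """True if the regex accepts a foreign Referer. fullmatch mirrors Java's
    Matcher.matches(); a pattern loose under fullmatch is loose under find() as well."""
    return any(re.fullmatch(pattern, referer) for referer in hostile)


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_text(text) or "OK")
    for pattern in (".*localhost.*", r"https://localhost(:\d+)?/.*"):
        print(pattern, "loose" if referer_pattern_is_loose(pattern) else "anchored")
```

Run it against your own properties file by passing its contents to lint_text; the BROKEN sample yields four findings (three ignored keys and the Protect=true whitelist with nothing in it), the FIXED sample none, and the anchored pattern https://localhost(:\d+)?/.* rejects both hostile Referers that .*localhost.* accepts.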
Step 4
Add the taglib and CSRF token to forms in JSP files. The hidden field sends the token with the form submission; the form must use a method that CSRFGuard verifies (POST here, which is in the ProtectedMethods list), since a GET submission would not be checked and would also expose the token in the URL, server logs and Referer headers. Reference: https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
<%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>
<form name="test1" method="post" action="protect.html">
<input type="text" name="text" value="text"/>
<input type="submit" name="submit" value="submit"/>
<%-- the tag library renders the configured token name (OWASP_CSRFTOKEN) and the current token value --%>
<input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/>
</form>
Step 5
For AJAX calls, include the script served by JavaScriptServlet in the JSP file. In this case there is no need to add the taglib and the hidden token field by hand: the script hooks XMLHttpRequest so that same-origin AJAX requests carry the token, and with inject-into-forms=true it also adds the hidden field to the page's forms. Only requests the script instruments are covered, so verify that any other request mechanism used on the page sends the token as well.
<script src="/contextpath/JavaScriptServlet"></script>
Reference
https://cwe.mitre.org/data/definitions/352.html
https://www.owasp.org/index.php/CSRFGuard_3_User_Manual