tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Help regarding CSRF Filter in Tomcat 7
Date Fri, 16 Nov 2012 16:12:17 GMT
Mark Thomas wrote:
> On 16/11/2012 10:01, André Warnier wrote:
>> Vijaya Kumar wrote:
>>> Hi, I work on a web application that is vulnerable to CSRF(Cross Site
>>> Request Forgery) attack. Tomcat 7 has a CSRF prevention filter. I went
>>> through the description to configure this filter. This filter expects
>>> that we call HttpServletResponse#encodeRedirectURL(String) or
>>> HttpServletResponse#encodeURL(String). I see that in my application we
>>> don't use the above mentioned methods. Can you please let me know
>>> whether there is any other way of using this filter without making
>>> calls to encodeURL() or encodeRedirectURL()?
>>> To be precise, I am looking for a way to incorporate CSRF Filter in an
>>> already existing application that doesn't use
>>> HttpServletResponse#encodeRedirectURL(String) or
>>> HttpServletResponse#encodeURL(String).
>>> Any help in this regard is appreciated.
>> Hi.
>> I am a bit of a novice in this area, but as far as I understand what a
>> CSRF attack is
>> (http://en.wikipedia.org/wiki/Cross-site_request_forgery), and what this
>> filter does, it seems to me at least that if you are not using
>> HttpServletResponse#encodeRedirectURL(String) or
>> HttpServletResponse#encodeURL(String) in your application, then this
>> filter would be unnecessary, and would not help anyway.
> 
> Wrong.
> 
> In order for the CSRF prevention filter to work, an application must run
> all URLs through encodeRedirectURL() or encodeURL(). If applications
> don't do this, the filter can't add the nonce to the URL that is used to
> provide the CSRF protection.
> 

Well, that's essentially what I was saying. Or am I missing something here?

> Note: That filter is very generic and works for simple applications
> (e.g. Tomcat's HTML Manager app) but is likely to be quite tricky to set
> up for complex applications.
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
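An added example (not code from this thread) of what Mark's reply requires in practice: a hypothetical servlet that routes every link, form action and redirect through encodeURL()/encodeRedirectURL(), so the response wrapper installed by Tomcat 7's org.apache.catalina.filters.CsrfPreventionFilter can append its nonce parameter; the web.xml fragment in the leading comment and the servlet/path names are assumptions.

```java
/* web.xml (Tomcat 7), assumed configuration for this example:
   <filter>
     <filter-name>CsrfFilter</filter-name>
     <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
     <init-param>                         <!-- context-relative URLs that may be -->
       <param-name>entryPoints</param-name>   <!-- requested without a nonce -->
       <param-value>/account</param-value>
     </init-param>
   </filter>
   <filter-mapping>
     <filter-name>CsrfFilter</filter-name>
     <url-pattern>/account/*</url-pattern>
   </filter-mapping>                                                          */
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AccountServlet extends HttpServlet {   // hypothetical servlet

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        String ctx = req.getContextPath();

        // Wrong: a raw link carries no nonce, so the filter answers the
        // follow-up request to /account/delete with 403 Forbidden.
        // out.println("<a href=\"" + ctx + "/account/delete\">Delete</a>");

        // Right: the filter's wrapped response overrides encodeURL() and adds
        // ?org.apache.catalina.filters.CSRF_NONCE=<value> to the URL.
        String deleteUrl = resp.encodeURL(ctx + "/account/delete");
        out.println("<a href=\"" + deleteUrl + "\">Delete account</a>");

        // Forms too: the action URL must carry the nonce as well.
        String action = resp.encodeURL(ctx + "/account/update");
        out.println("<form method=\"post\" action=\"" + action + "\">"
                + "<input type=\"submit\" value=\"Save\"></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // ... apply the update, then redirect; the redirect target must be
        // encoded too, or the next request arrives without a nonce.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/account"));
    }
}
```

Any URL emitted without going through these two methods (static HTML, JavaScript-built links, hand-written String concatenation) stays unprotected and will be rejected once the filter is mapped to that path, which is the "tricky to set up for complex applications" part of Mark's note.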