tomcat-users mailing list archives

From André Warnier
Subject Re: Help regarding CSRF Filter in Tomcat 7
Date Fri, 16 Nov 2012 18:50:52 GMT
Mark Thomas wrote:
> On 16/11/2012 16:12, André Warnier wrote:
>> Mark Thomas wrote:
>>> On 16/11/2012 10:01, André Warnier wrote:
>>>> Vijaya Kumar wrote:
>>>>> Hi, I work on a web application that is vulnerable to CSRF(Cross Site
>>>>> Request Forgery) attack. Tomcat 7 has a CSRF prevention filter. I went
>>>>> through the description to configure this filter. This filter expects
>>>>> that we call HttpServletResponse#encodeRedirectURL(String) or
>>>>> HttpServletResponse#encodeURL(String). I see that in my application we
>>>>> don't use the above mentioned methods. Can you please let me know
>>>>> whether there is any other way of using this filter without making
>>>>> calls to encodeURL() or encodeRedirectURL()?
>>>>> To be precise, I am looking for a way to incorporate CSRF Filter in an
>>>>> already existing application that doesn't use
>>>>> HttpServletResponse#encodeRedirectURL(String) or
>>>>> HttpServletResponse#encodeURL(String).
>>>>> Any help in this regard is appreciated.
>>>> Hi.
>>>> I am a bit of a novice in this area, but as far as I understand what a
>>>> CSRF attack is
>>>> (, and what this
>>>> filter does, it seems to me at least that if you are not using
>>>> HttpServletResponse#encodeRedirectURL(String) or
>>>> HttpServletResponse#encodeURL(String) in your application, then this
>>>> filter would be unnecessary, and would not help anyway.
>>> Wrong.
>>> In order for the CSRF prevention filter to work, an application must run
>>> all URLs through encodeRedirectURL() or encodeURL(). If applications
>>> don't do this, the filter can't add the nonce to the URL that is used to
>>> provide the CSRF protection.
>> Well, that's essentially what I was saying. Or am I missing something
>> here ?
> Your statement that "if you are not using encodeRedirectURL() or
> encodeURL() in your application, then this filter would be unnecessary"
> is wrong. It implies that if you are not using those methods then you
> will not be at risk of a CSRF attack.

We're getting into semantics here. :-)
I posit that I never implied what you say here.
Let's ask the question another way : if the OP is not using encodeRedirectURL() or
encodeURL() in his application, does the CSRF prevention filter help in any way to prevent
CSRF attacks on his application ?
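To illustrate the point Mark makes about why the filter depends on encodeURL(), here is an added example (not code from this thread or from Tomcat itself): a hypothetical servlet emitting two links to the same action, one passed through encodeURL() and one written as a literal. It assumes org.apache.catalina.filters.CsrfPreventionFilter is mapped to /* in web.xml and that this servlet's own path is listed in the filter's entryPoints init-param.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not part of the thread). Assumed to sit behind
// org.apache.catalina.filters.CsrfPreventionFilter (url-pattern /*), with
// this servlet's path listed in the filter's "entryPoints" init-param so the
// first request is let in without a nonce.
public class AccountMenuServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        String contextPath = req.getContextPath();

        // Protected: encodeURL() is the hook the filter uses. With the filter
        // active it appends ?org.apache.catalina.filters.CSRF_NONCE=<value>,
        // a nonce tied to this session. A request for /transfer that carries
        // no valid nonce is rejected (403) by the filter before the target
        // servlet runs, which is what defeats a forged cross-site request.
        String protectedLink = resp.encodeURL(contextPath + "/transfer");

        // Unprotected: this string never passes through encodeURL(), so the
        // filter has no chance to add the nonce. The filter still demands one
        // on /transfer, so this link simply stops working once the filter is
        // enabled; it does not become safe, it becomes broken.
        String unprotectedLink = contextPath + "/transfer";

        out.println("<html><body>");
        out.println("<a href=\"" + protectedLink
                + "\">Transfer (nonce added by filter)</a><br/>");
        out.println("<a href=\"" + unprotectedLink
                + "\">Transfer (no nonce, 403 under the filter)</a>");
        out.println("</body></html>");
    }
}
```

The practical check when retrofitting the filter onto an existing application is therefore to grep the code and JSPs for every emitted link, form action and redirect and confirm each goes through encodeURL() or encodeRedirectURL(); anything that does not will fail with 403 rather than be protected.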
