Cross Site Request Forgery

Hi,
please help me in preventing cross site request forgery. It's very urgent.
I am using servlets.
Thanks
parminder

Anything seems to be very urgent today.
Anyway, can you elaborate in your own words what it is? Once you understand what it is, preventing it will be easy. As it is urgent, I don't have time to explain it. You'll have to do the research yourself.

Similar Messages

  • JSF 1.2 and CSRF (Cross Site Request Forgery) protection

    Hi All
    My webapp uses (among other technologies like JSP, Ajax, Dojo etc.) JSF v1.2 on WebSphere 7.0.
    I've been fixing security issues in the code recently - in particular Cross Site Request Forgery (CSRF) vulnerabilities. The suggested approach to combat CSRF is to embed a hidden unique token in your form (and also store this same token in the session). In the controller logic (i.e. that handles the form's POST) we then check that the session and request token match. I've used this in my JSPs to combat CSRF successfully. Basically I have a filter which executes before the form loads. This filter creates the unique token and stores it in request and session and so on ..
    Now for JSF 1.2 ...
    I'm wondering how I do this in JSF v1.2? Would anyone have any code samples or resources they could point me towards? Is there a filter mechanism we can employ or some callback on the post?
    One idea I had is that to populate the form with the hidden token I would do (in the form):
    <h:inputHidden id="jsfSecurityToken" value="#{myBean.securityToken}"/>
    In "myBean.java" I have a getSecurityToken method which
    a) creates the token
    b) stores it into the request
    c) stores it into the session
    BUT I don't know how/where on the post I can CHECK if these values match
    Page 40/41 of http://turbomanage.files.wordpress.com/2009/10/securing-jsf-applications-against-owasp-top-ten-color.pdf mentions "isPostBack" but I'm not sure how to use this.
    Any help would be great
    Thanks - Ronan

    A phase listener comes to mind. Check out this useful article:
    http://balusc.blogspot.com/2006/09/debug-jsf-lifecycle.html

  • What are default Zend Session handling best practices to prevent Cross Site Request Forgery?

    I have enjoyed the David Powers book Adobe Dreamweaver CS5 with PHP: Training from the Source - and have put many of the examples into practice. I have a security related concern that may be tied to the Zend::Auth example in the book. While this is installed and working on my site:
    <?php
    $failed = FALSE;
    if ($_POST) {
      if (empty($_POST['username']) || empty($_POST['password'])) {
        $failed = TRUE;
      } else {
        require_once('library.php');
        // check the user's credentials
        try {
          $auth = Zend_Auth::getInstance();
          $adapter = new Zend_Auth_Adapter_DbTable($dbRead, 'user', 'login', 'user_pass', 'sha1(?)');
          $adapter->setIdentity($_POST['username']);
          $adapter->setCredential($_POST['password']);
          $result = $auth->authenticate($adapter);
          if ($result->isValid()) {
            // store the selected columns of the user row in the session
            $storage = $auth->getStorage();
            $storage->write($adapter->getResultRowObject(array(
              'ID', 'login',  'user_first', 'user_last', 'user_role')));
            header('Location: /member/index.php');
            exit;
          } else {
            $failed = TRUE;
          }
        } catch (Exception $e) {
          echo $e->getMessage();
        }
      }
    }
    // logout: drop the stored identity
    if (isset($_GET['logout'])) {
      require_once('library.php');
      try {
        $auth = Zend_Auth::getInstance();
        $auth->clearIdentity();
      } catch (Exception $e) {
        echo $e->getMessage();
      }
    }
    Apparently, there is very limited protection against Cross Site Request Forgery, where the resulting SessionID could be easily hijacked? I am using the Zend Community edition (I have 1.11.11). I have an observation from a client that this authentication is not up to snuff.
    To boil it down:
    1. Is there a Zend configuration file that might have some settings to upgrade the Session and/or authentication security basics? I'm wondering specifically about the settings in /library/Zend/session.php? I.e. secure the session against a changing user IP, and invoking some other session handling stuff (time-out etc.).
    2. If I understand it correctly, "salting" won't help with this, unless it's added/checked via a hidden POST at login time?
    Ideally, the man himself, David Powers would jump in here - but I'll take any help I can get!
    Thanks!

    Might ask them over here.
    http://forums.asp.net/1146.aspx/1?MVC
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • A Cross-site request forgery (CSRF) has been detected. Task=com.bea.consol

    On the BEA admin console and trying to install an ear from a remote location that is fairly large, we're seeing the following error:
    <A Cross-site request forgery (CSRF) has been detected. Task=com.bea.console.actions.app.install.Flow.uploadApp address=*.**.***.*** user=weblogic>
    The address contains an actual IP address.
    If we copy the same ear over to the server box and install, it works fine. If we remove some jars from the ear to decrease its size, it works fine.
    We are running a Weblogic 10.3.5 server. The ear that fails is 276MB. We can successfully install a 246MB ear. So the problem must arise somewhere between 250MB and 275MB.
    Has anyone seen this? Is this a known limitation for installing remote ears?
    Any information is appreciated.

  • ERROR [AntiCsrfServletFilter] Potential CSRF(Cross-site Requ

    Hi,
    In User application, when I integrate my custom code to upload a file (.xls) using struts, we get the following error:
    ERROR [AntiCsrfServletFilter] Potential CSRF(Cross-site Request Forgery) detected against /IDMProv/complianceRemediationAction.do/requestType=uploadAppData. Session has been logged out.
    How can we bypass the AntiCsrfServletFilter filter to upload the file using my custom code?
    Please share if anybody has some idea. It's urgent!!!
    Thanks
    Vartika Sanat
    Technical Consultant

    vartika wrote:
    >
    > Hi,
    >
    > In User application, when I integrate my custom code to upload a file
    > (.xls) using struts, we get following error:
    >
    > ERROR [AntiCsrfServletFilter] Potential CSRF(Cross-site Request
    > Forgery) detected against
    > /IDMProv/complianceRemediationAction.do/requestType=uploadAppData.
    > Session has been logged out.
    >
    > How can we bypass AntiCsrfServletFilter filter to upload the file
    > using my custom code.
    >
    > Please share if anybody has some idea. It's urgent!!!
    If it's urgent I suggest you open an SR, and also this has nothing to do with Access Manager. Try posting it in the userapp forum.
    Cheers,
    Edward

  • I am working on Security scan(to avoid cross site forgery) with the CSRF approach of tomcat(apache-tomcat-6.0.32) but I am getting following issue with firefox:

    I am working on Security scan(to avoid cross site forgery) with the CSRF approach of tomcat(apache-tomcat-6.0.32) but I am getting following issue with firefox:
    1. Firefox is not supporting the CSRF protection provided by Tomcat in a proper way; Firefox is creating multiple sessions.
    2. Whenever any exception (like a JSP exception) comes on a page, Firefox redirects it to CSRFPreventionFilter and this filter creates a new session.
    3. Sometimes while traversing through the application, CSRFPreventionFilter also creates a new session.

    I seem to have fixed it by putting <div  class="clearfloat"></div> after the navigation bar?

  • Due to the presence of characters known to be used in Cross Site Scripting

    I am getting the following error when I try to send a single quote as part of the URL. I tried javascript escape to encode the URL, but I am still getting the same error. Does anybody know a workaround for the issue? Thanks
    Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
    403: Access Forbidden
    Your client is not allowed to access the requested object

    FYI. We are using IIS Webserver and Weblogic Appserver.
    When the page is accessed through Weblogic , cross site script does not occur. It happens when the page is rendered via IIS.

  • Publish Page Content-Cross Site Publishing in SharePoint Online

    Is it possible to get Authoring Site's Specific Page's Content/html content (Live in Page Library of Authoring Site and saved as a Catalog) by a Content Search web part added to the Publishing site's page? 
    (Please note that these sites created in SharePoint 2013 Online, Authoring Site activated Cross site Publishing feature and created using team site template, Publishing site created using Publishing Portal template)

    Hi Gihan,
    Glad to hear your issue solved and thanks for your sharing! It is helpful for others who will meet the same issue.
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • DOM Based Cross-Site Scripting issue in RoboHelp 10

    We're using a WebHelp system originally deployed using RoboHelp 9.0.2.271, and a recent security scan revealed the DOM based cross-site scripting issue.
    I recently upgraded to RoboHelp 10, migrated my help system to this version, and redeployed the system, but our security scan is still detecting the cross-scripting vulnerability in WebHelp. Wasn't this issue resolved in RoboHelp 10?
    Thanks

    Hi,
    I’m not a security expert, but this script reads the URL of the current topic and redirects to the current topic with a bookmark. This is needed for when the same topic is used in multiple locations in the TOC.
    I’ll ask around about this security issue.
    Greet,
    Willam

  • Cross-site scripting vulnerability RoboHelp 10 version

    Has the cross-site scripting vulnerability been addressed in the RoboHelp 10 version

    To the best of my knowledge it was addressed in Rh9. Rh10 has an HTML5 output option that does not use frames.
    However, if security is a concern, then only a security expert can give you the assurance you require.
    Personally I have yet to hear of webhelp being used maliciously but that does not mean it hasn't happened.
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • JsessionID Cross Site Scripting Bug

    Hacker Safe found the following cross site scripting issue on our server.
    index.cfm?CFID=6766970&CFTOKEN=32892658&jsessionid=4c3035dcfc2d1f43303b%3F%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22%3D1
    The Global protect is on, and the patch is applied, but still the javascript executes.
    We have corrected it using <cfif #UrlDecode("#cgi.QUERY_STRING#")# contains "<"> but I would like to know if there is a patch / hotfix for this

    cafebritt wrote:
    > Hacker Safe found the following cross site scripting issue on our server.
    >
    > index.cfm?CFID=6766970&CFTOKEN=32892658&jsessionid=4c3035dcfc2d1f43303b%3F%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22%3D1
    >
    > The Global protect is on, and the patch is applied, but still the javascript executes.
    >
    > We have corrected it using <cfif #UrlDecode("#cgi.QUERY_STRING#")# contains "<"> but I would like to know if there is a patch / hotfix for this
    You can patch this yourself :) The regular expressions that are used by the Global Script Protect function are located in the neo-security.xml file. Just update them.
    Since this is a user-to-user forum and not a user-to-adobe forum I would recommend you file a bugreport at http://adobe.com/go/wish/
    Jochem
    Jochem van Dieten
    Adobe Community Expert for ColdFusion

  • Cross-site Scripting Vulnerability OAS-10g/10.1.2.0.0 OHS

    Has anyone confronted the Cross-site scripting Vulnerability with 10g and OHS 10.1.2?
    We are about to put our first APEX box into production, but we need to fix this vulnerability first.
    I did some searching around but failed to come up with anything useful. It could be my searching sucked, too.
    Any thoughts / help / ideas would be greatly appreciated.
    Thanks.

    Hi,
    Do you get this error when you try to run forms configured using OAS 10g 10.2.0.2?
    We run a Web application using OAS 10g 10.2.0.2 and after leaving the application idle, more than half an hour, ora-12152 is displayed and the application is in a deadlock.
    Can you please suggest any solution for the same.
    Should the SQLNET.AUTHENTICATION_SERVICES= (NTS) be commented in sqlnet.ora file.
    Sridharrs

  • How to configure CSWP on Category page to show the Published Catalog-item page on Publishing site in a Cross Site Publishing scenario?

    I have created a Cross Site Publishing Environment in SharePoint Online. After connecting to my catalog, 2 pages were automatically created. But in the "Category" page, if I click on an item it will bring me to the original path/item located in the Authoring site. How to configure the Content Search Web Part on the Category page to show the Published Catalog-item page on the Publishing site?
    Can we do this by changing the property mappings?

    Hi,
    According to my understanding, you want users to be redirected to pages in the current site instead of the source page of the search results in a Content Search Web Part.
    By default, the hyperlinks of the search results in a Content Search Web Part will point to the source page where the data comes from; when the hyperlink of each result is clicked, the user will be redirected to the corresponding source page.
    If the data comes from other sites, what page do you want to display when the user clicks a search result in the Content Search Web Part?
    Property Mappings can help to control the content of each part of a display template; however, there seems to be no such property in the search result that can help to redirect to the pages of the current site, thus it might not be able to meet your requirement.
    More information about customizing the Content Search Web Part:
    https://www.martinhatch.com/2013/02/customising-cbswp-part1.html
    Best regards,
    Patrick
    Patrick Liang
    TechNet Community Support

  • Cross Site Publishing in SharePoint Online

    I was asked to test Cross Site Publishing features in SharePoint 2013 Online. I saved the Authoring site collection's Pages library as a Catalog (used the Team Site template since the Product Catalog template is not available in SP Online). When I connected that catalog in my Publishing site collection, 2 pages were created automatically. The Category Page is showing the content, but the CatalogItem page is empty. How can I configure the Content Search Web Part to show the Page Content of the Authoring Site's page?
    Can we show Authoring sites Pages libraries page content on the publishing site?
    Is this possible in SharePoint Online Cross Site Publishing?

    Hi,
    Thanks for sharing!
    Best Regards
    Dennis Guo
    TechNet Community Support

  • Cross site scripting errors in RoboHelp 8.0

    We are using Robohelp 8.02, generating webhelp for a web application. Development just started to use Fortify to identify security vulnerabilities. The Fortify software found 17 Robohelp htm files with cross-site scripting security holes. We are NOT using RoboHelp Server 8.
    Before creating this posting, I searched the forums and found one post from Feb 2010 (Beware -serious - cross site scripting errors in Robohelp 8.0).
    From reading that posting, it appears that an Adobe engineer was involved----I'm not clear on the final outcome for this issue.
    Any additional information on the final resolve for this issue would be helpful.
    Thanks,
    Beware - serious breach - cross site scripting errors in RoboHelp 8.0

    The previous poster indicated that Tulika, who I can confirm is an Adobe engineer, stated "when she reviewed the code that was triggering the Fortify cross site scripting errors, she came to the conclusion that it was not actually harmful." The poster also indicated their opinion was the other errors were minor.
    That seems clear enough so I wonder what value is anything that anyone here can add? The forum responses are from other users and I would have thought any further assurance beyond the above is something your management would want to come from Adobe.
    I have not seen anything on these forums indicating that any attack has been triggered.
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge
