ERROR [AntiCsrfServletFilter] Potential CSRF (Cross-site Request Forgery) detected

Hi,
In User Application, when I integrate my custom code to upload a file
(.xls) using Struts, we get the following error:
ERROR [AntiCsrfServletFilter] Potential CSRF(Cross-site Request
Forgery) detected against
/IDMProv/complianceRemediationAction.do/requestType=uploadAppData.
Session has been logged out.
How can we bypass the AntiCsrfServletFilter to upload the file using
my custom code?
Please share if anybody has some idea. It's urgent!!!
Thanks
Vartika Sanat
Technical Consultant
9958022664
vartika's Profile: http://forums.novell.com/member.php?userid=3010
View this thread: http://forums.novell.com/showthread.php?t=401004

vartika wrote:
>
> Hi,
>
> In User Application, when I integrate my custom code to upload a file
> (.xls) using Struts, we get the following error:
>
> ERROR [AntiCsrfServletFilter] Potential CSRF(Cross-site Request
> Forgery) detected against
> /IDMProv/complianceRemediationAction.do/requestType=uploadAppData.
> Session has been logged out.
>
> How can we bypass the AntiCsrfServletFilter to upload the file
> using my custom code?
>
> Please share if anybody has some idea. It's urgent!!!
If it's urgent I suggest you open an SR. Also, this has nothing to do
with Access Manager; try posting it in the UserApp forum.
Cheers,
Edward

Similar Messages

  • JSF 1.2 and CSRF (Cross Site Request Forgery) protection

    Hi All
    My webapp uses (among other technologies like JSP, Ajax, Dojo etc.) JSF v1.2 on WebSphere 7.0.
    I've been fixing security issues in the code recently, in particular Cross Site Request Forgery (CSRF) vulnerabilities. The suggested approach to combat CSRF is to embed a hidden unique token in your form (and also store this same token in the session). In the controller logic (i.e. the code that handles the form's POST) we then check that the session and request tokens match. I've used this in my JSPs to combat CSRF successfully. Basically I have a filter which executes before the form loads. This filter creates the unique token and stores it in the request and session, and so on.
    Now for JSF 1.2 ...
    I'm wondering how I do this in JSF v1.2? Would anyone have any code samples or resources they could point me towards? Is there a filter mechanism we can employ or some callback on the post?
    One idea I had, to populate the form with the hidden token, is to do this in the form:
    <h:inputHidden id="jsfSecurityToken" value="#{myBean.securityToken}"/>
    In "myBean.java" I have a getSecurityToken method which
    a) creates the token
    b) stores it into the request
    c) stores it into the session
    BUT I don't know how/where on the post I can CHECK that these values match.
    Page 40/41 of http://turbomanage.files.wordpress.com/2009/10/securing-jsf-applications-against-owasp-top-ten-color.pdf mentions "isPostBack" but I'm not sure how to use this.
    Any help would be great
    Thanks - Ronan

    A phase listener comes to mind. Check out this useful article:
    http://balusc.blogspot.com/2006/09/debug-jsf-lifecycle.html

  • A Cross-site request forgery (CSRF) has been detected. Task=com.bea.consol

    On the BEA admin console, trying to install an ear from a remote location that is fairly large, we're seeing the following error:
    <A Cross-site request forgery (CSRF) has been detected. Task=com.bea.console.actions.app.install.Flow.uploadApp address=*.**.***.*** user=weblogic>
    The address contains an actual IP address.
    If we copy the same ear over to the server box and install, it works fine. If we remove some jars from the ear to decrease its size, it works fine.
    We are running a Weblogic 10.3.5 server. The ear that fails is 276MB. We can successfully install a 246MB ear. So the problem must arise somewhere between 250MB and 275MB.
    Has anyone seen this? Is this a known limitation for installing remote ears?
    Any information is appreciated.

  • Cross site scripting errors in RoboHelp 8.0

    We are using Robohelp 8.02, generating webhelp for a web application. Development just started to use Fortify to identify security vulnerabilities. The Fortify software found 17 Robohelp htm files with cross-site scripting security holes. We are NOT using RoboHelp Server 8.
    Before creating this posting, I searched the forums and found one post from Feb 2010 (Beware -serious - cross site scripting errors in Robohelp 8.0).
    From reading that posting, it appears that an Adobe engineer was involved----I'm not clear on the final outcome for this issue.
    Any additional information on the final resolve for this issue would be helpful.
    Thanks,
    Beware - serious breach - cross site scripting errors in RoboHelp 8.0

    The previous poster indicated that Tulika, who I can confirm is an Adobe engineer, stated "when she reviewed the code that was triggering the Fortify cross site scripting errors, she came to the conclusion that it was not actually harmful." The poster also indicated their opinion was the other errors were minor.
    That seems clear enough so I wonder what value is anything that anyone here can add? The forum responses are from other users and I would have thought any further assurance beyond the above is something your management would want to come from Adobe.
    I have not seen anything on these forums indicating that any attack has been triggered.
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • I am working on Security scan(to avoid cross site forgery) with the CSRF approach of tomcat(apache-tomcat-6.0.32) but I am getting following issue with firefox:

    I am working on Security scan(to avoid cross site forgery) with the CSRF approach of tomcat(apache-tomcat-6.0.32) but I am getting following issue with firefox:
    1. Firefox is not supporting CSRF provided by tomcat in a proper way firefox creating multiple sessions.
    2. Whenever any exception (like JSP exception) comes on page. Firefox redirects it to CSRFPreventionFilter and this filter creates new session.
    3. Sometimes while traversing through application also CSRFPreventionFilter filter creates new session.

    I seem to have fixed it by putting <div  class="clearfloat"></div> after the navigation bar?

  • IE Cross-Site error

    IE behaves strangely on cross-site errors. Some combinations of parameters actually trigger this error.
    e.g.
    Please try the below URL in IE (Remove the space between http and :)
    http ://www.bing.com?a='b'&a=b.jsp&a=b
    Can anyone help me on why IE throws an error on Bing? I am getting a similar error in my applications but not sure why it behaves strangely.
    -Jain.

    Hi,
    File>Properties to discover which IE Security zone the sites/domains map to...
    to allow an intranet site to access a public internet site you may have to add it manually to the intranet sites list.
    eg. say I want to use the w3c validation services from a domain in the intranet or localhost(maps to the internet), then to allow this I have to manually add validator.w3.org to the IE intranet sites list.... this mean that the default intranet zone
    setting for xss filtering (is disabled) for both my intranet sites and validator.w3.org . From my intranet zone site I am then allowed to use xss to return the validation reports back from w3c. I would add that I am using the POST method and not the GET
    method...
    If possible, in your application use the POST instead of GET.
    If you are developing this and have not yet published/deployed it to a production web server, you may not be able to properly test it until you have done so and both domains map to the same security zone in IE.
    If you are writing a public access website, and you are the developer of both sites, then you can adjust the response headers to allow the domains to allow xss.
    If you are trying to use Facebook connect or the equivalent Twitter connect, then you have chosen the wrong technology. Refer to the respective developer api documentation.
    What examples and sample code you have supplied us so far leaves some guessing room as to what you actually want to achieve.
    Rob^_^

  • SP2013 Unable to get Cross Site Publishing working

    Hi folks,
    I am wondering if anyone has a set of instructions for implementing Cross Site publishing in SharePoint 2013
    that actually work and are up-to-date.
    I'm trying to implement CSP using a simple document library in a product catalog site collection to a publishing site.  Created a term set, enabled the library under catalog settings for anonymous, uploaded content, full crawled the library, connected
    to the catalog from the publishing site, updated the navigation properties on the publishing site - When I test clicking on the navigation link gives a 'The page you are looking for doesn't exist' so it appears not to be creating the appropriate page.
    I've examined a dozen different sets of instructions that are either incomplete or just wouldn't work to see if I am missing a step but cannot identify why I don't see the page with a list of document.
    One [potential] issue that I have noticed is that the term I am using has a 'memberof' field.  However some times the permissions get correctly updated and sometimes they do not - there appears no way to update or remove values here.
    Regards
    Andy
    Update:  I've managed to get a little further (by chance) - after waiting a little longer, I now get the catalogue page displayed, however, there is a warning 'Checked out to you'.  I cannot find any documentation around why this
    occurs and how to prevent it.
    Also, if I click the link of the document, it does not open the document but instead displays the fields from the document properties (name, version, date etc.).

    At the moment the best I can get to happen is a list of documents (with large grey boxes above the names) to appear when the navigation link (the term) is selected on the publishing site. Clicking on the links results in a 'page not found' error.
    The URL that is generated when I hover the mouse over the document name on the publishing site is in the format of http:server/sites/sitename/term-name/documentname/term-name/15/1.0   I am not sure how that would resolve back to any
    document.
    The first reference to term-name appears to be the value in the term-driven-pages tab, Friendly URL for term field out of the term store on the publishing site.
    The second reference to term-name appears to be the value in the Navigation tab for the same term.
    Edit:  I am finally able to open a document successfully.   I had to make a couple of changes, the first was to remove the catalog connection and re-create it.  The Catalog Item URL Behaviour needed to be set to 'Make URLS point to source
    catalog',  the second was as above - to edit the content search webpart on the  category-xyz page so that it was set to OriginalPath  (and remember to check in and publish the page).
    Whenever the catalog connection is modified one needs to re-crawl the server - I found that continuous crawl often didn't seem to pick up changes, so for testing I used a full manual crawl.
    Also, when re-creating the catalog connection an error about duplicate terms can be ignored (it still creates the catalog connection), but you have to run a full search crawl afterwards.
    Now that I know it works, I need to re-do everything from scratch to ensure that it can be replicated. If I get time, I will post up some instructions with all of the issues I encountered listed.

  • Due to the presence of characters known to be used in Cross Site Scripting

    I am getting the following error when I try to send a single quote as part of a URL. I tried JavaScript escape to encode the URL, but I am still getting the same error. Does anybody know a workaround for the issue? Thanks
    Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
    403: Access Forbidden
    Your client is not allowed to access the requested object

    FYI. We are using IIS Webserver and Weblogic Appserver.
    When the page is accessed through Weblogic , cross site script does not occur. It happens when the page is rendered via IIS.

  • Cross-site Scripting Vulnerability OAS-10g/10.1.2.0.0 OHS

    Has anyone confronted the Cross-site scripting Vulnerability with 10g and OHS 10.1.2?
    We are about to put our first APEX box into production, but we need to fix this vulnerability first.
    I did some searching around but failed to come up with anything useful. It could be my searching sucked, too.
    Any thoughts / help / ideas would be greatly appreciated.
    Thanks.

    Hi,
    Do you get this error when you try to run forms configured using OAS 10g 10.2.0.2.
    We run a Web application using OAS 10g 10.2.0.2 and after leaving the application idle, more than half an hour, ora-12152 is displayed and the application is in a deadlock.
    Can you please suggest any solution for the same.
    Should the SQLNET.AUTHENTICATION_SERVICES= (NTS) be commented in sqlnet.ora file.
    Sridharrs

  • Business Objects Infoview 'cms' Cross-Site Scripting Vulnerability

    I was recently notified that we are vulnerable to cross-site scripting. We are using Crystal Enterprise XI R2. I read that we need fix pack 3.5, however I don't know where to find it within SAP. I thought that Service Pack 3 would help but it doesn't appear available to download. Has anyone else talked about this vulnerability?
    Edited by: Wade Hinkle on Jul 18, 2008 6:53 PM

    Hi experts,
    I checked the permissions at the PCD and everything should be fine.
    But what I found out at the moment is that the Business Objects application does try to change the browser height and width... for some reason I don't know.
    Well, and the portal does not allow this action in the portal browser / content area.
    1) The error messages are window.setIframeHeigth :
    while (childFrame != parentWin && parentWin.setIframeHeight && parentWin.supportResizeFrameToContent) {
            var x = parentWin.document.body.scrollLeft;
            var y = parentWin.document.body.scrollTop;
            parentWin.setIframeHeight(childFrame.name);
            parentWin.scrollTo(x,y);
            childFrame = parentWin;
            parentWin = childFrame.parent;
    2) the other message is Window.document
    function findElementById(Id) {
         var mywin = window;
         while (mywin != mywin.parent && mywin.parent && mywin.parent.document) {
              mywin = mywin.parent;
    The only way it works now is when I choose the option "display at own window": the application is started and can be accessed.
    Well, but unfortunately this is not the integration layer I am looking for... I would like to integrate the web application into the portal content area.
    Has anybody some other ideas?
    Thanks in advance and best regards
    Stefan

  • Cross-site scripting vulnerability

    Hi!
    Has anyone done this yet? Embedding a Flash video object in Dreamweaver or Contribute using the Insert Flash Video command might create a cross-site scripting vulnerability. A potential cross-site scripting vulnerability has been identified within the FLVPlayer_Progressive.swf file. The fix on the Adobe web site is not clear: the article I read about it says Dreamweaver 8 and CS3 are affected, but the Adobe page only refers to CS3. I was wondering if the files for the download they provide will work in 8.02 as well? This is the link to the Adobe webpage.
    http://kb.adobe.com/selfservice/viewContent.do?externalId=kb402925&sliceId=1
    Thanks.
    Dave

    I use CS3 and have done the update. The advice in the article on the page you're referring to is totally messed up.
    Do the renamed ... .old files need to be deleted from the \Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Templates\Video_Player and the \Program Files\Adobe\Adobe Contribute CS3\Configuration\Templates\Video_Player folders or not? The article says nothing about this.
    The described update process for existing sites is absolutely unclear. Open the page in Dw, Preview In Browser, and Save? What change would that make? More importantly, is it enough to update the FLVPlayer_Progressive.swf and/or the FLVPlayer_Streaming.swf on existing sites or not?
    The updated files have a creation date of January 9, 2008, while the article suggests that these files should have a creation date of January 15, 2008.
    The link is broken in the "Additional Information" section.
    That page seriously needs some supervision imho.

  • Error while creating customer account sites from backend

    I am creating Customer Account Sites using the TCA API from Toad.
    I am getting the following error
    The operating unit is either invalid or it cannot be derived. Please verify your Multi-Org profile options.
    The Operating unit has been defined.
    I am using the following code:
    DECLARE
      p_cust_acct_site_rec  hz_cust_account_site_v2pub.cust_acct_site_rec_type;
      x_return_status       VARCHAR2(2000);
      x_msg_count           NUMBER;
      x_msg_data            VARCHAR2(2000);
      x_cust_acct_site_id   NUMBER;
    BEGIN
      p_cust_acct_site_rec.cust_account_id   := 9462;
      p_cust_acct_site_rec.party_site_id     := 5473;
      --p_cust_acct_site_rec.language        := 'US';
      p_cust_acct_site_rec.org_id            := 126;
      p_cust_acct_site_rec.created_by_module := 'TCA-EXAMPLE';

      hz_cust_account_site_v2pub.create_cust_acct_site(
        'T',                    -- p_init_msg_list
        p_cust_acct_site_rec,
        x_cust_acct_site_id,
        x_return_status,
        x_msg_count,
        x_msg_data);

      dbms_output.put_line(SubStr('x_return_status = '||x_return_status, 1, 255));
      dbms_output.put_line('x_msg_count = '||TO_CHAR(x_msg_count));
      dbms_output.put_line(SubStr('x_msg_data = '||x_msg_data, 1, 255));

      -- With more than one message, x_msg_data is empty; walk the message stack instead.
      IF x_msg_count > 1 THEN
        FOR i IN 1..x_msg_count LOOP
          dbms_output.put_line(i||'. '||SubStr(FND_MSG_PUB.Get(p_encoded => FND_API.G_FALSE), 1, 255));
        END LOOP;
      END IF;
    END;
    Thanks and Regards,
    K tanna

    Duplicate post.
    Error while creating customer account sites
    Error while creating customer account sites

  • AdobeSuite installation does not work: "error initializing program, download adobe advisor"

    Good morning, AdobeSuite installation does not work and I receive"error initializing program, download adobe advisor" error message. On Adobe site it appears"The Adobe Support Advisor has been discontinued  The Adobe Support Advisor tool was used to analyze installer log and system information associated with installation errors. The tool has been replaced with improved installation support mechanisms. Please visit Adobe Support section for Knowledge base articles around Installation."

    Nobody can tell you anything without proper system info or other technical details. We don't even know what exactly you are trying to install.
    Mylenium

  • Publish Page Content-Cross Site Publishing in SharePoint Online

    Is it possible to get Authoring Site's Specific Page's Content/html content (Live in Page Library of Authoring Site and saved as a Catalog) by a Content Search web part added to the Publishing site's page? 
    (Please note that these sites created in SharePoint 2013 Online, Authoring Site activated Cross site Publishing feature and created using team site template, Publishing site created using Publishing Portal template)

    Hi Gihan,
    Glad to hear your issue solved and thanks for your sharing! It is helpful for others who will meet the same issue.
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • Error when using ANY "save site as template Include Content" solution to create a NEW Site Collection

    Here is the scenario. (SharePoint 2013)
    In Dev/Test/Prod any Site that we Save as Template and include content and then, Download and try to use in a new Site Collection errors out upon use "List does not exist" error.
    This occurs with ANY Site, even OOB Team Site template that is immediately "Saved as Template".
    We can do this in any other environment (we have several test labs 1 in O365 and 1 in VM that is very OOB)
    We can take the site solution from the environments we're having the issue in and use them successfully in our Lab environments (on prem or in the cloud).
    We have also tried taking Site solution from lab environment (where we know it works fine) and tried to use these in Dev/Test/Prod and they also error on us.
    In the Dev/Test/Prod environments that have the issue if we DO NOT include content, the template works just fine to create a new site collection with the template.
    Keep in mind we're talking about environment with no 3rd party apps, no custom code, just 2013 SharePoint with all patches and CU up to June 2013, AND this is ANY template even a vanilla OOB template without anything in it.
    You can always save site as template including content, download/upload it to new site collection solutions gallery and activate it without any issue... it's only if you try to use these templates to create a site that the error occurs.
    Any thoughts on this?
    J

    I also experiencing the same issue. I also tried to create a new site-collection using publishing site template, resulting in "list not found" error.
    Later I tried just a team-site (with content) -> the same error.
    The error appears on two different (post SP1) farms. That's why I tested the site-collection creation on an old (pre SP1) farm: the error doesn't exist. Site-Collections are created properly.
    My conclusion is: either SharePoint SP1 or a later CU causing the error.
    Regards,
    Valerian
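The synchronizer-token pattern that the JSF post above describes (a random token rendered as a hidden form field, a copy kept in the session, and the two compared on every POST) written out as a plain servlet filter. The rejection in the opening thread ("Potential CSRF detected ... Session has been logged out") is the kind of response such a filter gives when a request arrives without the expected token, and the remedy is to make the upload request carry the token, not to remove the filter. This is an added example, not code from the Novell, WebSphere, Tomcat or BEA products named in the threads; the class name, the `csrfToken` parameter, the `X-CSRF-Token` header and the session attribute name are assumptions chosen for the example, and it targets the `javax.servlet` API of the containers mentioned.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Synchronizer-token CSRF filter (example code, not part of any product in the thread).
 * One random token per session; every state-changing request must echo it back.
 *
 * Views render it as a hidden field (field and attribute names are assumptions):
 *   <input type="hidden" name="csrfToken" value="${sessionScope.csrfToken}">
 * Ajax or multipart clients may send it in the X-CSRF-Token header instead.
 */
public class CsrfTokenFilter implements Filter {
    public static final String TOKEN_PARAM  = "csrfToken";    // hidden form field or query parameter
    public static final String TOKEN_HEADER = "X-CSRF-Token"; // header alternative for uploads/Ajax
    public static final String SESSION_ATTR = "csrfToken";    // where the session copy is kept

    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Issue the token on the first request so the view layer can render it into forms.
        HttpSession session = request.getSession(true);
        String expected = tokenFor(session);

        if (isStateChanging(request.getMethod())) {
            String presented = request.getHeader(TOKEN_HEADER);
            if (presented == null) {
                presented = request.getParameter(TOKEN_PARAM);
            }
            if (!tokensMatch(expected, presented)) {
                // Same reaction as the filter in the opening thread: drop the session and refuse.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Only safe, idempotent methods are exempt; everything else must carry the token. */
    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    /** Returns the session's token, creating a 256-bit random one (hex encoded) if none exists. */
    static String tokenFor(HttpSession session) {
        synchronized (session) {  // best-effort: two parallel first requests should share one token
            String token = (String) session.getAttribute(SESSION_ATTR);
            if (token == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                StringBuilder hex = new StringBuilder(raw.length * 2);
                for (byte b : raw) {
                    hex.append(String.format("%02x", b));
                }
                token = hex.toString();
                session.setAttribute(SESSION_ATTR, token);
            }
            return token;
        }
    }

    /** Constant-time comparison so response timing does not leak how much of the token matched. */
    static boolean tokensMatch(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }
}
```

Map the filter in web.xml to every URL pattern whose handlers change state (for the example, `/*` and let `isStateChanging` exempt reads). Two caveats matter for the file-upload case in the opening thread: on a Servlet 2.5 container such as Tomcat 6 or WebSphere 7, `getParameter()` does not parse a `multipart/form-data` body, so a hidden field inside the upload form is invisible to the filter and the token has to travel in the form action's query string or in the header instead; and because the filter invalidates the session on a mismatch, a form rendered before a session timeout will always be rejected, which is why the token should be read from the session at render time rather than cached in the page.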
