AntiCSRF Tokens - JSP Tags

[meg23]

From rkli...@gmail.com on October 30, 2010 22:03:27

This is a set of Java files and a TLD for generating secure random numbers for Anti-CSRF JSP Tags.

adds a hidden input into a form field, generating a new Anti-CSRF token for the session if it exists or else creating a new one

checks to see if the Anti-CSRF token submitted matches the one in the session. A mismatch causes a new CSRFTokenException to be thrown.

Attachment: AntiCSRFTokenTag.java AntiCSRFTokenTagCheck.java CSRFTokenException.java CSRFTokenUtil.java anti_csrf.tld

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=162

[meg23]

From manico.james@gmail.com on October 31, 2010 21:27:13

Labels: CSRF

[meg23]

From manico.james@gmail.com on November 01, 2010 05:52:59

Status: Accepted
Labels: Milestone-Release2.1

[meg23]

From brijesh....@gmail.com on July 06, 2011 13:10:39

how will the jsp calling the above tools be like.
I am a little confused with when should i set the csrf token in the request paremeter. Should that be onsubmit?

[meg23]

From robinspe...@gmail.com on June 06, 2013 23:10:36

Hi,

As per the above mentioned mechanism, we are adding a secret token as a hidden field in JSP and hence it's passed in the request.

As we are passing is it in a jsp as a hidden field the attacker would be able to find the value of the secret token and could add the same in his malicious request also. On such a scenario, we would not be able to differentiate the malicious and intended request rite?

Apologies if my understanding is wrong! and requesting you to explain briefly in i have understood wrongly.

Thanks!