adhpawal / csrf-filter Goto Github PK

What steps will reproduce the problem?
1. A hacker captures a request.
2. Modifies it as he wants (or creates a brand new request - just use the same 
csrf parm and cookie names)
3. The csrf tokens in parms and in cookies stay as they where.  

What is the expected output? What do you see instead?
Expected would be the detection that the request comes from a different user.  
The csrf-filter only checks that the token values in parms and in cookies are 
identicall.  So, it accepts the request.

What version of the product are you using? On what operating system?
* current version from the trunk
* OS - any

Please provide any additional information below.

If you are using the application for more than 1 hour the cookie will time out 
and will be refreshed with a new value. The result is that you're getting the 
error 400.

I'm using version 2.4 of the library.

The request is to make the duration of the cookie configurable using an 
init-param.

i have gwt application and i would like to use your CSRF Filter, Could you 
please give me any advice how to add the ${csrf} to my gwt application.

appreciate your advice.

Thanks

What steps will reproduce the problem?
1. Design a form with method=Post
2. load the form in 1 browser tab, at this point the form has the csrf token 
(say 123) and the value of the cookie is also 123. 
3. Load the same form in browser tab 2, at this point the csrf token in the 
page is (say 456) and the value of the cookie is now 456.
4. Now go back to tab 1 and submit that form, at this time, the csrf filter 
will receive (123 from the page) and cookie value is 456 and the page will get 
a HTTP 500 error which is incorrect.

What is the expected output? What do you see instead?

Authentication error should not occur.

What version of the product are you using? On what operating system?

Latest version of csrf-filter on Tomcat on windows 7.


Please provide any additional information below.
I like the fact that the token is not stored in the server-side session, 
however, if the above issue cannot be solved, I see that there could be false 
positives.

Performance: Check if logging is enabled.

I'd been going through the code. However, I do not see a place where the 
${csrf} is replaced with actual value. However, it is being queried by 
request.getParameter (...). How the value of ${csrf} is set?

Any help on this is appreciated.