I am trying to use OWASP's CSRFGuard in my Java Spring-MVC web application, but it is detecting a CSRF attack for any action the user performs. The web application loads, but as soon as the user tries to navigate to any part of it, the org.owasp.csrfguard.action.Log.Message that I set in the
CSRFguard.properties file reports "error: required token is missing from the request". Even though the URL does contain the token (see screenshot)?
Here is my Owasp.CsrfGuard.properties file:
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
org.owasp.csrfguard.Enabled = true
org.owasp.csrfguard.ValidateWhenNoSessionExists = false
org.owasp.csrfguard.TokenPerPage=false
org.owasp.csrfguard.Rotate=false
org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.jsp
org.owasp.csrfguard.unprotected.Css=*.css
org.owasp.csrfguard.unprotected.JavaScript=*.js
org.owasp.csrfguard.TokenName=csrfToken
org.owasp.csrfguard.SessionKey=csrfToken
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.PRNG.Provider=SUN
org.owasp.csrfguard.Config.Print = true
org.owasp.csrfguard.JavascriptServlet.sourceFile = WEB-INF/csrfguard.js
org.owasp.csrfguard.JavascriptServlet.domainStrict = true
org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
Best answer
This happens when the token is not passed with the HTTP request. I suggest using Tamper Data to verify that the token is being sent along with the HTTP request. It may involve the JSP or HTML that directs the request to a particular page, where you need to inject the token.
If you have already tried dynamic JavaScript injection, you can try JSP tag library injection, since sometimes dynamic JavaScript injection does not work.
csrfguard 3.1.0 example
csrfguard token injection
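As an added example (not code from the question, the answer, or CSRFGuard itself), the Python script below performs the check the answer recommends: it reads the token name and the unprotected globs from the question's properties and reports, for a captured raw request, whether the csrfToken travels in the query string, in the form body, or in a request header. The X-CSRF-Token header name and the sample request are assumptions, and the classification only approximates CSRFGuard's own check.

```python
import fnmatch
from urllib.parse import parse_qs, urlsplit

# Subset of the question's Owasp.CsrfGuard.properties that this check uses.
PROPERTIES = """org.owasp.csrfguard.TokenName=csrfToken
org.owasp.csrfguard.unprotected.Css=*.css
org.owasp.csrfguard.unprotected.JavaScript=*.js"""
AJAX_HEADER = "x-csrf-token"  # assumed header name, not taken from the page

def load_props(text):
    """Parse key=value lines of a .properties file into a dict."""
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_request(raw):
    """Return (request-target, lower-cased headers, body) of a raw HTTP/1.1 request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ")[1], headers, body

def token_status(raw, props):
    """Classify one request as 'unprotected', 'present' or 'missing'."""
    token = props["org.owasp.csrfguard.TokenName"]
    target, headers, body = parse_request(raw)
    url = urlsplit(target)
    # Paths matching an unprotected.* glob need no token (the page's *.css / *.js).
    globs = [v for k, v in props.items() if ".unprotected." in k]
    if any(fnmatch.fnmatch(url.path, g) for g in globs):
        return "unprotected"
    if token in parse_qs(url.query):  # token appended to the URL
        return "present"
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    if is_form and token in parse_qs(body):  # token as a hidden form field
        return "present"
    if AJAX_HEADER in headers:  # token sent as a request header (AJAX)
        return "present"
    return "missing"

PROPS = load_props(PROPERTIES)
# Constructed capture of the plain navigation the question describes: no token anywhere.
NAVIGATION = "GET /app/account HTTP/1.1\r\nHost: example.test\r\n\r\n"
print(token_status(NAVIGATION, PROPS))  # → missing
```

Feed it the requests you capture with Tamper Data; a "missing" result on a navigation that CSRFGuard flags confirms the token was never injected into that link or form.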