Cross-Site Request Forgery

posted by mthomas on May 9, 2011 07:08 AM

Cross-site request forgery (CSRF), also sometimes referred to as one-click attacks or session riding, is another type of malicious exploit of websites that the Apache Tomcat community has addressed in the Apache Tomcat 7 release process. Different from cross-site scripting, where the attacker exploits the trust users have for a particular site, CSRF targets the trust that sites have in a user’s browser. The new CSRF Protection prevents attacks directly on Apache Tomcat Manager and Apache Tomcat Host Manager as well as provides a CSRF Prevention Filter for the applications that run on Tomcat to use.

A Simple Example

A system administrator connects to a Tomcat instance and logs into the Tomcat Manager application. The admin performs routine tasks such as deploying a web application, checking the status of another application and upgrading a third application. Then the administrator leaves Tomcat Manager, and goes to browse the web. One of the sites the administrator browses has malicious code in either a link or a flash file that tricks the browser into making a request into Tomcat Manager. The admin’s session for Tomcat Manager has not yet expired, and Tomcat grants the malicious code access to the request. This essentially introduces a large back door for control into the system administrator’s Tomcat instances.

In addition to targeting administrators to take down websites, applications that run on Tomcat-such as banking applications-are also vulnerable to the same attacks. Check out the article on CSRF on the Open Web Application Security Project (OWASP) for more detail.

Is It Really a Vulnerability?

In order for this to work, the attacker must know the full URL for the Tomcat Manager application. Most administrators have a private and unique naming convention for their server infrastructure and ports. The chances of an attacker knowing these is fairly slim, and would essentially mean that it must be a targeted attack on a single deployment.

Another option for attackers is to use localhost with the port 8080 in their request. If the administrator is using Tomcat Manager locally when they are browsing the web, then the attacker would be successful. Usually, however, system administrators would not be running web browsers directly from a production server. For most administrators, this would be considered reckless behavior.

The workaround is simple for any case—when a user is done working on an authenticated session, simply close out the browser or log out of the application so no authenticated session exists to be exploited. For most security sensitive system administrators, this should be a standard operating procedure. However, quite a few security professionals disagree that standard precautions are enough to protect sites, and general consensus is that CSRF is a security vulnerability that applications themselves should protect against.

The Fix

Applications, such as Tomcat Manager, can protect themselves against these types of attacks by using a system of nonces, or tokens. Starting with the authentication request, the browser is sent a special token that must be provided with the next request. Each subsequent response provides a new token for the following request. In this case, when the attacker sends the request, while it will reach the server, it will not include the correct token, so the server will reject the request and prevent the attack.

CSRF Protection in Tomcat 7

Tomcat provides this token-based protection by default in Tomcat Manager and the Tomcat Host Application.

Additionally it provides a CSRF Prevention Filter that can be used by applications deployed on Tomcat 7. The filter sends the token to the browser by modifying all of the URLs in the response for the links that the user can click on. In order to do that, it requires that the application encodes URLs in the response by a calling HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String). Web applications should already be doing this as a requirement to support sessions with users that do not accept cookies. However, many web applications today still do not always utilize this method.

For applications that use this format of URL encoding, they can get CSRF protection for free simply by turning on the CSRF Protection Filter.

Addressing Problems with the Back Button & Parallel Requests

Since each request is granted by the validity of the token attached to it, using the back button or parallel requests requires the application to honor previously issued tokens. By default, the CSRF Prevention Filter in Tomcat 7 allows up to the previous 5 tokens to be used. Administrators can change this setting by setting the CSRF Prevention Filter attribute nonceCacheSize to the specific number of previous tokens the application should accept.

Entry points

The URLs protected by the filter will be determined by the configured filter mapping. For example, there is likely to be little point protecting static image files with the CSRF prevention filter. However, there will also be URLs (such as the default page for Tomcat's Manager application) where the filter is required but the nonce check is not required. These URLs are called entry points as they provide a route for user's who do not have a valid CRSF token to entry the protected are of the application. The entry points are configured as part of the filter configuration.


Any application that uses authentication should consider providing CSRF protection. There are a number of libraries available that provide CSRF protection but if you are running on Apache Tomcat 7 then taking advantage of the built-in CSRF prevention filter may provide a simple way to implement this protection.

Note that the CSRF Prevention Filter is now also available in Apache Tomcat 6.

Mark Thomas is a Senior Software Engineer for the SpringSource Division of VMware, Inc. (NYSE: VMW). Mark has been using and developing Tomcat for over six years. He first got involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first bug, he started working his way through the remaining Tomcat bugs and is still going. Along the way Mark has become a Tomcat committer and PMC member, volunteered to be the Tomcat 4 & 7 release manager, created the Tomcat security pages, become a member of the ASF and joined the Apache Security Committee. He also helps maintain the ASF's Bugzilla instances. Mark has a MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.


Trying to implement this, but having issues

Hi Mark,

I am trying to add CSRF protection to the java web application. I have the web.xml configured with the CSRF filter and filter mappings to the servlets.


In my JSP I am try to pass the CSRF_NONCE as a parameter in the POST request
FORM METHOD="POST" ACTION="/exampleservlet"
INPUT TYPE="HIDDEN" NAME="org.apache.catalina.filters.CSRF_NONCE" VALUE="<%=session.getAttribute("org.apache.catalina.filters.CSRF_NONCE")%>"

I keep getting a 403 forbidden. I checked and the NONCE value I am passing is the LRU cache that its suppose to look up and compare with. Not sure why its not finding the NONCE in the cache. Any ideas or help would be appreciated.


Wedding photographers in Hyderabad

with the next request. Each subsequent response provides a new token for the following request. In this case, when the attacker sends the request, while it will reach the server, it will not include the correct token, so the server will reject the request and prevent the attack.
Wedding photographers in Hyderabad

Commercial Coffee Makers

however, system administrators would not be running web browsers directly from a production server. For most administrators, this would be considered reckless behavior.
Commercial Coffee Makers

An outstanding share! I have

An outstanding share! I have just forwarded this onto a coworker who has been doing a little homework on this. And he actually ordered me lunch due to the fact that I found it for him... lol. So let me reword this.... Thanks for the meal!! But yeah, thanks for spending the time to talk about this matter here on your internet site.
Mortgage Broker Calgary

wedding photographer newcastle

Each subsequent response provides a new token for the following request. In this case, when the attacker sends the request, while it will reach the server, it will not include the correct token, so the server will reject the request and prevent the attack.
wedding photographer newcastle

Game Hack

hungry shark evolution hack android The best article I came across a number of years, write something about it on this page. clash of clans android hack


buy youtube subscribers
In reality That i look over it all not long ago however , I saw it certain thinkings about that and after this I want to read the paper it all for a second time given that it's well written.
buy youtube views

These absolutely replica

These absolutely replica watches accredit to the affectionate of actualization you require, whether it's a academic or a accidental product. As anon as you apperceive this factor, you aswell charge to set a budget. The bulk you adeptness be accommodating to pay may be a absolute acceptable indicator for the alike actualization product.Just afore chief on a accurate product, you accept to appraise assorted websites and analyze products' prices.The additional affair you accept to do would be to arise browsing the attainable models. The above-mentioned belief can save you from crumbling time as you are able to arise aggravating to acquisition the adapted replica watches' categories.To be able to access the alike actualization you need, don't overlook to aswell assay the website's credibility. In case Remember that the swiss replica watches beam you would like to buy should be a reliable and athletic piece. that you acquisition any abrogating comments about the website, you should actively amend your investment. For sure, should you chase these few simple actions, you can absolutely access a beautiful, abiding and reliable alike watch. An acutely important basic in advertent the absolute reproduction watch for you is to conduct a acceptable rolex replica analysis. It adeptness be achievable to get an accomplished actualization at a absolute acceptable price.

I was just browsing through

I was just browsing through the internet looking for some information and came across your blog. I am impressed by the information that you have on this blog. It shows how well you understand this subject. Bookmarked this page, will come back for more. Text Your Ex Back

A good blog always comes-up

A good blog always comes-up with new and exciting information and while reading I have feel that this blog is really have all those quality that qualify a blog to be a one.I wanted to leave a little comment to support you and wish you a good continuation. Wishing you the best of luck for all your blogging efforts. Diabetes Destroyer

Glad to chat your blog, I

Glad to chat your blog, I seem to be forward to more reliable articles and I think we all wish to thank so many good articles, blog to share with us. I will really appreciate the writer's choice for choosing this excellent article appropriate to my matter.Here is deep description about the article matter which helped me more. Rocket Spanish

wow, great, I was wondering

wow, great, I was wondering how to cure acne naturally. and found your site by google, learned a lot, now i’m a bit clear. I’ve bookmark your site and also add rss. keep us updated. Language of Desire

These websites are really

These websites are really needed, you can learn a lot. What Men Secretly Want

In this particular article,

In this particular article, you will see a summary, satisfy browse this post. The Instant Switch Review

I encourage you to read this

I encourage you to read this text it is fun described ... Talk To His Heart Review

I have a similar interest

I have a similar interest this is my page read everything carefully and let me know what you think. The Woman Men Adore and Never Leave

I can give you the address

I can give you the address Here you will learn how to do it correctly. Read and write something good. Ex Factor Guide Review

Just find best essay write

Just find best essay write online. When you do, let me know what you think of this

Why do only so much written

Why do only so much written on this subject? Here you see more. The Red Smoothie Detox Factor

Post new comment

This question is for testing whether you are a human visitor and to prevent automated spam submissions.