TomcatExpert

Cross-Site Request Forgery

posted by mthomas on May 9, 2011 07:08 AM

Cross-site request forgery (CSRF), also sometimes referred to as one-click attacks or session riding, is another type of malicious exploit of websites that the Apache Tomcat community has addressed in the Apache Tomcat 7 release process. Different from cross-site scripting, where the attacker exploits the trust users have for a particular site, CSRF targets the trust that sites have in a user’s browser. The new CSRF Protection prevents attacks directly on Apache Tomcat Manager and Apache Tomcat Host Manager as well as provides a CSRF Prevention Filter for the applications that run on Tomcat to use.

A Simple Example

A system administrator connects to a Tomcat instance and logs into the Tomcat Manager application. The admin performs routine tasks such as deploying a web application, checking the status of another application and upgrading a third application. Then the administrator leaves Tomcat Manager, and goes to browse the web. One of the sites the administrator browses has malicious code in either a link or a flash file that tricks the browser into making a request into Tomcat Manager. The admin’s session for Tomcat Manager has not yet expired, and Tomcat grants the malicious code access to the request. This essentially introduces a large back door for control into the system administrator’s Tomcat instances.

In addition to targeting administrators to take down websites, applications that run on Tomcat-such as banking applications-are also vulnerable to the same attacks. Check out the article on CSRF on the Open Web Application Security Project (OWASP) for more detail.

Is It Really a Vulnerability?

In order for this to work, the attacker must know the full URL for the Tomcat Manager application. Most administrators have a private and unique naming convention for their server infrastructure and ports. The chances of an attacker knowing these is fairly slim, and would essentially mean that it must be a targeted attack on a single deployment.

Another option for attackers is to use localhost with the port 8080 in their request. If the administrator is using Tomcat Manager locally when they are browsing the web, then the attacker would be successful. Usually, however, system administrators would not be running web browsers directly from a production server. For most administrators, this would be considered reckless behavior.

The workaround is simple for any case—when a user is done working on an authenticated session, simply close out the browser or log out of the application so no authenticated session exists to be exploited. For most security sensitive system administrators, this should be a standard operating procedure. However, quite a few security professionals disagree that standard precautions are enough to protect sites, and general consensus is that CSRF is a security vulnerability that applications themselves should protect against.

The Fix

Applications, such as Tomcat Manager, can protect themselves against these types of attacks by using a system of nonces, or tokens. Starting with the authentication request, the browser is sent a special token that must be provided with the next request. Each subsequent response provides a new token for the following request. In this case, when the attacker sends the request, while it will reach the server, it will not include the correct token, so the server will reject the request and prevent the attack.

CSRF Protection in Tomcat 7

Tomcat provides this token-based protection by default in Tomcat Manager and the Tomcat Host Application.

Additionally it provides a CSRF Prevention Filter that can be used by applications deployed on Tomcat 7. The filter sends the token to the browser by modifying all of the URLs in the response for the links that the user can click on. In order to do that, it requires that the application encodes URLs in the response by a calling HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String). Web applications should already be doing this as a requirement to support sessions with users that do not accept cookies. However, many web applications today still do not always utilize this method.

For applications that use this format of URL encoding, they can get CSRF protection for free simply by turning on the CSRF Protection Filter.

Addressing Problems with the Back Button & Parallel Requests

Since each request is granted by the validity of the token attached to it, using the back button or parallel requests requires the application to honor previously issued tokens. By default, the CSRF Prevention Filter in Tomcat 7 allows up to the previous 5 tokens to be used. Administrators can change this setting by setting the CSRF Prevention Filter attribute nonceCacheSize to the specific number of previous tokens the application should accept.

Entry points

The URLs protected by the filter will be determined by the configured filter mapping. For example, there is likely to be little point protecting static image files with the CSRF prevention filter. However, there will also be URLs (such as the default page for Tomcat's Manager application) where the filter is required but the nonce check is not required. These URLs are called entry points as they provide a route for user's who do not have a valid CRSF token to entry the protected are of the application. The entry points are configured as part of the filter configuration.

Recommendation

Any application that uses authentication should consider providing CSRF protection. There are a number of libraries available that provide CSRF protection but if you are running on Apache Tomcat 7 then taking advantage of the built-in CSRF prevention filter may provide a simple way to implement this protection.

Note that the CSRF Prevention Filter is now also available in Apache Tomcat 6.

Mark Thomas is a Senior Software Engineer for the SpringSource Division of VMware, Inc. (NYSE: VMW). Mark has been using and developing Tomcat for over six years. He first got involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first bug, he started working his way through the remaining Tomcat bugs and is still going. Along the way Mark has become a Tomcat committer and PMC member, volunteered to be the Tomcat 4 & 7 release manager, created the Tomcat security pages, become a member of the ASF and joined the Apache Security Committee. He also helps maintain the ASF's Bugzilla instances. Mark has a MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.

Comments

Trying to implement this, but having issues

Hi Mark,

I am trying to add CSRF protection to the java web application. I have the web.xml configured with the CSRF filter and filter mappings to the servlets.
[filter]
[filter-name]CSRF[/filter-name]
[filter-class]org.apache.catalina.filters.CsrfPreventionFilter[/filter-class]
[init-param]
[param-name]entryPoints[/param-name]
[param-value]/html,/html/[/param-value]
[/init-param]
[/filter]

[filter-mapping]
[filter-name]CSRF[/filter-name]
[servlet-name]exampleservlet[/servlet-name]
[/filter-mapping]

In my JSP I am try to pass the CSRF_NONCE as a parameter in the POST request
FORM METHOD="POST" ACTION="/exampleservlet"
INPUT TYPE="HIDDEN" NAME="org.apache.catalina.filters.CSRF_NONCE" VALUE="<%=session.getAttribute("org.apache.catalina.filters.CSRF_NONCE")%>"

I keep getting a 403 forbidden. I checked and the NONCE value I am passing is the LRU cache that its suppose to look up and compare with. Not sure why its not finding the NONCE in the cache. Any ideas or help would be appreciated.

Thanks,
Leo

Wedding photographers in Hyderabad

with the next request. Each subsequent response provides a new token for the following request. In this case, when the attacker sends the request, while it will reach the server, it will not include the correct token, so the server will reject the request and prevent the attack.
Wedding photographers in Hyderabad

Brilliant text. A posting is

Brilliant text. A posting is affecting loads of imperative complications one's world. Most people can't be uninvolved so that you can all these complications. The following posting supplies plans plus basics. Pretty enlightening plus simple.
Cheap Club Flyers

So it is interesting and very

So it is interesting and very good written and see what they think about other people. The Woman Men Adore

I would recommend my profile

I would recommend my profile is important to me, I invite you to discuss this topic. The Psystrology Method

So it is interesting and very

So it is interesting and very good written and see what they think about other people. Signs it is Time to end a Relationship

Find the best essays on

Find the best essays on is my friend's profile page. Obsession Phrases

with the next need

with the next need https://advanced-writers.com/. Each following response provides a new icon for the following need. In this situation, when the opposition provides the need, while it will get to the web server, it will not add the appropriate icon, so the web server will restrict the need and prevent the attack.

sl786982

I want you to thank for your time of this wonderful read!!! I definately enjoy every little bit of it and I have you bookmarked to check out new stuff of your blog a must read blog! hoteles juegos olimpicos rio

sl786982

Welcome to the party of my

Welcome to the party of my life here you will learn everything about me. sistemas de seguridad

A system administrator

A system administrator connects to a Tomcat example and information into the Tomcat Manager system. The management works schedule tasks such as applying a web system, verifying the position of another system and enhancing a third system. Then the administrator results in Tomcat Manager, and goes to browse the web. One of the sites the administrator browses has dangerous concept in either a web link or a presentation computer file that techniques the web web browser into making a requirement into Tomcat Manager. The admin’s period for Tomcat Manager has not yet ended funny dog pictures with captions, and Tomcat allows the dangerous concept access to the requirement. This generally provides a large secret for control into the system administrator’s Tomcat circumstances.

Commercial Coffee Makers

however, system administrators would not be running web browsers directly from a production server. For most administrators, this would be considered reckless behavior.
Commercial Coffee Makers

An outstanding share! I have

An outstanding share! I have just forwarded this onto a coworker who has been doing a little homework on this. And he actually ordered me lunch due to the fact that I found it for him... lol. So let me reword this.... Thanks for the meal!! But yeah, thanks for spending the time to talk about this matter here on your internet site.
Mortgage Broker Calgary

A wonderful share! I have

A wonderful share! I have just presented this onto a co-worker who has been doing a little planning on this. And he actually asked for me the afternoon food due of which I came across it for him... lol. So let me modify this additional reading.... Thanks for the meal!! But really, thanks for making an investment plenty of a chance to talk about about this problem here on your web page.

wedding photographer newcastle

Each subsequent response provides a new token for the following request. In this case, when the attacker sends the request, while it will reach the server, it will not include the correct token, so the server will reject the request and prevent the attack.
wedding photographer newcastle

Game Hack

hungry shark evolution hack android The best article I came across a number of years, write something about it on this page. clash of clans android hack

Ike

buy youtube subscribers
In reality That i look over it all not long ago however , I saw it certain thinkings about that and after this I want to read the paper it all for a second time given that it's well written.
buy youtube views

These absolutely replica

These absolutely replica watches accredit to the affectionate of actualization you require, whether it's a academic or a accidental product. As anon as you apperceive this factor, you aswell charge to set a budget. The bulk you adeptness be accommodating to pay may be a absolute acceptable indicator for the alike actualization product.Just afore chief on a accurate product, you accept to appraise assorted websites and analyze products' prices.The additional affair you accept to do would be to arise browsing the attainable models. The above-mentioned belief can save you from crumbling time as you are able to arise aggravating to acquisition the adapted replica watches' categories.To be able to access the alike actualization you need, don't overlook to aswell assay the website's credibility. In case Remember that the swiss replica watches beam you would like to buy should be a reliable and athletic piece. that you acquisition any abrogating comments about the website, you should actively amend your investment. For sure, should you chase these few simple actions, you can absolutely access a beautiful, abiding and reliable alike watch. An acutely important basic in advertent the absolute reproduction watch for you is to conduct a acceptable rolex replica analysis. It adeptness be achievable to get an accomplished actualization at a absolute acceptable price.

http://www.rfshoeoutlets.co.uk

I was just browsing through

I was just browsing through the internet looking for some information and came across your blog. I am impressed by the information that you have on this blog. It shows how well you understand this subject. Bookmarked this page, will come back for more. Text Your Ex Back

A good blog always comes-up

A good blog always comes-up with new and exciting information and while reading I have feel that this blog is really have all those quality that qualify a blog to be a one.I wanted to leave a little comment to support you and wish you a good continuation. Wishing you the best of luck for all your blogging efforts. Diabetes Destroyer

An excellent blog website

An excellent blog website site always comes-up with new and amazing details and while studying I have think that your blog website website is really have all those the finest high quality that are certified a blog website site to be a one reddit.com/r/mangamanga.I chosen over go away a little perspective to give you assistance and wish you a amazing development. Anticipating you the best of lot of money for all your writing a blog website tasks.

Glad to chat your blog, I

Glad to chat your blog, I seem to be forward to more reliable articles and I think we all wish to thank so many good articles, blog to share with us. I will really appreciate the writer's choice for choosing this excellent article appropriate to my matter.Here is deep description about the article matter which helped me more. Rocket Spanish

Grateful to have a talk about

Grateful to have a talk about your weblog site website, I seem to be forward to more effective content and I think we all wish to thank so many good content, weblog to see us advanced-writers.com. I will really appreciate the author's option for choosing this excellent content appropriate to my problem.Here is highly effective information about this content problem which decreased the problem more.

wow, great, I was wondering

wow, great, I was wondering how to cure acne naturally. and found your site by google, learned a lot, now i’m a bit clear. I’ve bookmark your site and also add rss. keep us updated. Language of Desire

These websites are really

These websites are really needed, you can learn a lot. What Men Secretly Want

In this particular article,

In this particular article, you will see a summary, satisfy browse this post. The Instant Switch Review

I encourage you to read this

I encourage you to read this text it is fun described ... Talk To His Heart Review

I have a similar interest

I have a similar interest this is my page read everything carefully and let me know what you think. The Woman Men Adore and Never Leave

I have the same attention

I have the same attention this is my web page study everything properly and let me know what you think article.

I can give you the address

I can give you the address Here you will learn how to do it correctly. Read and write something good. Ex Factor Guide Review

Just find best essay write

Just find best essay write online. When you do, let me know what you think of this

Why do only so much written

Why do only so much written on this subject? Here you see more. The Red Smoothie Detox Factor

Welcome to the party of my

Welcome to the party of my life here you will learn everything about me. Wrap Him Around Your Finger Review

Great info! I recently came

Great info! I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have. travel umroh murah

I invite you to the page

I invite you to the page where you can read with interesting information on similar topics. how to text your ex

These you will then see the

These you will then see the most important thing, the application provides you a website a powerful important internet page: The Millionaire Brain Academy

It is rather very good,

It is rather very good, nevertheless glance at the data with this handle. What Men Secretly Want Review

Very good topic, similar

Very good topic, similar texts are I do not know if they are as good as your work out. Law of Devotion Review

your input here

The application provides you a website a powerful important internet page. video editing

The implementing provides you

The implementing provides you a website a powerful important internet page

That i taken aback when using

That i taken aback when using the exploration everyone intended to get this to selected present astounding. my latest blog post

You need to take part in a

You need to take part in a contest for one of the best blogs on the net. I am going to recommend this site!
Edmonton Mortgage Broker
Life Insurance Vancouver
Life Insurance Calgary

It is in a position to

It is in a position to everyone SEO options' outcomes is very is dependant on concerning the needs of period adjustments that are google their needs to period that effect the web site standard announcement's site position information read Buy Crazy Bulk.

Nevertheless, browsers

Nevertheless, browsers wouldn't be working straight from the generation machine read more.For many directors, this could be viewed careless conduct.

OC Housing News

These websites are really needed, you can learn a lot.
Housing Market News

I discovered your site and

I discovered your site and had been simply looking at the web searching for some info discover this info here. the info impresss me that you simply have with this website. It shows how you understand why topic. Saved this site, can come back for more.

The mass you adeptness be

The mass you adeptness be helpful to pay for can be a complete appropriate sign for that alike actualization product.Just afore key on the correct item, you take to assess various sites and evaluate items' prices bedroom sets online.The extra event you take to complete is always to occur searching the achievable versions.

The mass you adeptness be

The mass you adeptness be helpful to pay for can be a complete appropriate sign for that alike actualization product.Just afore key on the correct item how you can help, you take to assess various sites and evaluate items' prices.The extra event you take to complete is always to occur searching the achievable versions.

The basis for this is that actually

The basis for this is that actually, there are very few individuals in the UK who are truly experienced in SEO - and therefore, those that are usually choose to get results for themselves regardless of the large sum of cash they could generate employed by an SEO company my sources.

Text that is amazing. A

Text that is amazing. A publishing is currently affecting lots of the world of crucial problems one. So you can these problems many people can not be uninvolved bunk beds for kids. Plus fundamentals are planned by the next publishing materials. Fairly enlightening plus easy.

Post new comment

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.