We ran a security scan on one of our projects. A few CSRF issues were detected. One of the recommendations was to "Apply CSRF_NONCE values in Pages".
The application has the following pages: /dashboard, /groups, /activities, /tasks, /data
Images are placed under /images, CSS files are placed under /styles, and JavaScript files are placed under /js.
Note:
- There is no /login in this app. The server detects whether the session is valid and active, then the request gets forwarded to further resources like a JSP page. Please note that this is request forwarding and not request redirection. To access the login page, one has to hit /dashboard.
- /dashboard and all other inner pages have references to assets like images, js files and css files.
We have implemented the following changes to enable the nonce in our webapp. web.xml:
<filter>
    <filter-name>CSRFPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/dashboard</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
login.jsp, which is shown when /dashboard is accessed from a browser: the following line ensures that a hidden input field submits the nonce back to the server whenever any form performs a POST request. In this case, it is the login form.
<INPUT type="hidden" name="CSRF_NONCE" value="<%=response.encodeURL("HandleLoginSubmit")%>">
With respect to CsrfPreventionFilter, it is necessary that we encode URLs too. So the form submits to an action which is now encoded with the server-generated nonce.
<form method="post" name="loginform" action="<%=response.encodeURL("HandleLoginSubmit")%>">
group_display.jsp is displayed when the user accesses the /groups page. The form submits to an action which is encoded with the server-generated nonce. It also has the hidden input field which is responsible for posting the nonce back to the server.
<form method="post" action="<%=response.encodeURL("BW_Neighborhoods")%>">
<input type="hidden" name="CSRF_NONCE" value="<%=response.encodeURL("BW_Neighborhoods")%>">
With /dashboard as the entry point, I have no issues viewing the login.jsp page. If I try to replicate the same fixes for the other two pages, I get a 403 Forbidden error. The images in pages like activity_display.jsp, group_display.jsp and login.jsp are not getting displayed. I also tried putting the images path in the entry point.
I'm wondering what is causing the issues here. I seem to have done things right. I also tried increasing the nonce cache size to 10, but no luck. Looking forward to some serious help, as this issue has been pending for a long time.
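As an added example (not code from the original post), here is how group_display.jsp can be written so that it works while CsrfPreventionFilter is mapped to /*: every URL the page emits, including the stylesheet, script and image references, passes through response.encodeURL so the nonce travels with it, and the form relies on the encoded action URL instead of a hand-built hidden field. The asset file names and the form field are assumptions.

```jsp
<%-- Added example: group_display.jsp rewritten for Tomcat's CsrfPreventionFilter.
     With the filter mapped to /*, every request that is not an entryPoint must carry
     the parameter org.apache.catalina.filters.CSRF_NONCE, otherwise the filter answers
     403. A plain <img src="/images/logo.png"> never carries it, which is why images
     vanish. The filter wraps the response so that response.encodeURL() appends
     ?org.apache.catalina.filters.CSRF_NONCE=<nonce> to any URL; route every asset and
     link through it. Each filtered asset request also mints a fresh nonce and can evict
     the page's nonce from the session cache (nonceCacheSize, default 5), so the later
     form POST fails with 403 as well. Asset names below are assumptions. --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<% String ctx = request.getContextPath(); %>
<html>
<head>
  <link rel="stylesheet" href="<%= response.encodeURL(ctx + "/styles/main.css") %>">
  <script src="<%= response.encodeURL(ctx + "/js/groups.js") %>"></script>
</head>
<body>
  <img src="<%= response.encodeURL(ctx + "/images/logo.png") %>" alt="logo">

  <%-- Navigation between filtered pages needs the nonce as well. --%>
  <a href="<%= response.encodeURL(ctx + "/activities") %>">Activities</a>

  <%-- The encoded action already carries the nonce in its query string, and the
       filter reads it with getParameter(), which covers POST requests too, so no
       separate hidden field is needed. A hidden field named CSRF_NONCE that holds an
       encoded URL is simply ignored by the filter. --%>
  <form method="post" action="<%= response.encodeURL("BW_Neighborhoods") %>">
    <input type="text" name="groupName">
    <input type="submit" value="Save">
  </form>
</body>
</html>
```

Alternatively, map the filter to the page URLs (/dashboard, /groups, /activities, /tasks, /data and the form-handling servlets) instead of /*, so requests for /images, /styles and /js never reach it and cannot consume nonce cache slots.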