├── .gitattributes ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── dependabot.yml └── workflows │ ├── ci.yaml │ ├── dependency_check.yaml │ └── snyk.yaml ├── .gitignore ├── 404.html ├── Gemfile ├── LICENSE ├── _config.yml ├── assets └── images │ ├── README.md │ ├── csrfguard.png │ ├── csrfguard_in_action.png │ ├── mature_projects.png │ ├── owasp_breakers_small.png │ ├── owasp_builders_small.png │ ├── owasp_tool_project.png │ ├── what_is_csrf_attacks_1.png │ ├── what_is_csrf_attacks_2.png │ ├── what_is_csrf_attacks_3.png │ ├── what_is_csrf_attacks_4.png │ ├── what_is_csrf_attacks_5.png │ ├── what_is_csrf_attacks_6.png │ └── what_is_csrf_attacks_7.png ├── csrfguard-extensions ├── csrfguard-extension-session │ ├── pom.xml │ └── src │ │ └── main │ │ └── java │ │ └── org │ │ └── owasp │ │ └── csrfguard │ │ ├── CsrfGuardHttpSessionListener.java │ │ ├── action │ │ └── SessionAttribute.java │ │ └── session │ │ ├── ContainerSession.java │ │ └── SessionTokenKeyExtractor.java ├── csrfguard-jsp-tags │ ├── pom.xml │ └── src │ │ └── main │ │ ├── java │ │ └── org │ │ │ └── owasp │ │ │ └── csrfguard │ │ │ └── tag │ │ │ ├── ATag.java │ │ │ ├── AbstractTag.java │ │ │ ├── AbstractUriTag.java │ │ │ ├── FormTag.java │ │ │ ├── TokenNameTag.java │ │ │ ├── TokenTag.java │ │ │ └── TokenValueTag.java │ │ └── resources │ │ └── META-INF │ │ └── csrfguard.tld └── pom.xml ├── csrfguard-test ├── csrfguard-test-jsp │ ├── pom.xml │ └── src │ │ └── main │ │ ├── java │ │ └── org │ │ │ └── owasp │ │ │ └── csrfguard │ │ │ └── test │ │ │ ├── CORSFilter.java │ │ │ └── CounterServlet.java │ │ ├── resources │ │ └── logback.xml │ │ └── webapp │ │ ├── WEB-INF │ │ ├── classes │ │ │ ├── Owasp.CsrfGuard.overlay.properties │ │ │ └── Owasp.CsrfGuard.properties │ │ └── web.xml │ │ ├── ajax.html │ │ ├── attack1.html │ │ ├── attack2.html │ │ ├── counter.html │ │ ├── error.html │ │ ├── favicon.ico │ │ ├── forward.jsp │ │ ├── index.html │ │ ├── javascript.html │ │ ├── legacySyncAjaxTest.html │ │ ├── owasp_logo.png │ │ ├── protect.html │ │ ├── redirect.jsp │ │ ├── regextest │ │ ├── protected.html │ │ ├── protected.txt │ │ ├── resources │ │ │ ├── protected.html │ │ │ ├── protected.txt │ │ │ └── unprotected.html │ │ └── unprotected.html │ │ ├── session.jsp │ │ ├── tag.jsp │ │ ├── upload.html │ │ └── wildcardtest │ │ ├── test.html │ │ └── test.txt └── pom.xml ├── csrfguard ├── .gitignore ├── pom.xml └── src │ ├── main │ ├── java │ │ └── org │ │ │ └── owasp │ │ │ └── csrfguard │ │ │ ├── CsrfGuard.java │ │ │ ├── CsrfGuardException.java │ │ │ ├── CsrfGuardFilter.java │ │ │ ├── CsrfGuardServletContextListener.java │ │ │ ├── CsrfValidator.java │ │ │ ├── ProtectionResult.java │ │ │ ├── action │ │ │ ├── AbstractAction.java │ │ │ ├── Empty.java │ │ │ ├── Error.java │ │ │ ├── Forward.java │ │ │ ├── IAction.java │ │ │ ├── Invalidate.java │ │ │ ├── Log.java │ │ │ ├── Redirect.java │ │ │ ├── RequestAttribute.java │ │ │ └── Rotate.java │ │ │ ├── config │ │ │ ├── ConfigurationProvider.java │ │ │ ├── ConfigurationProviderFactory.java │ │ │ ├── NullConfigurationProvider.java │ │ │ ├── NullConfigurationProviderFactory.java │ │ │ ├── PropertiesConfigurationProvider.java │ │ │ ├── PropertiesConfigurationProviderFactory.java │ │ │ ├── overlay │ │ │ │ ├── ConfigPropertiesCascadeBase.java │ │ │ │ ├── ConfigPropertiesCascadeCommonUtils.java │ │ │ │ ├── ConfigPropertiesCascadeUtils.java │ │ │ │ ├── ConfigurationAutodetectProviderFactory.java │ │ │ │ ├── ConfigurationOverlayProvider.java │ │ │ │ ├── ConfigurationOverlayProviderFactory.java │ │ │ │ ├── ExpirableCache.java │ │ │ │ └── ExpirableValue.java │ │ │ └── properties │ │ │ │ ├── ConfigParameters.java │ │ │ │ ├── HttpMethod.java │ │ │ │ ├── PropertyUtils.java │ │ │ │ ├── SimpleBooleanConfigParameter.java │ │ │ │ ├── SimpleConfigParameter.java │ │ │ │ ├── SimpleDurationParameter.java │ │ │ │ ├── SimpleIntConfigParameter.java │ │ │ │ └── javascript │ │ │ │ ├── BooleanJsConfigParameter.java │ │ │ │ ├── JavaScriptConfigParameters.java │ │ │ │ ├── JsConfigParameter.java │ │ │ │ └── StringJsConfigParameter.java │ │ │ ├── exception │ │ │ └── CSRFGuardTokenException.java │ │ │ ├── http │ │ │ └── InterceptRedirectResponse.java │ │ │ ├── servlet │ │ │ └── JavaScriptServlet.java │ │ │ ├── session │ │ │ └── LogicalSession.java │ │ │ ├── token │ │ │ ├── TokenUtils.java │ │ │ ├── businessobject │ │ │ │ └── TokenBO.java │ │ │ ├── mapper │ │ │ │ └── TokenMapper.java │ │ │ ├── service │ │ │ │ └── TokenService.java │ │ │ ├── storage │ │ │ │ ├── LogicalSessionExtractor.java │ │ │ │ ├── Token.java │ │ │ │ ├── TokenHolder.java │ │ │ │ └── impl │ │ │ │ │ ├── InMemoryToken.java │ │ │ │ │ ├── InMemoryTokenHolder.java │ │ │ │ │ └── PageTokenValue.java │ │ │ └── transferobject │ │ │ │ └── TokenTO.java │ │ │ └── util │ │ │ ├── BrowserEncoder.java │ │ │ ├── ConvertUtil.java │ │ │ ├── CsrfGuardPropertiesToStringBuilder.java │ │ │ ├── CsrfGuardUtils.java │ │ │ ├── MessageConstants.java │ │ │ ├── RandomGenerator.java │ │ │ └── RegexValidationUtil.java │ └── resources │ │ ├── .babelrc │ │ ├── .gitignore │ │ ├── csrfguard.js │ │ ├── csrfguard.min.js │ │ ├── csrfguard.properties │ │ ├── license.txt │ │ ├── package-lock.json │ │ ├── package.json │ │ └── webpack.config.js │ └── test │ └── java │ └── org │ └── owasp │ └── csrfguard │ ├── CsrfValidatorTest.java │ ├── MandatoryProperties.java │ ├── config │ ├── PropertiesConfigurationProviderTest.java │ └── dummy │ │ ├── DummyAction.java │ │ └── DummyLogicalSessionExtractor.java │ ├── token │ └── transferobject │ │ └── TokenTOTest.java │ └── util │ └── RandomGeneratorTest.java ├── index.md ├── info.md ├── leaders.md ├── pom.xml ├── readme.md ├── tab_features.md ├── tab_screenshots.md └── tab_supporters.md /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | *.sln merge=union 7 | *.csproj merge=union 8 | *.vbproj merge=union 9 | *.fsproj merge=union 10 | *.dbproj merge=union 11 | 12 | # Standard to msysgit 13 | *.doc diff=astextplain 14 | *.DOC diff=astextplain 15 | *.docx diff=astextplain 16 | *.DOCX diff=astextplain 17 | *.dot diff=astextplain 18 | *.DOT diff=astextplain 19 | *.pdf diff=astextplain 20 | *.PDF diff=astextplain 21 | *.rtf diff=astextplain 22 | *.RTF diff=astextplain 23 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Desktop (please complete the following information):** 27 | - OS: [e.g. iOS] 28 | - Browser [e.g. chrome, safari] 29 | - Version [e.g. 22] 30 | 31 | **Smartphone (please complete the following information):** 32 | - Device: [e.g. iPhone6] 33 | - OS: [e.g. iOS8.1] 34 | - Browser [e.g. stock browser, safari] 35 | - Version [e.g. 22] 36 | 37 | **Additional context** 38 | Add any other context about the problem here. 39 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | 3 | updates: 4 | - package-ecosystem: maven 5 | directory: / 6 | schedule: 7 | interval: daily -------------------------------------------------------------------------------- /.github/workflows/ci.yaml: -------------------------------------------------------------------------------- 1 | name: Java CI 2 | 3 | on: 4 | push: 5 | pull_request: 6 | workflow_dispatch: 7 | 8 | jobs: 9 | build: 10 | runs-on: ubuntu-latest 11 | 12 | steps: 13 | - uses: actions/checkout@v4 14 | 15 | - name: Build with Maven 16 | run: mvn --batch-mode --update-snapshots verify 17 | 18 | - name: 'Upload Artifact' 19 | if: github.event_name == 'workflow_dispatch' 20 | uses: actions/upload-artifact@v4 21 | with: 22 | name: csrfguard-latest-test-application 23 | path: | 24 | csrfguard-test/csrfguard-test-jsp/csrfguard-test-jsp-*SNAPSHOT.war 25 | csrfguard-test/csrfguard-test-jsp/csrfguard-test-jsp-*SNAPSHOT-executable.jar 26 | retention-days: 3 -------------------------------------------------------------------------------- /.github/workflows/dependency_check.yaml: -------------------------------------------------------------------------------- 1 | name: OWASP Dependency Check 2 | 3 | on: 4 | push: 5 | workflow_dispatch: 6 | schedule: 7 | - cron: '0 10 * * 1' 8 | 9 | jobs: 10 | owasp-dependency-check: 11 | runs-on: ubuntu-latest 12 | 13 | steps: 14 | - uses: actions/checkout@v4 15 | 16 | - name: OWASP Dependency Check 17 | run: mvn clean --batch-mode --update-snapshots verify -Pdependency-check 18 | 19 | - name: Upload Test results 20 | uses: actions/upload-artifact@v4 21 | with: 22 | name: OWASP Dependency Check report 23 | path: target -------------------------------------------------------------------------------- /.github/workflows/snyk.yaml: -------------------------------------------------------------------------------- 1 | name: Snyk Dependency Analysis 2 | on: 3 | workflow_dispatch: 4 | schedule: 5 | - cron: '0 10 * * 1' 6 | 7 | jobs: 8 | snyk-dependency-analysis: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v4 12 | 13 | - name: Run Snyk to check for vulnerabilities 14 | uses: snyk/actions/maven@master 15 | continue-on-error: true 16 | env: 17 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 18 | with: 19 | command: test --package-manager=maven --file=pom.xml --severity-threshold=medium --maven-aggregate-project --sarif-file-output=snyk.sarif 20 | 21 | - name: Upload result to GitHub Code Scanning 22 | uses: github/codeql-action/upload-sarif@v3 23 | with: 24 | sarif_file: snyk.sarif -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Directory-based project format: 2 | .idea/ 3 | !.idea/copyright 4 | !.idea/dataSources.xml 5 | 6 | ## File-based project format: 7 | *.ipr 8 | *.iws 9 | *.iml 10 | 11 | # Output directories 12 | target/ 13 | /build/ 14 | /dist/ 15 | bin/ 16 | *.class 17 | 18 | # Eclipse metadata 19 | .metadata 20 | .project 21 | .recommenders 22 | .settings 23 | .classpath 24 | .loadpath 25 | 26 | # NetBeans specific 27 | nbproject/private/ 28 | build/ 29 | nbbuild/ 30 | dist/ 31 | nbdist/ 32 | nbactions.xml 33 | nb-configuration.xml 34 | 35 | # SonarGraph metadata 36 | *.sonargraph 37 | 38 | # Overlays 39 | *overlays/ 40 | 41 | # MacOS files 42 | .DS_Store 43 | .DS_Store? 44 | ._* 45 | .Spotlight-V100 46 | .Trashes 47 | ehthumbs.db 48 | Thumbs.db 49 | _site/ 50 | -------------------------------------------------------------------------------- /404.html: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | title: 404 - Not Found 4 | layout: col-generic 5 | 6 | --- 7 | 8 |
9 |

10 |

WHOA THAT PAGE CANNOT BE FOUND

11 |

Try the SEARCH function in the main navigation to find something. If you are looking for chapter information, please see Chapters for the correct chapter. For information about OWASP projects see Projects. For common attacks, vulnerabilities, or information about other community-led contributions see Contributed Content.

12 | 13 |
14 |

If all else fails you can search our historical site.

15 |
16 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | group :jekyll_plugins do 3 | gem "github-pages" 4 | end 5 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2011, Eric Sheridan 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | 3. Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /_config.yml: -------------------------------------------------------------------------------- 1 | remote_theme: "owasp/www--site-theme@main" 2 | plugins: 3 | - jekyll-include-cache-0.2.0 4 | -------------------------------------------------------------------------------- /assets/images/README.md: -------------------------------------------------------------------------------- 1 | # placeholder 2 | 3 | Put images you wish to link to in this folder 4 | 5 | link would be in form /assets/images/ 6 | -------------------------------------------------------------------------------- /assets/images/csrfguard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/csrfguard.png -------------------------------------------------------------------------------- /assets/images/csrfguard_in_action.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/csrfguard_in_action.png -------------------------------------------------------------------------------- /assets/images/mature_projects.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/mature_projects.png -------------------------------------------------------------------------------- /assets/images/owasp_breakers_small.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/owasp_breakers_small.png -------------------------------------------------------------------------------- /assets/images/owasp_builders_small.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/owasp_builders_small.png -------------------------------------------------------------------------------- /assets/images/owasp_tool_project.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/owasp_tool_project.png -------------------------------------------------------------------------------- /assets/images/what_is_csrf_attacks_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/what_is_csrf_attacks_1.png -------------------------------------------------------------------------------- /assets/images/what_is_csrf_attacks_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/what_is_csrf_attacks_2.png -------------------------------------------------------------------------------- /assets/images/what_is_csrf_attacks_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/what_is_csrf_attacks_3.png -------------------------------------------------------------------------------- /assets/images/what_is_csrf_attacks_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/what_is_csrf_attacks_4.png -------------------------------------------------------------------------------- /assets/images/what_is_csrf_attacks_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/what_is_csrf_attacks_5.png -------------------------------------------------------------------------------- /assets/images/what_is_csrf_attacks_6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/what_is_csrf_attacks_6.png -------------------------------------------------------------------------------- /assets/images/what_is_csrf_attacks_7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/assets/images/what_is_csrf_attacks_7.png -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-extension-session/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 30 | 31 | 32 | 4.0.0 33 | 34 | 35 | org.owasp 36 | csrfguard-extensions 37 | 4.5.1-SNAPSHOT 38 | 39 | 40 | csrfguard-extension-session 41 | 42 | OWASP CSRFGuard Session extension 43 | Provides support for stateful, HTTP session based integrator applications 44 | 45 | 46 | 47 | ${project.groupId} 48 | csrfguard 49 | 50 | 51 | 52 | javax.servlet 53 | servlet-api 54 | 55 | 56 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/CsrfGuardHttpSessionListener.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard; 31 | 32 | import org.owasp.csrfguard.session.ContainerSession; 33 | import org.owasp.csrfguard.session.LogicalSession; 34 | 35 | import javax.servlet.http.HttpSession; 36 | import javax.servlet.http.HttpSessionEvent; 37 | import javax.servlet.http.HttpSessionListener; 38 | 39 | public class CsrfGuardHttpSessionListener implements HttpSessionListener { 40 | 41 | @Override 42 | public void sessionCreated(final HttpSessionEvent event) { 43 | final HttpSession session = event.getSession(); 44 | final LogicalSession logicalSession = new ContainerSession(session); 45 | CsrfGuard.getInstance().onSessionCreated(logicalSession); 46 | } 47 | 48 | @Override 49 | public void sessionDestroyed(final HttpSessionEvent event) { 50 | final HttpSession session = event.getSession(); 51 | final LogicalSession logicalSession = new ContainerSession(session); 52 | CsrfGuard.getInstance().onSessionDestroyed(logicalSession); 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/action/SessionAttribute.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.action; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.CsrfGuardException; 34 | import org.owasp.csrfguard.config.properties.ConfigParameters; 35 | import org.owasp.csrfguard.session.LogicalSession; 36 | 37 | import javax.servlet.http.HttpServletRequest; 38 | import javax.servlet.http.HttpServletResponse; 39 | import java.util.Objects; 40 | 41 | /** 42 | * Saves the thrown CsrfGuardException object after a token validation to the session, bound to the attribute name extracted from the properties file. 43 | */ 44 | public final class SessionAttribute extends AbstractAction { 45 | 46 | private static final long serialVersionUID = 1367492926060283228L; 47 | 48 | @Override 49 | public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfGuardException, final CsrfGuard csrfGuard) { 50 | final String attributeName = getParameter(ConfigParameters.ACTION_ATTRIBUTE_NAME); 51 | 52 | final LogicalSession logicalSession = CsrfGuard.getInstance().getLogicalSessionExtractor().extract(request); 53 | 54 | if (Objects.nonNull(logicalSession)) { 55 | logicalSession.setAttribute(attributeName, csrfGuardException); 56 | } 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/session/ContainerSession.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.session; 30 | 31 | import javax.servlet.http.HttpSession; 32 | import java.util.Objects; 33 | 34 | public class ContainerSession implements LogicalSession { 35 | 36 | private final HttpSession httpSession; 37 | private boolean areTokensGenerated; 38 | 39 | public ContainerSession(final HttpSession httpSession) { 40 | this.httpSession = httpSession; 41 | } 42 | 43 | @Override 44 | public String getKey() { 45 | return this.httpSession.getId(); 46 | } 47 | 48 | @Override 49 | public boolean isNew() { 50 | return Objects.nonNull(this.httpSession) && this.httpSession.isNew(); 51 | } 52 | 53 | @Override 54 | public void invalidate() { 55 | if (Objects.nonNull(this.httpSession)) { 56 | this.httpSession.invalidate(); 57 | } 58 | } 59 | 60 | @Override 61 | public boolean areTokensGenerated() { 62 | return this.areTokensGenerated; 63 | } 64 | 65 | @Override 66 | public void setTokensGenerated(final boolean areTokensGenerated) { 67 | this.areTokensGenerated = areTokensGenerated; 68 | } 69 | 70 | @Override 71 | public void setAttribute(final String name, final Object value) { 72 | this.httpSession.setAttribute(name, value); 73 | } 74 | 75 | @Override 76 | public Object getAttribute(final String attributeName) { 77 | return this.httpSession.getAttribute(attributeName); 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-extension-session/src/main/java/org/owasp/csrfguard/session/SessionTokenKeyExtractor.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.session; 30 | 31 | import org.owasp.csrfguard.token.storage.LogicalSessionExtractor; 32 | 33 | import javax.servlet.http.HttpServletRequest; 34 | import javax.servlet.http.HttpSession; 35 | import java.util.Objects; 36 | 37 | public class SessionTokenKeyExtractor implements LogicalSessionExtractor { 38 | 39 | /** 40 | * @param httpServletRequest the current HTTP servlet request 41 | * @return a wrapped container session implementation if a session exists, null otherwise 42 | */ 43 | @Override 44 | public LogicalSession extract(final HttpServletRequest httpServletRequest) { 45 | return extractOrCreate(httpServletRequest, false); 46 | } 47 | 48 | @Override 49 | public LogicalSession extractOrCreate(final HttpServletRequest httpServletRequest) { 50 | return extractOrCreate(httpServletRequest, true); 51 | } 52 | 53 | private LogicalSession extractOrCreate(final HttpServletRequest httpServletRequest, final boolean create) { 54 | final HttpSession session = httpServletRequest.getSession(create); 55 | 56 | return Objects.isNull(session) ? null : new ContainerSession(session); 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-jsp-tags/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 30 | 31 | 32 | 4.0.0 33 | 34 | 35 | org.owasp 36 | csrfguard-extensions 37 | 4.5.1-SNAPSHOT 38 | 39 | 40 | csrfguard-jsp-tags 41 | 42 | OWASP CSRFGuard JSP Tags extension 43 | JSP Tag support 44 | 45 | 46 | 47 | 48 | src/main/resources 49 | 50 | **/*.tld 51 | 52 | true 53 | 54 | 55 | 56 | 57 | 58 | 59 | ${project.groupId} 60 | csrfguard 61 | 62 | 63 | 64 | javax.servlet 65 | servlet-api 66 | 67 | 68 | javax.servlet.jsp 69 | jsp-api 70 | 71 | 72 | javax.servlet.jsp.jstl 73 | jstl-api 74 | 75 | 76 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/ATag.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.tag; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.session.LogicalSession; 34 | import org.owasp.csrfguard.util.BrowserEncoder; 35 | 36 | import javax.servlet.http.HttpServletRequest; 37 | import javax.servlet.jsp.tagext.DynamicAttributes; 38 | import java.io.IOException; 39 | import java.util.HashMap; 40 | import java.util.Map; 41 | import java.util.Objects; 42 | 43 | public final class ATag extends AbstractUriTag implements DynamicAttributes { 44 | 45 | private final static long serialVersionUID = 0x00202937; 46 | 47 | private final Map attributes = new HashMap<>(); 48 | 49 | @Override 50 | public int doStartTag() { 51 | final CsrfGuard csrfGuard = CsrfGuard.getInstance(); 52 | final String tokenName = csrfGuard.getTokenName(); 53 | 54 | final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract((HttpServletRequest) this.pageContext.getRequest()); 55 | final String tokenValue = Objects.nonNull(logicalSession) ? csrfGuard.getTokenService().getTokenValue(logicalSession.getKey(), buildUri(this.attributes.get("href"))) : null; 56 | 57 | try { 58 | this.pageContext.getOut().write(buildStartHtml(tokenName, tokenValue)); 59 | } catch (final IOException e) { 60 | this.pageContext.getServletContext().log(e.getLocalizedMessage(), e); 61 | } 62 | 63 | return EVAL_BODY_INCLUDE; 64 | } 65 | 66 | @Override 67 | public int doEndTag() { 68 | try { 69 | this.pageContext.getOut().write(""); 70 | } catch (final IOException e) { 71 | this.pageContext.getServletContext().log(e.getLocalizedMessage(), e); 72 | } 73 | 74 | return EVAL_PAGE; 75 | } 76 | 77 | @Override 78 | public void setDynamicAttribute(final String arg0, final String arg1, final Object arg2) { 79 | this.attributes.put(arg1.toLowerCase(), String.valueOf(arg2)); 80 | } 81 | 82 | private String buildStartHtml(final String tokenName, final String tokenValue) { 83 | final StringBuilder sb = new StringBuilder(); 84 | 85 | sb.append("'); 112 | 113 | return sb.toString(); 114 | } 115 | } 116 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/AbstractTag.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.tag; 31 | 32 | import org.owasp.csrfguard.CsrfValidator; 33 | import org.owasp.csrfguard.ProtectionResult; 34 | 35 | import javax.servlet.jsp.tagext.TagSupport; 36 | 37 | public abstract class AbstractTag extends TagSupport { 38 | 39 | private final static long serialVersionUID = 0xadede854; 40 | 41 | public String buildUri(final String uri) { 42 | return calculateExtendedPageDescriptorUri(normalizeUri(uri)); 43 | } 44 | 45 | /** 46 | * @param normalizedUri the current normalizedUri 47 | * @return if the protected/un-protected page descriptors were defined using wildcards or regexes, this method 48 | * will return the extended page descriptor definition of the normalizedUri, otherwise returns itself 49 | */ 50 | private String calculateExtendedPageDescriptorUri(final String normalizedUri) { 51 | final ProtectionResult protectionResult = new CsrfValidator().isProtectedPage(normalizedUri); 52 | 53 | return protectionResult.isProtected() ? protectionResult.getResourceIdentifier() 54 | : normalizedUri; 55 | } 56 | 57 | private String normalizeUri(final String uri) { 58 | return uri.startsWith("/") ? uri 59 | : this.pageContext.getServletContext().getContextPath() + '/' + uri; 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/AbstractUriTag.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.tag; 31 | 32 | public abstract class AbstractUriTag extends AbstractTag { 33 | 34 | private final static long serialVersionUID = 0xabe784d9; 35 | 36 | private String uri = null; 37 | 38 | public String getUri() { 39 | return this.uri; 40 | } 41 | 42 | public void setUri(final String uri) { 43 | this.uri = buildUri(uri); 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/FormTag.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.tag; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.session.LogicalSession; 34 | import org.owasp.csrfguard.util.BrowserEncoder; 35 | 36 | import javax.servlet.http.HttpServletRequest; 37 | import javax.servlet.jsp.JspException; 38 | import javax.servlet.jsp.tagext.DynamicAttributes; 39 | import java.io.IOException; 40 | import java.util.HashMap; 41 | import java.util.Map; 42 | import java.util.Objects; 43 | 44 | public final class FormTag extends AbstractUriTag implements DynamicAttributes { 45 | 46 | private final static long serialVersionUID = 0xbefee742; 47 | 48 | private final Map attributes = new HashMap<>(); 49 | 50 | @Override 51 | public int doStartTag() { 52 | final CsrfGuard csrfGuard = CsrfGuard.getInstance(); 53 | final String tokenName = csrfGuard.getTokenName(); 54 | 55 | final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract((HttpServletRequest) this.pageContext.getRequest()); 56 | final String tokenValue = Objects.nonNull(logicalSession) ? csrfGuard.getTokenService().getTokenValue(logicalSession.getKey(), buildUri(this.attributes.get("action"))) : null; 57 | 58 | try { 59 | this.pageContext.getOut().write(buildStartHtml(tokenName, tokenValue)); 60 | } catch (final IOException e) { 61 | this.pageContext.getServletContext().log(e.getLocalizedMessage(), e); 62 | } 63 | 64 | return EVAL_BODY_INCLUDE; 65 | } 66 | 67 | @Override 68 | public int doEndTag() { 69 | try { 70 | this.pageContext.getOut().write(""); 71 | } catch (final IOException e) { 72 | this.pageContext.getServletContext().log(e.getLocalizedMessage(), e); 73 | } 74 | 75 | return EVAL_PAGE; 76 | } 77 | 78 | @Override 79 | public void setDynamicAttribute(final String arg0, final String arg1, final Object arg2) throws JspException { 80 | this.attributes.put(arg1.toLowerCase(), String.valueOf(arg2)); 81 | } 82 | 83 | private String buildStartHtml(final String tokenName, final String tokenValue) { 84 | final StringBuilder sb = new StringBuilder(); 85 | 86 | sb.append("
'); 101 | sb.append(""); 107 | 108 | return sb.toString(); 109 | } 110 | } 111 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/TokenNameTag.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.tag; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | 34 | import javax.servlet.jsp.tagext.TagSupport; 35 | import java.io.IOException; 36 | 37 | public final class TokenNameTag extends TagSupport { 38 | 39 | private final static long serialVersionUID = 0x54345451; 40 | 41 | @Override 42 | public int doStartTag() { 43 | final CsrfGuard csrfGuard = CsrfGuard.getInstance(); 44 | 45 | if (csrfGuard.isEnabled()) { 46 | try { 47 | final String tokenName = csrfGuard.getTokenName(); 48 | this.pageContext.getOut().write(tokenName); 49 | } catch (final IOException e) { 50 | this.pageContext.getServletContext().log(e.getLocalizedMessage(), e); 51 | } 52 | } 53 | return SKIP_BODY; 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/TokenTag.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.tag; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.session.LogicalSession; 34 | 35 | import javax.servlet.http.HttpServletRequest; 36 | import java.io.IOException; 37 | import java.util.Objects; 38 | 39 | public final class TokenTag extends AbstractUriTag { 40 | 41 | private final static long serialVersionUID = 0x12164baa; 42 | 43 | @Override 44 | public int doStartTag() { 45 | final CsrfGuard csrfGuard = CsrfGuard.getInstance(); 46 | 47 | if (csrfGuard.isEnabled()) { 48 | if (csrfGuard.isTokenPerPageEnabled() && Objects.isNull(getUri())) { 49 | throw new IllegalStateException("Must define 'uri' attribute when token per page is enabled"); 50 | } 51 | 52 | final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract((HttpServletRequest) this.pageContext.getRequest()); 53 | final String tokenValue = Objects.nonNull(logicalSession) ? csrfGuard.getTokenService().getTokenValue(logicalSession.getKey(), getUri()) : null; 54 | final String tokenName = csrfGuard.getTokenName(); 55 | 56 | try { 57 | this.pageContext.getOut().write(tokenName + '=' + tokenValue); 58 | } catch (final IOException e) { 59 | this.pageContext.getServletContext().log(e.getLocalizedMessage(), e); 60 | } 61 | } 62 | 63 | return SKIP_BODY; 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-jsp-tags/src/main/java/org/owasp/csrfguard/tag/TokenValueTag.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.tag; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.session.LogicalSession; 34 | 35 | import javax.servlet.http.HttpServletRequest; 36 | import java.io.IOException; 37 | import java.util.Objects; 38 | 39 | public final class TokenValueTag extends AbstractUriTag { 40 | 41 | private final static long serialVersionUID = 0xaaca46d3; 42 | 43 | @Override 44 | public int doStartTag() { 45 | final CsrfGuard csrfGuard = CsrfGuard.getInstance(); 46 | 47 | if (csrfGuard.isEnabled()) { 48 | if (csrfGuard.isTokenPerPageEnabled() && Objects.isNull(getUri())) { 49 | throw new IllegalStateException("Must define 'uri' attribute when token per page is enabled"); 50 | } 51 | 52 | final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract((HttpServletRequest) this.pageContext.getRequest()); 53 | final String tokenValue = Objects.nonNull(logicalSession) ? csrfGuard.getTokenService().getTokenValue(logicalSession.getKey(), getUri()) : null; 54 | 55 | try { 56 | this.pageContext.getOut().write(tokenValue); 57 | } catch (final IOException e) { 58 | this.pageContext.getServletContext().log(e.getLocalizedMessage(), e); 59 | } 60 | } 61 | 62 | return SKIP_BODY; 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /csrfguard-extensions/csrfguard-jsp-tags/src/main/resources/META-INF/csrfguard.tld: -------------------------------------------------------------------------------- 1 | 2 | 30 | 31 | ${jstl.version} 32 | ${jsp-api.version} 33 | Owasp CsrfGuard Tag Library 34 | https://owasp.org/www-project-csrfguard/Owasp.CsrfGuard.tld 35 | 36 | token 37 | org.owasp.csrfguard.tag.TokenTag 38 | empty 39 | 40 | uri 41 | false 42 | true 43 | 44 | 45 | 46 | tokenname 47 | org.owasp.csrfguard.tag.TokenNameTag 48 | empty 49 | 50 | 51 | tokenvalue 52 | org.owasp.csrfguard.tag.TokenValueTag 53 | empty 54 | 55 | uri 56 | false 57 | true 58 | 59 | 60 | 61 | a 62 | org.owasp.csrfguard.tag.ATag 63 | true 64 | 65 | 66 | form 67 | org.owasp.csrfguard.tag.FormTag 68 | true 69 | 70 | 71 | -------------------------------------------------------------------------------- /csrfguard-extensions/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 30 | 31 | 32 | 4.0.0 33 | 34 | 35 | org.owasp 36 | csrfguard-parent 37 | 4.5.1-SNAPSHOT 38 | 39 | 40 | csrfguard-extensions 41 | pom 42 | 43 | OWASP CSRFGuard Extensions Parent POM 44 | Extension modules that might be required, depending on whether the architecture of the integrator application is stateful or stateless. 45 | 46 | 47 | csrfguard-extension-session 48 | csrfguard-jsp-tags 49 | 50 | 51 | 52 | 53 | 54 | ${project.groupId} 55 | csrfguard 56 | ${project.version} 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | org.apache.maven.plugins 65 | maven-source-plugin 66 | 67 | 68 | org.apache.maven.plugins 69 | maven-javadoc-plugin 70 | 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/java/org/owasp/csrfguard/test/CORSFilter.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.test; 30 | 31 | import org.owasp.csrfguard.CsrfGuard; 32 | 33 | import javax.servlet.*; 34 | import javax.servlet.http.HttpServletResponse; 35 | import java.io.IOException; 36 | 37 | /** 38 | * Enables Cross-Origin Resource Sharing 39 | * Only for testing purposes. 40 | * Disabled by default through the web.xml 41 | */ 42 | public class CORSFilter implements Filter { 43 | 44 | @Override 45 | public void init(FilterConfig filterConfig) {} 46 | 47 | @Override 48 | public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { 49 | { 50 | HttpServletResponse httpResponse = (HttpServletResponse) servletResponse; 51 | httpResponse.addHeader("Access-Control-Allow-Origin", "*"); 52 | 53 | // httpResponse.addHeader("Access-Control-Allow-Headers", "*"); 54 | httpResponse.addHeader("Access-Control-Allow-Headers", String.join(",", CsrfGuard.getInstance().getTokenName(), 55 | "X-Requested-With")); 56 | } 57 | 58 | { // Access-Control-Allow-Credentials cannot be set to true if the Access-Control-Allow-Origin is "*" 59 | // httpResponse.addHeader("Access-Control-Allow-Origin", "http://attacker.local:8080"); // sudo echo "127.0.0.1 attacker.local" >> /etc/hosts 60 | // httpResponse.addHeader("Access-Control-Allow-Credentials", Boolean.toString(true)); 61 | } 62 | 63 | filterChain.doFilter(servletRequest, servletResponse); 64 | } 65 | 66 | @Override 67 | public void destroy() {} 68 | } 69 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/resources/logback.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %m%n 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | %d{HH:mm:ss.SSS} %level [%thread] OWASP-CSRFGUARD - %replace(%m){'\r?\n','CRLF'}%n 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | OWASP CSRFGuard Test 8 | 9 | 10 | index.html 11 | index.htm 12 | index.jsp 13 | default.html 14 | default.htm 15 | default.jsp 16 | 17 | 18 | 19 | org.owasp.csrfguard.CsrfGuardServletContextListener 20 | 21 | 22 | org.owasp.csrfguard.CsrfGuardHttpSessionListener 23 | 24 | 25 | 26 | CSRFGuard 27 | org.owasp.csrfguard.CsrfGuardFilter 28 | 29 | 30 | 31 | CSRFGuard 32 | /* 33 | 34 | 35 | 36 | JavaScriptServlet 37 | org.owasp.csrfguard.servlet.JavaScriptServlet 38 | 39 | inject-into-attributes 40 | true 41 | 42 | 43 | 44 | 45 | JavaScriptServlet 46 | /JavaScriptServlet 47 | 48 | 49 | 50 | CounterServlet 51 | CounterServlet 52 | org.owasp.csrfguard.test.CounterServlet 53 | 54 | 55 | 56 | CounterServlet 57 | /counter 58 | 59 | 60 | 68 | 69 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/ajax.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Ajax Header Verification 7 | 52 | 53 | 54 |

Test Link(s)

55 | 69 |
70 |

Test Form(s)

71 | 72 | 73 | 74 |
75 |

Dom Test

76 |
77 | 78 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/attack1.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 10 | 25 |
26 | 27 |
28 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/attack2.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 24 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/counter.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Counter test 7 | 38 | 39 | 40 |

Get or increment the counter:

41 |

If the counter can be externally incremented, it signals that there is a vulnerability in the solution.

42 | 43 | 44 |
45 | 46 | 47 |
48 |

49 |
50 | 51 | 52 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/error.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CSRF Attack Detected 6 | 7 | 8 | CSRF Attack Detected - Home 9 | 10 | 11 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/csrfguard-test/csrfguard-test-jsp/src/main/webapp/favicon.ico -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/forward.jsp: -------------------------------------------------------------------------------- 1 | <%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1" %> 2 | 3 | 4 | 5 | 6 | Forward Test 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CSRFGuard Test Application 6 | 7 | 8 | Welcome to the OWASP CSRFGuard Test Application! Where would you like to go? 9 |
10 | Tests: 11 | 21 |
22 | 23 | Attempt CSRF attacks against the /counter endpoint:
24 |

Mimic hosting the exploits on a different domain:

25 | 30 |
31 | 32 | Utilities: 33 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/javascript.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | JavaScript Token Injection 7 | 21 | 22 | 23 |

Test Link(s)

24 | 36 |
37 | 38 |

Test Form(s)

39 |
40 | 41 | 42 |
43 |

44 | 45 |

"Evil" Form(s)

46 |

Tokens should not be injected into links referencing different domains if the domainStrict property is set to true.

47 |
48 | 49 | 50 |
51 |

52 | 53 | 54 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/legacySyncAjaxTest.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Page for testing legacy synchronous AJAX requests 6 | 7 | 8 | 9 |

Important note:

10 |

11 | The current approach of the OWASP CSRFGuard relies on JavaScript logic for injecting CSRF tokens into HTML elements or XHR requests. 12 | Forcing synchronous loading of the AJAX requests has been disabled, since they were 13 | deprecated 14 | due to their negative impact on the user experience. For this reason, protecting resources that would load 15 | before or in parallel with the JavaScript logic (e.g. references IFrames or IMG tags) is not possible. 16 | In most cases this should not be a problem, because usually GET requests should not facilitate state-changing operations. 17 | If this last condition cannot be fulfilled (e.g. for legacy applications), backwards compatibility can be achieved by enabling the 18 | "forceSynchronousAjax" property within the configurations, until there is browser support for it. 19 |

20 |

IFrame

21 |

Aims to test token injection for referenced protected pages that are loaded before user interaction.

22 | 23 |

24 | 25 |

Image Tag

26 |

Aims to test token injection for referenced protected pages that are loaded before user interaction.

27 | OWASP logo 28 | 29 | 30 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/owasp_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/csrfguard-test/csrfguard-test-jsp/src/main/webapp/owasp_logo.png -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/protect.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Protect 6 | 7 | 8 | This is a resource that should be protected from CSRF attacks. 9 | 10 | 11 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/redirect.jsp: -------------------------------------------------------------------------------- 1 | <%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1" %> 2 | 3 | 4 | 5 | 6 | Redirect Test 7 | 8 | 9 | <% 10 | response.sendRedirect("protect.html"); 11 | %> 12 | 13 | 14 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/protected.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | This page is meant to test protected page setup with regular expressions. 6 | 7 | 8 | This page is meant to test protected page setup with regular expressions. 9 | 10 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/protected.txt: -------------------------------------------------------------------------------- 1 | Everything under /regextest/ that starts with protected should be protected unless it's .txt 2 | 3 | see: isProtectEnabled() 4 | 5 | protected: 6 | ^/regextest/protected\..*$ 7 | ^/regextest/.*/protected\.html$ 8 | 9 | unprotected: 10 | ^/regextest/.*\.txt$ 11 | ^/regextest/.*/.*\.txt$ 12 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/resources/protected.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | This page is meant to test protected page setup with regular expressions. 6 | 7 | 8 | This page is meant to test protected page setup with regular expressions. 9 | 10 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/resources/protected.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-csrfguard/cb951a1ae5c162e0f62d046348906e995b793775/csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/resources/protected.txt -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/resources/unprotected.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | This page is meant to test un-protected page setup with regular expressions. 6 | 7 | 8 | This page is meant to test un-protected page setup with regular expressions. 9 | 10 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/regextest/unprotected.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | This page is meant to test un-protected page setup with regular expressions. 6 | 7 | 8 | This page is meant to test un-protected page setup with regular expressions. 9 | 10 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/session.jsp: -------------------------------------------------------------------------------- 1 | <%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1" %> 2 | 3 | 4 | 5 | 6 | Session Utilities 7 | 8 | 9 | <% 10 | final String action = request.getParameter("action"); 11 | 12 | if ("invalidate".equals(action)) { 13 | session.invalidate(); 14 | request.getSession(true); 15 | %>Session Invalidated!<% 16 | } 17 | %> 18 | 19 | 20 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/tag.jsp: -------------------------------------------------------------------------------- 1 | <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> 2 | <%@ taglib uri="https://owasp.org/www-project-csrfguard/Owasp.CsrfGuard.tld" prefix="csrf" %> 3 | 4 | 5 | 6 | 7 | JSP Tag Token Injection 8 | 9 | 10 |

Test Link(s)

11 | 17 |
    18 |
  • protect.html
    • 19 |
  • /protect.html
    • 20 |
21 |
22 |

Test Form(s)

23 | Used token rotation is not supported with JSPs. 24 |
25 | 26 | 27 | "/> 28 |
29 | 30 | 31 | 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/upload.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | File Upload Example 6 | 7 | 8 |
9 |
10 | 11 |
12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/wildcardtest/test.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | This page is meant to test protected page setup using wildcards. 6 | 7 | 8 | This page is meant to test protected page setup using wildcards. 9 | 10 | -------------------------------------------------------------------------------- /csrfguard-test/csrfguard-test-jsp/src/main/webapp/wildcardtest/test.txt: -------------------------------------------------------------------------------- 1 | everything under /regextest/ that starts with protected should be protected unless it's .txt 2 | 3 | see: isProtectEnabled() 4 | 5 | protected: 6 | ^/regextest/protected\..*$ 7 | ^/regextest/.*/protected\.html$ 8 | 9 | unprotected: 10 | ^/regextest/.*\.txt$ 11 | ^/regextest/.*/.*\.txt$ 12 | -------------------------------------------------------------------------------- /csrfguard-test/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 30 | 31 | 32 | 4.0.0 33 | 34 | 35 | org.owasp 36 | csrfguard-parent 37 | 4.5.1-SNAPSHOT 38 | 39 | 40 | csrfguard-test 41 | OWASP CSRFGuard Test Parent POM 42 | pom 43 | 44 | 45 | csrfguard-test-jsp 46 | 47 | 48 | 49 | 50 | 51 | ${project.groupId} 52 | csrfguard 53 | ${project.version} 54 | 55 | 56 | 57 | ${project.groupId} 58 | csrfguard-extension-session 59 | ${project.version} 60 | 61 | 62 | 63 | 64 | -------------------------------------------------------------------------------- /csrfguard/.gitignore: -------------------------------------------------------------------------------- 1 | /bin 2 | /target/ 3 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard; 31 | 32 | public class CsrfGuardException extends Exception { 33 | 34 | private static final long serialVersionUID = -4468336915273168914L; 35 | 36 | public CsrfGuardException(final String msg) { 37 | super(msg); 38 | } 39 | 40 | public CsrfGuardException(final Exception e) { 41 | super(e); 42 | } 43 | 44 | public CsrfGuardException(final String msg, final Exception e) { 45 | super(msg, e); 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/ProtectionResult.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard; 30 | 31 | public class ProtectionResult { 32 | 33 | private final boolean isProtected; 34 | private final String resourceIdentifier; 35 | 36 | public ProtectionResult(final boolean isProtected, final String resourceIdentifier) { 37 | this.isProtected = isProtected; 38 | this.resourceIdentifier = resourceIdentifier; 39 | } 40 | 41 | public boolean isProtected() { 42 | return this.isProtected; 43 | } 44 | 45 | public String getResourceIdentifier() { 46 | return this.resourceIdentifier; 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/action/AbstractAction.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.action; 31 | 32 | import java.util.HashMap; 33 | import java.util.Map; 34 | 35 | public abstract class AbstractAction implements IAction { 36 | 37 | private static final long serialVersionUID = -1654117674049587348L; 38 | 39 | private String name = null; 40 | 41 | private final Map parameters = new HashMap<>(); 42 | 43 | @Override 44 | public void setName(final String name) { 45 | this.name = name; 46 | } 47 | 48 | @Override 49 | public String getName() { 50 | return this.name; 51 | } 52 | 53 | @Override 54 | public void setParameter(final String name, final String value) { 55 | this.parameters.put(name, value); 56 | } 57 | 58 | @Override 59 | public String getParameter(final String parameterName) { 60 | final String value = this.parameters.get(parameterName); 61 | 62 | if (value == null) { 63 | throw new RuntimeException(String.format("unable to locate expected parameter %s", parameterName)); 64 | } 65 | 66 | return value; 67 | } 68 | 69 | @Override 70 | public Map getParameterMap() { 71 | return this.parameters; 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/action/Empty.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.action; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.CsrfGuardException; 34 | 35 | import javax.servlet.http.HttpServletRequest; 36 | import javax.servlet.http.HttpServletResponse; 37 | 38 | /** 39 | * TODO document or why it is needed or remove this Action 40 | */ 41 | public final class Empty extends AbstractAction { 42 | 43 | private static final long serialVersionUID = 3530383602177340966L; 44 | 45 | @Override 46 | public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfGuardException, final CsrfGuard csrfGuard) throws CsrfGuardException { 47 | // nothing to do 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/action/Error.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.action; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.CsrfGuardException; 34 | 35 | import javax.servlet.http.HttpServletRequest; 36 | import javax.servlet.http.HttpServletResponse; 37 | import java.io.IOException; 38 | 39 | public final class Error extends AbstractAction { 40 | 41 | private static final long serialVersionUID = 5479074081984904252L; 42 | 43 | @Override 44 | public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfGuardException, final CsrfGuard csrfGuard) throws CsrfGuardException { 45 | try { 46 | final int code = Integer.parseInt(getParameter("Code")); 47 | final String message = getParameter("Message"); 48 | 49 | response.sendError(code, message); 50 | } catch (final NumberFormatException | IOException e) { 51 | throw new CsrfGuardException(e); 52 | } 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/action/Forward.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.action; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.CsrfGuardException; 34 | 35 | import javax.servlet.ServletException; 36 | import javax.servlet.http.HttpServletRequest; 37 | import javax.servlet.http.HttpServletResponse; 38 | import java.io.IOException; 39 | 40 | public final class Forward extends AbstractAction { 41 | 42 | private static final long serialVersionUID = -3727752206497452347L; 43 | 44 | @Override 45 | public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfGuardException, final CsrfGuard csrfGuard) throws CsrfGuardException { 46 | final String errorPage = getParameter("Page"); 47 | 48 | try { 49 | request.getRequestDispatcher(errorPage).forward(request, response); 50 | } catch (final IOException | ServletException e) { 51 | throw new CsrfGuardException(e); 52 | } 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/action/IAction.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.action; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.CsrfGuardException; 34 | 35 | import javax.servlet.http.HttpServletRequest; 36 | import javax.servlet.http.HttpServletResponse; 37 | import java.io.Serializable; 38 | import java.util.Map; 39 | 40 | /** 41 | * Interface enabling interaction with Actions, that are invoked in case of a potential CSRF attack 42 | */ 43 | public interface IAction extends Serializable { 44 | 45 | /** 46 | * Sets the name of the action 47 | * 48 | * @param name the name of the action 49 | */ 50 | void setName(String name); 51 | 52 | /** 53 | * @return the name of the action 54 | */ 55 | String getName(); 56 | 57 | /** 58 | * Sets a parameter with a custom name and value 59 | * 60 | * @param name the name of the parameter 61 | * @param value the value of the parameter 62 | */ 63 | void setParameter(String name, String value); 64 | 65 | /** 66 | * @param name the name of the parameter 67 | * @return the configured parameter based on its name 68 | */ 69 | String getParameter(String name); 70 | 71 | /** 72 | * @return the whole parameter map 73 | */ 74 | Map getParameterMap(); 75 | 76 | /** 77 | * Executes this action. 78 | * @param request the HTTP request that triggered a potential CSRF attack 79 | * @param response the HTTP response object associated with the potentially malicious HTTP request 80 | * @param csrfGuardException the CSRF Guard exception object 81 | * @param csrfGuard the main CSRF Guard object, with access to inner workings of the solution 82 | * 83 | * @throws CsrfGuardException the exception type thrown in case of a potential CSRF attack 84 | */ 85 | void execute(HttpServletRequest request, HttpServletResponse response, CsrfGuardException csrfGuardException, CsrfGuard csrfGuard) throws CsrfGuardException; 86 | } 87 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/action/Invalidate.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.action; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.CsrfGuardException; 34 | import org.owasp.csrfguard.session.LogicalSession; 35 | 36 | import javax.servlet.http.HttpServletRequest; 37 | import javax.servlet.http.HttpServletResponse; 38 | import java.util.Objects; 39 | 40 | public final class Invalidate extends AbstractAction { 41 | 42 | private static final long serialVersionUID = -3060679616261531773L; 43 | 44 | @Override 45 | public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfGuardException, final CsrfGuard csrfGuard) throws CsrfGuardException { 46 | 47 | final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract(request); 48 | 49 | if (Objects.nonNull(logicalSession)) { 50 | csrfGuard.getTokenService().invalidate(logicalSession); 51 | } 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/action/Redirect.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.action; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.CsrfGuardException; 34 | 35 | import javax.servlet.http.HttpServletRequest; 36 | import javax.servlet.http.HttpServletResponse; 37 | import java.io.IOException; 38 | 39 | public final class Redirect extends AbstractAction { 40 | 41 | private static final long serialVersionUID = -2265693822259717332L; 42 | 43 | @Override 44 | public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfGuardException, final CsrfGuard csrfGuard) throws CsrfGuardException { 45 | final String errorPage = getParameter("Page"); 46 | 47 | try { 48 | response.sendRedirect(errorPage); 49 | } catch (final IOException ioe) { 50 | throw new CsrfGuardException(ioe); 51 | } 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/action/RequestAttribute.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.action; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.CsrfGuardException; 34 | 35 | import javax.servlet.http.HttpServletRequest; 36 | import javax.servlet.http.HttpServletResponse; 37 | 38 | public final class RequestAttribute extends AbstractAction { 39 | 40 | private static final long serialVersionUID = 6714855990116387348L; 41 | 42 | @Override 43 | public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfGuardException, final CsrfGuard csrfGuard) throws CsrfGuardException { 44 | final String attributeName = getParameter("AttributeName"); 45 | 46 | request.setAttribute(attributeName, csrfGuardException); 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/action/Rotate.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.action; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.CsrfGuardException; 34 | import org.owasp.csrfguard.session.LogicalSession; 35 | import org.owasp.csrfguard.token.storage.LogicalSessionExtractor; 36 | 37 | import javax.servlet.http.HttpServletRequest; 38 | import javax.servlet.http.HttpServletResponse; 39 | import java.util.Objects; 40 | 41 | public class Rotate extends AbstractAction { 42 | 43 | private static final long serialVersionUID = -3164557586544451406L; 44 | 45 | @Override 46 | public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfGuardException, final CsrfGuard csrfGuard) throws CsrfGuardException { 47 | final LogicalSessionExtractor logicalSessionExtractor = csrfGuard.getLogicalSessionExtractor(); 48 | final LogicalSession logicalSession = logicalSessionExtractor.extract(request); 49 | 50 | if (Objects.nonNull(logicalSession)) { 51 | csrfGuard.getTokenService().rotateAllTokens(logicalSession.getKey()); 52 | } 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/ConfigurationProviderFactory.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | /* 31 | * @author mchyzer 32 | * $Id$ 33 | */ 34 | package org.owasp.csrfguard.config; 35 | 36 | import java.util.Properties; 37 | 38 | /** 39 | * implement this interface to provide the configuration 40 | */ 41 | public interface ConfigurationProviderFactory { 42 | 43 | /** 44 | * Called when retrieving the configuration 45 | * 46 | * @param properties describing the configuration 47 | * @return the configuration 48 | */ 49 | ConfigurationProvider retrieveConfiguration(Properties properties); 50 | } 51 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/NullConfigurationProviderFactory.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.config; 31 | 32 | import java.util.Properties; 33 | 34 | /** 35 | * TODO document 36 | */ 37 | public class NullConfigurationProviderFactory implements ConfigurationProviderFactory { 38 | 39 | public NullConfigurationProviderFactory() {} 40 | 41 | /** 42 | * cache this it doesn't change 43 | */ 44 | private static ConfigurationProvider configurationProvider = null; 45 | 46 | @Override 47 | public ConfigurationProvider retrieveConfiguration(final Properties properties) { 48 | if (configurationProvider == null) { 49 | configurationProvider = new NullConfigurationProvider(); 50 | } 51 | return configurationProvider; 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/PropertiesConfigurationProviderFactory.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.config; 31 | 32 | import java.util.Properties; 33 | 34 | /** 35 | * TODO document 36 | */ 37 | public class PropertiesConfigurationProviderFactory implements ConfigurationProviderFactory { 38 | 39 | /** 40 | * TODO document 41 | */ 42 | public PropertiesConfigurationProviderFactory() {} 43 | 44 | /** 45 | * cache this since it doesn't change 46 | */ 47 | private static ConfigurationProvider configurationProvider = null; 48 | 49 | @Override 50 | public ConfigurationProvider retrieveConfiguration(final Properties properties) { 51 | if (configurationProvider == null) { 52 | try { 53 | configurationProvider = new PropertiesConfigurationProvider(properties); 54 | } catch (final Exception e) { 55 | throw new RuntimeException(e); 56 | } 57 | } 58 | return configurationProvider; 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeUtils.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.config.overlay; 31 | 32 | import java.util.Map; 33 | 34 | /** 35 | * utility methods specific to grouper client 36 | */ 37 | public class ConfigPropertiesCascadeUtils extends ConfigPropertiesCascadeCommonUtils { 38 | 39 | /** 40 | * substitute an EL for objects. Don't worry if something returns null 41 | * @param stringToParse The string to parse 42 | * @param variableMap replacement mappings 43 | * @return the string The modified strings, with replacements 44 | */ 45 | public static String substituteExpressionLanguage(String stringToParse, Map variableMap) { 46 | return substituteExpressionLanguage(stringToParse, variableMap, true, true, true, false); 47 | } 48 | 49 | /** 50 | * substitute an EL for objects 51 | * @param stringToParse the String containing EL 52 | * @param variableMap replacement mappings 53 | * @param allowStaticClasses if true allow static classes not registered with context 54 | * @param silent if silent mode, swallow exceptions (warn), and dont warn when variable not found 55 | * @param lenient false if undefined variables should throw an exception. if lenient is true (default) 56 | * then undefined variables are null 57 | * @param logOnNull if null output of substitution should be logged 58 | * @return the string 59 | */ 60 | public static String substituteExpressionLanguage(String stringToParse, 61 | Map variableMap, boolean allowStaticClasses, boolean silent, boolean lenient, boolean logOnNull) { 62 | 63 | //we don't have jexl so don't do this logic 64 | return stringToParse; 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigurationOverlayProviderFactory.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | /* 31 | * @author mchyzer 32 | * $Id$ 33 | */ 34 | package org.owasp.csrfguard.config.overlay; 35 | 36 | import org.owasp.csrfguard.config.ConfigurationProvider; 37 | import org.owasp.csrfguard.config.ConfigurationProviderFactory; 38 | import org.owasp.csrfguard.config.PropertiesConfigurationProvider; 39 | 40 | import java.util.Properties; 41 | 42 | /** 43 | * TODO document 44 | */ 45 | public class ConfigurationOverlayProviderFactory implements ConfigurationProviderFactory { 46 | 47 | /** 48 | * TODO document 49 | */ 50 | public ConfigurationOverlayProviderFactory() {} 51 | 52 | /** 53 | * @see org.owasp.csrfguard.config.ConfigurationProviderFactory#retrieveConfiguration(java.util.Properties) 54 | */ 55 | public ConfigurationProvider retrieveConfiguration(final Properties originalProperties) { 56 | final ConfigurationOverlayProvider configurationOverlayProvider = ConfigurationOverlayProvider.retrieveConfig(); 57 | final Properties properties = configurationOverlayProvider.properties(); 58 | 59 | return new PropertiesConfigurationProvider(properties); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ExpirableValue.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.config.overlay; 31 | 32 | import java.io.Serializable; 33 | 34 | 35 | /** 36 | * This holds the actual value of the map, and the time it was inserted, and 37 | * the time that it should last in the cache 38 | * @version $Id: ExpirableValue.java,v 1.1 2008-11-27 14:25:50 mchyzer Exp $ 39 | * @author mchyzer 40 | * @param is the type of the underlying content 41 | */ 42 | public class ExpirableValue implements Serializable { 43 | 44 | /** this is the time it was placed in the cache */ 45 | private long timePlacedInCache = System.currentTimeMillis(); 46 | 47 | /** the time to live is by default 1 day */ 48 | private long timeToLiveInCacheMillis = ExpirableCache.MAX_TIME_TO_LIVE_MILLIS; 49 | 50 | /** underlying content */ 51 | private T content = null; 52 | 53 | /** 54 | * Makes an expirable value with max 1 day time to live 55 | * @param theContent content to store 56 | * @param theTimeToLiveInCacheMillis number of millis the items should stay in cache. 57 | * this cannot be longer than 1 day 58 | */ 59 | ExpirableValue(T theContent, long theTimeToLiveInCacheMillis) { 60 | super(); 61 | // can't be longer then the max 62 | if (theTimeToLiveInCacheMillis > 0 && 63 | theTimeToLiveInCacheMillis <= ExpirableCache.MAX_TIME_TO_LIVE_MILLIS) { 64 | this.timeToLiveInCacheMillis = theTimeToLiveInCacheMillis; 65 | } 66 | this.content = theContent; 67 | } 68 | 69 | /** 70 | * don't call this on expired content! check first. get the content 71 | * @return Returns the content. 72 | */ 73 | T getContent() { 74 | if (this.expiredLongTime()) { 75 | throw new RuntimeException("This content is expired!"); 76 | } 77 | return this.content; 78 | } 79 | 80 | 81 | /** 82 | * see if the content is expired 83 | * @return true if expired 84 | */ 85 | boolean expired() { 86 | return System.currentTimeMillis() - this.timePlacedInCache > this.timeToLiveInCacheMillis; 87 | } 88 | 89 | /** 90 | * see if the content is expired 3 seconds ago, to eliminate race conditions 91 | * @return true if expired 92 | */ 93 | boolean expiredLongTime() { 94 | return (System.currentTimeMillis() - 3000) - this.timePlacedInCache > this.timeToLiveInCacheMillis; 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/properties/HttpMethod.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.config.properties; 30 | 31 | import java.util.Arrays; 32 | import java.util.Collection; 33 | 34 | public enum HttpMethod { 35 | 36 | GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT, PATCH; 37 | 38 | public static void validate(final Collection httpMethods) { 39 | httpMethods.forEach(HttpMethod::validate); 40 | } 41 | 42 | public static void validate(final String input) { 43 | Arrays.stream(values()) 44 | .filter(value -> input.equalsIgnoreCase(value.toString())) 45 | .findAny() 46 | .orElseThrow(() -> new IllegalArgumentException(String.format("The provided input '%s' is not a valid HTTP method!", input))); 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleBooleanConfigParameter.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.config.properties; 31 | 32 | public class SimpleBooleanConfigParameter implements SimpleConfigParameter { 33 | 34 | private final String propertyName; 35 | private final boolean propertyValue; 36 | 37 | public SimpleBooleanConfigParameter(final String propertyName, final boolean propertyValue) { 38 | this.propertyName = propertyName; 39 | this.propertyValue = propertyValue; 40 | } 41 | 42 | @Override 43 | public String getName() { 44 | return this.propertyName; 45 | } 46 | 47 | @Override 48 | public Boolean getDefaultValue() { 49 | return this.propertyValue; 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleConfigParameter.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.config.properties; 30 | 31 | /** 32 | * Interface describing a simple configuration parameter 33 | * @param The type of the configuration parameter 34 | */ 35 | public interface SimpleConfigParameter { 36 | 37 | /** 38 | * @return the name of the configuration parameter 39 | */ 40 | String getName(); 41 | 42 | /** 43 | * @return the default value associated to the configuration parameter 44 | */ 45 | T getDefaultValue(); 46 | } 47 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleDurationParameter.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.config.properties; 30 | 31 | import java.time.Duration; 32 | 33 | public class SimpleDurationParameter implements SimpleConfigParameter { 34 | 35 | private final String name; 36 | private final Duration defaultDuration; 37 | 38 | public SimpleDurationParameter(final String name, final Duration defaultDuration) { 39 | this.name = name; 40 | this.defaultDuration = defaultDuration; 41 | } 42 | 43 | @Override 44 | public String getName() { 45 | return this.name; 46 | } 47 | 48 | @Override 49 | public Duration getDefaultValue() { 50 | return this.defaultDuration; 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/properties/SimpleIntConfigParameter.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.config.properties; 31 | 32 | public class SimpleIntConfigParameter implements SimpleConfigParameter { 33 | 34 | private final String propertyName; 35 | private final int propertyValue; 36 | 37 | public SimpleIntConfigParameter(final String propertyName, final int propertyValue) { 38 | this.propertyName = propertyName; 39 | this.propertyValue = propertyValue; 40 | } 41 | 42 | @Override 43 | public String getName() { 44 | return this.propertyName; 45 | } 46 | 47 | @Override 48 | public Integer getDefaultValue() { 49 | return this.propertyValue; 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/BooleanJsConfigParameter.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.config.properties.javascript; 31 | 32 | import org.owasp.csrfguard.config.properties.PropertyUtils; 33 | 34 | import javax.servlet.ServletConfig; 35 | import java.util.Properties; 36 | 37 | public class BooleanJsConfigParameter extends JsConfigParameter { 38 | 39 | private final String propertyName; 40 | private final String propertyKey; 41 | private final boolean defaultValue; 42 | 43 | public BooleanJsConfigParameter(final String propertyName, final String propertyKey, final boolean defaultValue) { 44 | this.propertyName = propertyName; 45 | this.propertyKey = propertyKey; 46 | this.defaultValue = defaultValue; 47 | } 48 | 49 | @Override 50 | public Boolean getProperty(final ServletConfig servletConfig, final Properties propertyCache) { 51 | final String configParamValue = PropertyUtils.getProperty(propertyCache, this.propertyKey); 52 | return getInitParameter(servletConfig, this.propertyName, configParamValue, this.defaultValue); 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/JsConfigParameter.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.config.properties.javascript; 30 | 31 | import org.apache.commons.lang3.StringUtils; 32 | 33 | import javax.servlet.ServletConfig; 34 | import java.util.Properties; 35 | import java.util.function.Function; 36 | 37 | public abstract class JsConfigParameter { 38 | 39 | public abstract T getProperty(final ServletConfig servletConfig, final Properties propertyCache); 40 | 41 | public static String getInitParameter(final ServletConfig servletConfig, final String name, final String configFileDefaultParamValue, final String defaultValue) { 42 | return getInitParameter(servletConfig, name, configFileDefaultParamValue, defaultValue, Function.identity()); 43 | } 44 | 45 | public static boolean getInitParameter(final ServletConfig servletConfig, final String name, final String configFileDefaultParamValue, final boolean defaultValue) { 46 | return getInitParameter(servletConfig, name, configFileDefaultParamValue, defaultValue, Boolean::parseBoolean); 47 | } 48 | 49 | public static T getInitParameter(final ServletConfig servletConfig, final String name, final String configFileDefaultParamValue, final T defaultValue, final Function function) { 50 | final T result; 51 | 52 | final String initParameter = servletConfig.getInitParameter(name); 53 | 54 | if (StringUtils.isNotBlank(initParameter)) { 55 | result = function.apply(initParameter); 56 | } else if (StringUtils.isNotBlank(configFileDefaultParamValue)) { 57 | result = function.apply(configFileDefaultParamValue); 58 | } else { 59 | result = defaultValue; 60 | } 61 | 62 | return result; 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/StringJsConfigParameter.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.config.properties.javascript; 31 | 32 | import org.owasp.csrfguard.config.properties.PropertyUtils; 33 | 34 | import javax.servlet.ServletConfig; 35 | import java.util.Properties; 36 | 37 | public class StringJsConfigParameter extends JsConfigParameter { 38 | 39 | private final String propertyName; 40 | private final String propertyKey; 41 | private final String defaultValue; 42 | 43 | public StringJsConfigParameter(final String propertyName, final String propertyKey, final String defaultValue) { 44 | this.propertyName = propertyName; 45 | this.propertyKey = propertyKey; 46 | this.defaultValue = defaultValue; 47 | } 48 | 49 | @Override 50 | public String getProperty(final ServletConfig servletConfig, final Properties propertyCache) { 51 | final String configParamValue = PropertyUtils.getProperty(propertyCache, this.propertyKey); 52 | return getInitParameter(servletConfig, this.propertyName, configParamValue, this.defaultValue); 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/exception/CSRFGuardTokenException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.exception; 31 | 32 | /** 33 | * CSRFGuardTokenException - Runtime Exception handling all token related errors. 34 | * 35 | * @author - srijas 36 | * @since - 11/7/2019. 37 | */ 38 | public class CSRFGuardTokenException extends RuntimeException { 39 | 40 | public CSRFGuardTokenException(final String message) { 41 | super(message); 42 | } 43 | 44 | public CSRFGuardTokenException(final String message, final Throwable cause) { 45 | super(message, cause); 46 | } 47 | 48 | public CSRFGuardTokenException(final Throwable cause) { 49 | super(cause); 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/session/LogicalSession.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.session; 30 | 31 | import javax.servlet.http.HttpSession; 32 | 33 | /** 34 | * Represents a logical session that enables decoupling from the container's session implementation in case the client application uses a stateless approach (e.g. token based authentication) 35 | */ 36 | public interface LogicalSession { 37 | 38 | /** 39 | * Returns the logical session key 40 | * @return identifier that uniquely identifies the current actor 41 | */ 42 | String getKey(); 43 | 44 | /** 45 | * Returns true if the client does not yet know about the 46 | * session or if the client chooses not to join the session. 47 | * 48 | * @see javax.servlet.http.HttpSession#isNew() 49 | * 50 | * @return true if the server has created a session, but the client has not yet joined 51 | */ 52 | boolean isNew(); 53 | 54 | /** 55 | * Invalidates this session then unbinds any objects bound to it. 56 | */ 57 | void invalidate(); 58 | 59 | /** 60 | * @return whether the objects were generated or not. 61 | */ 62 | boolean areTokensGenerated(); 63 | 64 | /** 65 | * Set whether the objects were generated or not. 66 | * 67 | * @param areTokensGenerated set true if the tokens were generated, false otherwise 68 | */ 69 | void setTokensGenerated(boolean areTokensGenerated); 70 | 71 | /** 72 | * Saves an object to the current session 73 | * 74 | * @see HttpSession#setAttribute(java.lang.String, java.lang.Object) 75 | * 76 | * @param attribute the name to which the object is bound; cannot be null 77 | * @param value the object to be bound 78 | */ 79 | void setAttribute(final String attribute, final Object value); 80 | 81 | /** 82 | * Retrieves an object from the session using its name 83 | * 84 | * @see HttpSession#getAttribute(String) 85 | * 86 | * @param attributeName - identifies a certain object on the session 87 | * @return the object associated to the attribute name 88 | */ 89 | Object getAttribute(String attributeName); 90 | } 91 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/token/TokenUtils.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.token; 31 | 32 | import org.owasp.csrfguard.CsrfGuard; 33 | import org.owasp.csrfguard.exception.CSRFGuardTokenException; 34 | import org.owasp.csrfguard.util.MessageConstants; 35 | import org.owasp.csrfguard.util.RandomGenerator; 36 | 37 | public final class TokenUtils { 38 | 39 | private TokenUtils() {} 40 | 41 | /** 42 | * Create a random token based on the configuration. 43 | * 44 | * @return a random token 45 | */ 46 | public static String generateRandomToken() { 47 | try { 48 | final CsrfGuard csrfGuard = CsrfGuard.getInstance(); 49 | return RandomGenerator.generateRandomId(csrfGuard.getPrng(), csrfGuard.getTokenLength()); 50 | } catch (final Exception e) { 51 | final String errorLiteral = MessageConstants.RANDOM_TOKEN_FAILURE_MSG + " - " + "%s"; 52 | throw new CSRFGuardTokenException(String.format(errorLiteral, e.getLocalizedMessage()), e); 53 | } 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/token/mapper/TokenMapper.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.token.mapper; 30 | 31 | import org.owasp.csrfguard.token.businessobject.TokenBO; 32 | import org.owasp.csrfguard.token.transferobject.TokenTO; 33 | 34 | public final class TokenMapper { 35 | 36 | private TokenMapper() {} 37 | 38 | public static TokenTO toTransferObject(final TokenBO tokenBO) { 39 | return new TokenTO(tokenBO.getUpdatedMasterToken(), tokenBO.getUpdatedPageTokens()); 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/token/storage/LogicalSessionExtractor.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.token.storage; 30 | 31 | import org.owasp.csrfguard.session.LogicalSession; 32 | 33 | import javax.servlet.http.HttpServletRequest; 34 | 35 | public interface LogicalSessionExtractor { 36 | 37 | /** 38 | * Returns a logical session implementation based on the information extracted from the current HTTP request or null if that was not possible 39 | * 40 | * @param httpServletRequest current request 41 | * 42 | * @return a logical session created based on the current request or null if that was not possible 43 | */ 44 | LogicalSession extract(final HttpServletRequest httpServletRequest); 45 | 46 | /** 47 | * Returns a logical session implementation based on the information extracted from the current HTTP request or creates a new one 48 | * 49 | * @param httpServletRequest current request 50 | * @return logical session implementation based on the information extracted from the current HTTP request or creates a new one 51 | */ 52 | LogicalSession extractOrCreate(HttpServletRequest httpServletRequest); 53 | } 54 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/token/storage/impl/PageTokenValue.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.token.storage.impl; 30 | 31 | import java.time.LocalDateTime; 32 | 33 | public final class PageTokenValue { 34 | 35 | private final String pageTokenValue; 36 | private final LocalDateTime localDateTime; 37 | 38 | private PageTokenValue(final String pageTokenValue) { 39 | this(pageTokenValue, LocalDateTime.now()); 40 | } 41 | 42 | private PageTokenValue(final String pageTokenValue, final LocalDateTime localDateTime) { 43 | this.pageTokenValue = pageTokenValue; 44 | this.localDateTime = localDateTime; 45 | } 46 | 47 | public static PageTokenValue from(final String pageTokenValue) { 48 | return new PageTokenValue(pageTokenValue); 49 | } 50 | 51 | public static PageTokenValue from(final String pageTokenValue, final LocalDateTime localDateTime) { 52 | return new PageTokenValue(pageTokenValue, localDateTime); 53 | } 54 | 55 | public String getValue() { 56 | return this.pageTokenValue; 57 | } 58 | 59 | public LocalDateTime getCreationTime() { 60 | return this.localDateTime; 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/token/transferobject/TokenTO.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.token.transferobject; 30 | 31 | import com.google.gson.Gson; 32 | import org.apache.commons.lang3.StringUtils; 33 | 34 | import java.util.Collections; 35 | import java.util.Map; 36 | 37 | public class TokenTO { 38 | 39 | private final String masterToken; 40 | 41 | private final Map pageTokens; 42 | 43 | public TokenTO(final String masterToken) { 44 | this(masterToken, Collections.emptyMap()); 45 | } 46 | 47 | public TokenTO(final Map pageTokens) { 48 | this(null, pageTokens); 49 | } 50 | 51 | public TokenTO(final String masterToken, final Map pageTokens) { 52 | this.masterToken = masterToken; 53 | this.pageTokens = pageTokens; 54 | } 55 | 56 | public boolean isEmpty() { 57 | return StringUtils.isBlank(this.masterToken) && this.pageTokens.isEmpty(); 58 | } 59 | 60 | @Override 61 | public String toString() { 62 | return new Gson().toJson(this); 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/util/BrowserEncoder.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.util; 31 | 32 | public final class BrowserEncoder { 33 | 34 | private BrowserEncoder() { 35 | /* enforce use of static methods */ 36 | } 37 | 38 | @Override 39 | public Object clone() throws CloneNotSupportedException { 40 | throw new CloneNotSupportedException(); 41 | } 42 | 43 | public static String encodeForHtml(final String s) { 44 | final StringBuilder stringBuilder = new StringBuilder(); 45 | final int length = (s == null ? -1 : s.length()); 46 | 47 | for (int i = 0; i < length; i++) { 48 | final char c = s.charAt(i); 49 | 50 | switch (c) { 51 | case '&': 52 | stringBuilder.append("&"); 53 | break; 54 | case '<': 55 | stringBuilder.append("<"); 56 | break; 57 | case '>': 58 | stringBuilder.append(">"); 59 | break; 60 | case '"': 61 | stringBuilder.append("""); 62 | break; 63 | case '\'': 64 | stringBuilder.append("'"); 65 | break; 66 | case '/': 67 | stringBuilder.append("/"); 68 | break; 69 | default: 70 | stringBuilder.append(c); 71 | break; 72 | } 73 | } 74 | 75 | return stringBuilder.toString(); 76 | } 77 | 78 | public static String encodeForAttribute(final String s) { 79 | final StringBuilder sb = new StringBuilder(); 80 | final int len = (s == null ? -1 : s.length()); 81 | 82 | for (int i = 0; i < len; i++) { 83 | final char c = s.charAt(i); 84 | 85 | if (c < 256 && !Character.isLetterOrDigit((int) c)) { 86 | sb.append("&#"); 87 | sb.append((int) c); 88 | sb.append(';'); 89 | } else { 90 | sb.append(c); 91 | } 92 | } 93 | 94 | return sb.toString(); 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/util/ConvertUtil.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.util; 31 | 32 | import java.nio.charset.StandardCharsets; 33 | 34 | /** 35 | * @author Jerome Blanchard 36 | */ 37 | public class ConvertUtil { 38 | 39 | private static final byte[] HEX_ARRAY = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII); 40 | 41 | public static String bytesToHex(byte[] bytes) { 42 | byte[] hexChars = new byte[bytes.length * 2]; 43 | for (int j = 0; j < bytes.length; j++) { 44 | int v = bytes[j] & 0xFF; 45 | hexChars[j * 2] = HEX_ARRAY[v >>> 4]; 46 | hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F]; 47 | } 48 | return new String(hexChars, StandardCharsets.UTF_8); 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/util/MessageConstants.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.util; 30 | 31 | /** 32 | * MessageConstants - Maintains all the message constant literals. 33 | */ 34 | public final class MessageConstants { 35 | 36 | private MessageConstants() { 37 | // Utility Class 38 | } 39 | 40 | public static final String REQUEST_MISSING_TOKEN_MSG = "Required Token is missing from the Request"; 41 | public static final String MISMATCH_PAGE_TOKEN_MSG = "Request Token does not match Page Token"; 42 | public static final String MISMATCH_MASTER_TOKEN_MSG = "Request Token does not match the Master Token"; 43 | public static final String RANDOM_TOKEN_FAILURE_MSG = "Unable to generate the Random Token"; 44 | public static final String TOKEN_MISSING_FROM_STORAGE_MSG = "The token should exist in the storage at this point"; 45 | } 46 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/util/RandomGenerator.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.util; 31 | 32 | import java.security.NoSuchAlgorithmException; 33 | import java.security.NoSuchProviderException; 34 | import java.security.SecureRandom; 35 | 36 | public final class RandomGenerator { 37 | 38 | private static final char[] CHARSET = new char[] { 'A', 'B', 'C', 'D', 'E', 39 | 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 40 | 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', 41 | '5', '6', '7', '8', '9' }; 42 | 43 | private RandomGenerator() { 44 | /* Intentionally blank to force static usage */ 45 | } 46 | 47 | @Override 48 | public Object clone() throws CloneNotSupportedException { 49 | throw new CloneNotSupportedException(); 50 | } 51 | 52 | public static String generateRandomId(final String prng, final String provider, final int len) throws NoSuchAlgorithmException, NoSuchProviderException { 53 | return generateRandomId(SecureRandom.getInstance(prng, provider), len); 54 | } 55 | 56 | public static String generateRandomId(final SecureRandom secureRandom, final int len) { 57 | final StringBuilder sb = new StringBuilder(); 58 | 59 | for (int i = 1; i < len + 1; i++) { 60 | final int index = secureRandom.nextInt(CHARSET.length); 61 | final char c = CHARSET[index]; 62 | sb.append(c); 63 | 64 | if ((i % 4) == 0 && i < len) { 65 | sb.append('-'); 66 | } 67 | } 68 | 69 | return sb.toString(); 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /csrfguard/src/main/java/org/owasp/csrfguard/util/RegexValidationUtil.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.util; 31 | 32 | /** 33 | * RegexValidationUtil - All functions related to regex operations. 34 | * 35 | * @author - srijas 36 | * @since - 11/7/2019. 37 | */ 38 | public final class RegexValidationUtil { 39 | 40 | private RegexValidationUtil() { 41 | // Utility Class 42 | } 43 | 44 | /** 45 | * see if a test path starts with ^ and ends with $ thus making it a regex 46 | * @param testPath The path string to test 47 | * @return true if regex (starts with "^" and ends with "$") 48 | */ 49 | public static boolean isTestPathRegex(final String testPath) { 50 | return testPath != null && testPath.startsWith("^") && testPath.endsWith("$"); 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /csrfguard/src/main/resources/.babelrc: -------------------------------------------------------------------------------- 1 | { 2 | "presets": [ 3 | [ 4 | "@babel/preset-env", 5 | { 6 | "targets": { 7 | "esmodules": false, 8 | "browsers": ["> 0.25%", "not dead"] 9 | } 10 | } 11 | ] 12 | ], 13 | "plugins": ["transform-remove-console"] 14 | } 15 | -------------------------------------------------------------------------------- /csrfguard/src/main/resources/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules/** -------------------------------------------------------------------------------- /csrfguard/src/main/resources/license.txt: -------------------------------------------------------------------------------- 1 | The OWASP CSRFGuard Project, BSD License 2 | Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 3 | All rights reserved. 4 | 5 | Redistribution and use in source and binary forms, with or without 6 | modification, are permitted provided that the following conditions are met: 7 | 8 | 1. Redistributions of source code must retain the above copyright notice, 9 | this list of conditions and the following disclaimer. 10 | 2. Redistributions in binary form must reproduce the above copyright 11 | notice, this list of conditions and the following disclaimer in the 12 | documentation and/or other materials provided with the distribution. 13 | 3. Neither the name of OWASP nor the names of its contributors may be used 14 | to endorse or promote products derived from this software without specific 15 | prior written permission. 16 | 17 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 18 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 21 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 24 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 26 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /csrfguard/src/main/resources/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "csrfguard-js", 3 | "version": "1.0.0", 4 | "description": "JS minification and transpilation", 5 | "main": "./csrfguard.js", 6 | "scripts": { 7 | }, 8 | "private": true, 9 | "author": "forgedhallpass", 10 | "license": "MIT", 11 | "devDependencies": { 12 | "@babel/core": "^7.25.7", 13 | "@babel/preset-env": "^7.25.7", 14 | "babel-loader": "^9.2.1", 15 | "babel-plugin-transform-remove-console": "^6.9.4", 16 | "terser-webpack-plugin": "^5.3.10", 17 | "webpack": "^5.95.0", 18 | "webpack-cli": "^5.1.4" 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /csrfguard/src/main/resources/webpack.config.js: -------------------------------------------------------------------------------- 1 | const TerserPlugin = require('terser-webpack-plugin'); 2 | 3 | module.exports = { 4 | entry: './csrfguard.js', 5 | output: { 6 | filename: 'csrfguard.min.js', 7 | path: __dirname 8 | }, 9 | module: { 10 | rules: [ 11 | { 12 | test: /\.js$/, 13 | exclude: /node_modules/, 14 | use: { 15 | loader: 'babel-loader' 16 | } 17 | } 18 | ] 19 | }, 20 | optimization: { 21 | minimize: true, 22 | minimizer: [ 23 | new TerserPlugin({ 24 | terserOptions: { 25 | compress: { 26 | drop_console: true // Remove console.* statements 27 | } 28 | } 29 | }) 30 | ] 31 | }, 32 | mode: 'production' // Enables built-in optimizations like minification 33 | }; 34 | -------------------------------------------------------------------------------- /csrfguard/src/test/java/org/owasp/csrfguard/MandatoryProperties.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard; 30 | 31 | import org.owasp.csrfguard.config.dummy.DummyAction; 32 | import org.owasp.csrfguard.config.dummy.DummyLogicalSessionExtractor; 33 | import org.owasp.csrfguard.config.properties.ConfigParameters; 34 | 35 | import java.util.Map; 36 | import java.util.Properties; 37 | 38 | public class MandatoryProperties { 39 | 40 | public final Properties properties = new Properties(); 41 | 42 | public MandatoryProperties() { 43 | this.properties.setProperty(ConfigParameters.LOGICAL_SESSION_EXTRACTOR_NAME, DummyLogicalSessionExtractor.class.getName()); 44 | this.properties.setProperty(ConfigParameters.ACTION_PREFIX + DummyAction.class.getSimpleName(), DummyAction.class.getName()); 45 | } 46 | 47 | public MandatoryProperties add(final String key, final String value) { 48 | this.properties.put(key, value); 49 | return this; 50 | } 51 | 52 | public MandatoryProperties add(final Map additionalProperties) { 53 | this.properties.putAll(additionalProperties); 54 | return this; 55 | } 56 | 57 | public Properties get() { 58 | return this.properties; 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /csrfguard/src/test/java/org/owasp/csrfguard/config/dummy/DummyAction.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.config.dummy; 30 | 31 | import org.owasp.csrfguard.CsrfGuard; 32 | import org.owasp.csrfguard.CsrfGuardException; 33 | import org.owasp.csrfguard.action.IAction; 34 | 35 | import javax.servlet.http.HttpServletRequest; 36 | import javax.servlet.http.HttpServletResponse; 37 | import java.util.Collections; 38 | import java.util.Map; 39 | 40 | public class DummyAction implements IAction { 41 | 42 | @Override 43 | public void setName(final String name) {} 44 | 45 | @Override 46 | public String getName() { 47 | return null; 48 | } 49 | 50 | @Override 51 | public void setParameter(final String name, final String value) {} 52 | 53 | @Override 54 | public String getParameter(final String name) { 55 | return null; 56 | } 57 | 58 | @Override 59 | public Map getParameterMap() { 60 | return Collections.emptyMap(); 61 | } 62 | 63 | @Override 64 | public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfGuardException, final CsrfGuard csrfGuard) {} 65 | } 66 | -------------------------------------------------------------------------------- /csrfguard/src/test/java/org/owasp/csrfguard/config/dummy/DummyLogicalSessionExtractor.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | package org.owasp.csrfguard.config.dummy; 30 | 31 | import org.owasp.csrfguard.session.LogicalSession; 32 | import org.owasp.csrfguard.token.storage.LogicalSessionExtractor; 33 | 34 | import javax.servlet.http.HttpServletRequest; 35 | 36 | public class DummyLogicalSessionExtractor implements LogicalSessionExtractor { 37 | 38 | @Override 39 | public LogicalSession extract(final HttpServletRequest httpServletRequest) { 40 | return null; 41 | } 42 | 43 | @Override 44 | public LogicalSession extractOrCreate(final HttpServletRequest httpServletRequest) { 45 | return null; 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /csrfguard/src/test/java/org/owasp/csrfguard/token/transferobject/TokenTOTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.token.transferobject; 31 | 32 | import org.junit.jupiter.api.Test; 33 | 34 | import java.util.HashMap; 35 | 36 | import static org.junit.jupiter.api.Assertions.assertEquals; 37 | 38 | class TokenTOTest { 39 | 40 | @Test 41 | void testMasterTokenToJson() { 42 | final TokenTO tokenTO = new TokenTO("AAAA-BBBB-CCCC-DDDD"); 43 | 44 | assertEquals(tokenTO.toString(), "{\"masterToken\":\"AAAA-BBBB-CCCC-DDDD\",\"pageTokens\":{}}"); 45 | } 46 | 47 | @Test 48 | void testEmptyTokenToJson() { 49 | final TokenTO tokenTO = new TokenTO(null, null); 50 | assertEquals(tokenTO.toString(), "{}"); 51 | } 52 | 53 | @Test 54 | void testPageTokensToJson() { 55 | final HashMap pageTokens = new HashMap<>(); 56 | 57 | pageTokens.put("/start", "start-Page-Token-Value"); 58 | pageTokens.put("/index.html", "index-Page-Token-Value"); 59 | 60 | final TokenTO tokenTO = new TokenTO(pageTokens); 61 | assertEquals(tokenTO.toString(), "{\"pageTokens\":{\"/index.html\":\"index-Page-Token-Value\",\"/start\":\"start-Page-Token-Value\"}}"); 62 | } 63 | 64 | @Test 65 | void testMasterTokenPageTokensToJson() { 66 | final HashMap pageTokens = new HashMap<>(); 67 | 68 | pageTokens.put("/start", "start-Page-Token-Value"); 69 | pageTokens.put("/index.html", "index-Page-Token-Value"); 70 | 71 | final TokenTO tokenTO = new TokenTO("AAAA-BBBB-CCCC-DDDD", pageTokens); 72 | final String expectedResult = "{\"masterToken\":\"AAAA-BBBB-CCCC-DDDD\"," + 73 | "\"pageTokens\":{\"/index.html\":\"index-Page-Token-Value\"," + 74 | "\"/start\":\"start-Page-Token-Value\"}}"; 75 | assertEquals(tokenTO.toString(), expectedResult); 76 | } 77 | } -------------------------------------------------------------------------------- /csrfguard/src/test/java/org/owasp/csrfguard/util/RandomGeneratorTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * The OWASP CSRFGuard Project, BSD License 3 | * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com) 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 3. Neither the name of OWASP nor the names of its contributors may be used 15 | * to endorse or promote products derived from this software without specific 16 | * prior written permission. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | package org.owasp.csrfguard.util; 31 | 32 | import org.junit.jupiter.api.Assertions; 33 | import org.junit.jupiter.api.BeforeEach; 34 | import org.junit.jupiter.api.Test; 35 | import org.owasp.csrfguard.MandatoryProperties; 36 | import org.owasp.csrfguard.config.PropertiesConfigurationProvider; 37 | 38 | import java.security.SecureRandom; 39 | import java.util.Properties; 40 | 41 | import static org.junit.jupiter.api.Assertions.assertEquals; 42 | 43 | class RandomGeneratorTest { 44 | 45 | private SecureRandom secureRandom; 46 | 47 | @BeforeEach 48 | void setUp() { 49 | final Properties properties = new MandatoryProperties().get(); 50 | 51 | final PropertiesConfigurationProvider configurationProvider = new PropertiesConfigurationProvider(properties); 52 | 53 | this.secureRandom = configurationProvider.getPrng(); 54 | } 55 | 56 | @Test 57 | void testCustomTokenLength() { 58 | final String randomToken = RandomGenerator.generateRandomId(this.secureRandom, 5); 59 | 60 | Assertions.assertEquals(randomToken.charAt(4), '-'); 61 | assertEquals(randomToken.length(), 6); 62 | } 63 | } -------------------------------------------------------------------------------- /leaders.md: -------------------------------------------------------------------------------- 1 | ### Leaders 2 | * [Azzeddine RAMRAMI](mailto:azzeddine.ramrami@owasp.org) 3 | * [Istvan Albert-Toth](mailto:istvan.alberttoth@owasp.org) 4 | * [Sébastien Gioria](mailto:sebastien.gioria@owasp.org) 5 | -------------------------------------------------------------------------------- /tab_features.md: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | title: Features 4 | layout: null 5 | order: 1 6 | tab: true 7 | tags: csrfguard 8 | 9 | --- 10 | # OWASP CSRFGuard 4.0.0 11 | 12 | ![OWASP CSRFGuard 4.0.0](assets/images/csrfguard.png) 13 | 14 | ## What are CSRF (Cross-Site Request Forgery) Attacks? 15 | 16 | ![How Does CSRF Work](assets/images/what_is_csrf_attacks_1.png) 17 | ![How Does CSRF Work](assets/images/what_is_csrf_attacks_2.png) 18 | ![How Does CSRF Work](assets/images/what_is_csrf_attacks_3.png) 19 | ![How Does CSRF Work](assets/images/what_is_csrf_attacks_4.png) 20 | ![How Does CSRF Work](assets/images/what_is_csrf_attacks_5.png) 21 | ![How Does CSRF Work](assets/images/what_is_csrf_attacks_6.png) 22 | ![How Does CSRF Work](assets/images/what_is_csrf_attacks_7.png) 23 | 24 | -------------------------------------------------------------------------------- /tab_screenshots.md: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | title: Screenshots 4 | layout: null 5 | order: 1 6 | tab: true 7 | tags: csrfguard 8 | 9 | --- 10 | 11 | # CSRFGuard In Action 12 | 13 | ![CSRFGuard in action](assets/images/csrfguard_in_action.png) 14 | -------------------------------------------------------------------------------- /tab_supporters.md: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | title: Supporters 4 | displaytext: Our Supporters 5 | layout: null 6 | tab: true 7 | order: 4 8 | tags: csrfguard 9 | 10 | --- 11 | 12 | ## Supporters 13 | 14 | CSRFGuard is developed by a worldwide of volunteers in Morocco, France, India, China, Singapore, Indonesia, Canada and more. 15 | 16 | ## Special Thanks 17 | 18 | Thanks to Trent Schmidt and Joel Orlina (JIRA) for there help. 19 | --------------------------------------------------------------------------------