Struts 2 CSRF protection

Source: Internet | Published: Taobao counterfeit report not approved | Editor: 程序博客网 | Time: 2024/06/05 08:05

http://web.securityinnovation.com/appsec-weekly/blog/bid/84318/Cross-Site-Request-Forgery-CSRF-Prevention-Using-Struts-2


Secure Development Tips

a blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor


Cross-Site Request Forgery (CSRF) Prevention Using Struts 2


Applies to

  • Java
  • Struts 2

Summary

Perform CSRF prevention using Struts 2 within an application.

Objectives

CSRF prevention is a key security control for an application that protects the application and its users from CSRF attacks. This article will describe how to use the built-in mechanisms provided by Struts 2 to perform CSRF prevention.

Code Example

There is a standard model for CSRF prevention using Struts 2 that involves three basic steps:

1. Update your interceptor stack to include the tokenSession interceptor, either including or excluding all methods (all are included here).

<interceptor-stack name="myStack">
    <interceptor-ref name="defaultStack" />
    <interceptor-ref name="tokenSession">
        <param name="includeMethods">*</param>
    </interceptor-ref>
</interceptor-stack>

<default-interceptor-ref name="myStack" />

2. Update your action configuration to include or exclude any methods that need or do not need CSRF protection.

<action ...>
    ...
    <interceptor-ref name="tokenSession">
        <param name="excludeMethods">searchBooks,getBook</param>
    </interceptor-ref>
</action>

3. Use s:token in your JSP form that requests the action.

<s:form action="...">
    ...
    <s:token />
    ...
</s:form>

With these three steps in place, every protected request carries a per-user, session-specific token, and the interceptor uses it to verify that the user submitted the request intentionally.
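The following is an added model, not Struts code or anything from the original article, of the check those three steps set up: the synchronizer token that <s:token /> writes into the form and the tokenSession interceptor compares against the session. Session storage and request parameters are plain Python dicts; the field name struts.token.name and the session key prefix struts.tokens. follow what Struts uses, the method names saveBook and searchBooks are assumed for illustration, and the duplicate-submit case is simplified to return invalid.token where the real tokenSession interceptor instead re-renders the result of the first submission.

```python
"""Model of the synchronizer-token check behind the Struts 2 tokenSession
interceptor (added example, not the Struts implementation)."""
import secrets
from dataclasses import dataclass, field

# Hidden field naming the token; <s:token/> renders it next to the token field itself.
TOKEN_NAME_FIELD = "struts.token.name"
# Session-attribute prefix under which Struts' TokenHelper keeps the token.
SESSION_PREFIX = "struts.tokens."
DEFAULT_TOKEN_NAME = "token"
# Methods left unprotected by the excludeMethods setting in the article's action config.
EXCLUDED_METHODS = {"searchBooks", "getBook"}


@dataclass
class Session:
    """Stand-in for the HttpSession attribute map (constructed for this example)."""
    attrs: dict = field(default_factory=dict)


def render_token(session: Session, token_name: str = DEFAULT_TOKEN_NAME) -> dict:
    """What <s:token/> does when the form is rendered: mint an unguessable token,
    keep it in the user's session and return the hidden fields the form will carry."""
    token = secrets.token_hex(16)
    session.attrs[SESSION_PREFIX + token_name] = token
    return {TOKEN_NAME_FIELD: token_name, token_name: token}


def validate_and_consume(session: Session, params: dict) -> bool:
    """The check run on a protected request: the submitted token must equal the one
    stored in this session, and it is removed once used so the same form cannot be
    submitted twice (simplification: the real interceptor replays the first result)."""
    token_name = params.get(TOKEN_NAME_FIELD)
    if not token_name:
        return False                      # request never carried a token
    submitted = params.get(token_name)
    key = SESSION_PREFIX + token_name
    expected = session.attrs.get(key)
    if not submitted or expected is None:
        return False                      # nothing to compare against
    if not secrets.compare_digest(expected, submitted):
        return False                      # token minted in another session, or forged
    del session.attrs[key]                # single use
    return True


def dispatch(session: Session, method: str, params: dict) -> str:
    """Route one request: excluded methods run without a token; every other method
    needs a valid one, otherwise the result is invalid.token."""
    if method not in EXCLUDED_METHODS and not validate_and_consume(session, params):
        return "invalid.token"
    return "success"


def scenario() -> dict:
    """Walk through the cases the article's configuration covers and return each outcome."""
    victim = Session()
    fields = render_token(victim)          # victim opens the form in the browser
    outcomes = {}
    outcomes["genuine_submit"] = dispatch(victim, "saveBook", {**fields, "title": "x"})
    outcomes["resubmit"] = dispatch(victim, "saveBook", {**fields, "title": "x"})
    # A cross-site POST rides on the victim's cookies but cannot read the hidden fields.
    outcomes["cross_site_post"] = dispatch(victim, "saveBook", {"title": "x"})
    # A token minted in someone else's session does not match the victim's.
    render_token(victim)
    foreign = render_token(Session())
    outcomes["foreign_token"] = dispatch(victim, "saveBook", {**foreign, "title": "x"})
    # Read-only search was excluded from the check, so it needs no token.
    outcomes["excluded_search"] = dispatch(victim, "searchBooks", {"q": "struts"})
    return outcomes


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:>16}: {result}")
```

The cross_site_post case is the one the control exists for: the forged request is sent with the victim's session cookie, so authentication succeeds, but the hidden token fields live in a page the attacking site cannot read, and the comparison fails. The excluded_search case shows why excludeMethods should list only methods that change no state, since those run with no token at all.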

Note: There have been effective attacks against various CSRF prevention techniques including this token-based approach when an application has XSS vulnerabilities. Removing XSS is therefore viewed as a prerequisite activity for a complete CSRF prevention mechanism.

In conclusion, CSRF prevention can function as a strong security control if used properly and applied thoroughly throughout the application. The Struts 2 framework provides a simple series of steps for accomplishing this task.

More Information

  • For more information about Token Interceptor, please see http://struts.apache.org/2.0.14/docs/token-interceptor.html
  • For more information about Cross-Site Request Forgery Prevention in Struts 2, please see http://struts.apache.org/2.0.14/docs/token-interceptor.html
Tags: Secure Development Tip, Serge Truth, TeamMentor Tip
