CSRF Issue in Reverse AJAX


CSRF Issue in Reverse AJAX

Mohammad Faisal
Hi,

I am getting a 403 error while using reverse AJAX.

Request headers are:

POST /chatbox/dwr/call/plainpoll/ReverseAjax.dwr HTTP/1.1
Host: 192.168.1.162:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: text/plain; charset=UTF-8
Referer: http://192.168.1.162:8080/chatbox/mainpage
Content-Length: 173
Cookie: JSESSIONID=qpRJAN080BO84zrtczb8r5SuhO8ErZhInLTnn53Q.net001d162; DWRSESSIONID=zbdh1EvrZeBwCaSn8h31j4RkEHIJ~KnGp0l; __utma=56549995.1435700150.1453201187.1453201187.1453201187.1; __utmc=56549995; __utmz=56549995.1453201187.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive

and the response returned, as seen in the network tab, is:

<html><head><title>Error</title></head><body>Expected CSRF token not found. Has your session expired?</body></html>

The URL /mainpage is secured using Spring Security, and after a successful login it shows me a JavaScript alert: Forbidden.

When I disable CSRF in my spring-security.xml it works properly, but I do not want to disable CSRF.

Thanks and regards
Mohammad Faisal 

Re: CSRF Issue in Reverse AJAX

david@butterdev.com
To be clear, you are attempting to use Spring's built-in CSRF protection? If that's the case, how do you expect the token generated in Spring to get into an AJAX request made by DWR?

DWR has its own CSRF protection, which I recommend you use. It generates a token and automatically passes it in DWR requests.

On 01/19/2016 05:49 AM, Mohammad Faisal wrote:


Re: CSRF Issue in Reverse AJAX

Mohammad Faisal
It doesn't seem to be an issue with Spring's CSRF. The problem is quite similar to the one Amit Sharma asked about previously: https://java.net/projects/dwr/lists/users/archive/2015-03/message/0

Request Headers:

POST /chatbox/dwr/call/plaincall/__System.generateId.dwr HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: text/plain; charset=UTF-8
Referer: http://localhost:8080/chatbox/mainpage
Content-Length: 135
Cookie: JSESSIONID=ZVuxf33w5qzoYKuY2xZKHMcu.undefined
Connection: keep-alive

And response

HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.

type: Status report

message: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.

description: Access to the specified resource (Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.) has been forbidden.

On 1/19/16, David Marginian <[hidden email]> wrote:


Re: CSRF Issue in Reverse AJAX

david@butterdev.com
The error message:

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'

is absolutely an error from Spring. You need to disable the CSRF support in Spring. DWR automatically protects you from CSRF attacks.

On 01/26/2016 02:30 AM, Mohammad Faisal wrote:

> It doesn't seems the issue with Spring's CSRF. The problem is quite
> similar as Amit Sharma asked previously
> https://java.net/projects/dwr/lists/users/archive/2015-03/message/0 .
>
> Request Headers:
>
> POST /chatbox/dwr/call/plaincall/__System.generateId.dwr HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> DNT: 1
> Content-Type: text/plain; charset=UTF-8
> Referer: http://localhost:8080/chatbox/mainpage
> Content-Length: 135
> Cookie: JSESSIONID=ZVuxf33w5qzoYKuY2xZKHMcu.undefined
> Connection: keep-alive
>
> And response
>
> HTTP Status 403 - Invalid CSRF Token 'null' was found on the request
> parameter '_csrf' or header 'X-CSRF-TOKEN'.
>
> type: Status report
>
> message: Invalid CSRF Token 'null' was found on the request parameter
> '_csrf' or header 'X-CSRF-TOKEN'.
>
> description: Access to the specified resource (Invalid CSRF Token
> 'null' was found on the request parameter '_csrf' or header
> 'X-CSRF-TOKEN'.) has been forbidden.
>
> On 1/19/16, David Marginian <[hidden email]> wrote:
>> To be clear, you are attempting to use Spring's built-in CSRF
>> protection?   If that's the case how do you expect the token generated
>> in Spring to get into an AJAX request made by DWR?
>>
>> DWR has it's own CSRF protection, which I recommend you use.  It
>> generates a token and automatically passes it in DWR requests.
>>
>> On 01/19/2016 05:49 AM, Mohammad Faisal wrote:
>>> Hi,
>>>
>>> I am getting 403 error while using reverse ajax.
>>>
>>> Request headers are:
>>>
>>>      *POST* /chatbox/dwr/call/plainpoll/ReverseAjax.dwr HTTP/1.1
>>>      *Host:* 192.168.1.162:8080 <http://192.168.1.162:8080>
>>>      *User-Agent:* Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0)
>>>      Gecko/20100101 Firefox/43.0
>>>      *Accept:*
>>>      text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>>      *Accept-Language:* en-US,en;q=0.5
>>>      *Accept-Encoding: *gzip, deflate
>>>      *DNT: *1
>>>      *Content-Type: *text/plain; charset=UTF-8
>>>      *Referer: *http://192.168.1.162:8080/chatbox/mainpage
>>>      *Content-Length: *173
>>>      *Cookie:
>>>      *JSESSIONID=qpRJAN080BO84zrtczb8r5SuhO8ErZhInLTnn53Q.net001d162;
>>>      DWRSESSIONID=zbdh1EvrZeBwCaSn8h31j4RkEHIJ~KnGp0l;
>>>      __utma=56549995.1435700150.1453201187.1453201187.1453201187.1;
>>>      __utmc=56549995;
>>>
>>> __utmz=56549995.1453201187.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
>>>      *Connection: *keep-alive
>>>
>>>
>>> and response returned is as below as seen in network:
>>>
>>>      |<html><head><title>Error</title></head><body>Expected CSRF token
>>>      not found. Has your session expired||?</body></html>|
>>>
>>>
>>> The URL /mainpage is secured using spring security and after
>>> successful login it shows me javascript alert: Forbidden.
>>>
>>> While in my spring-security.xml by disabling csrf it works properly.
>>> But I am looking for not disabling the csrf.
>>>
>>> Thanks and regards
>>> Mohammad Faisal
>>
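One way to reconcile the two positions in this thread (Mohammad wants Spring's CSRF protection kept on, David points out that DWR already validates its own token) is to keep Spring's CSRF filter for the rest of /chatbox and exempt only the DWR servlet path. The following is an added example, not code posted by either participant or shipped by DWR; it assumes Spring Security 4.x on Java 8, that the DWR servlet is mapped under /dwr/* inside the /chatbox context (matching the /chatbox/dwr/call/... URLs in the requests above), and the class name ChatboxSecurityConfig is hypothetical.

```java
// Added example, not code from the thread. Assumes Spring Security 4.x on Java 8,
// the DWR servlet mapped under /dwr/* inside the /chatbox context (matching the
// /chatbox/dwr/call/... URLs in the requests above), and a hypothetical class name.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class ChatboxSecurityConfig extends WebSecurityConfigurerAdapter {

    // The same "safe method" set Spring's default CSRF matcher exempts. It is
    // restated here because supplying a custom matcher replaces the default one
    // entirely; without this check plain GETs would start demanding a token too.
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    // Context-relative path of the DWR servlet (the filter sees /dwr/..., not
    // /chatbox/dwr/...). DWR's own token check still runs on these requests, so
    // they are the only ones Spring's CSRF filter may safely skip.
    private static final RequestMatcher DWR_ENDPOINTS =
            new AntPathRequestMatcher("/dwr/**");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Both the page and the DWR poll URL still require a logged-in session.
                .antMatchers("/mainpage", "/dwr/**").authenticated()
                .and()
            .formLogin()
                .and()
            .csrf()
                // Keep Spring's _csrf token requirement for every state-changing
                // request in the app except the DWR endpoints.
                .requireCsrfProtectionMatcher(request ->
                        !SAFE_METHODS.contains(request.getMethod())
                        && !DWR_ENDPOINTS.matches(request));
    }
}
```

The spring-security.xml equivalent is `<csrf request-matcher-ref="..."/>` pointing at a bean whose matches() method applies the same two conditions.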


Re: CSRF Issue in Reverse AJAX

david@butterdev.com
I suggest reading the Spring Security docs on the topic:
https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html

On 01/26/2016 02:30 AM, Mohammad Faisal wrote:
