I'm trying out the WSO2 Identity Server.
I downloaded version 5.4.0, and started the server on my Windows machine with wso2server.bat --run.
If I try to login to the console with the default credentials (admin / admin), I get an error 403 - Forbidden, and the console shows this message:
WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:0:0:0:0:0:0:0:1, method:POST, uri:/carbon/admin/login_action.jsp, error:required token is missing from the request)
Is there something else I need to configure before I can try out the console?
A key design principle that protects you from CSRF attacks is using GET requests for only view or read-only actions. These types of requests should not transform data and must only display recorded data. This limits the number of requests that are vulnerable to CSRF attacks.
What is CSRF? Cross-site Request Forgery (CSRF) vulnerabilities occur when a web server receives a malicious request from a trusted browser. An attacker can create a malicious link that lets them, for example, transfer money from a user's online bank account to another account.
Social engineering platforms are often used by attackers to launch a CSRF attack. This tricks the victim into clicking a URL that contains a maliciously crafted, unauthorized request for a particular Web application. The user's browser then sends this maliciously crafted request to a targeted Web application.
It can result in damaged client relationships, unauthorized fund transfers, changed passwords and data theft—including stolen session cookies. CSRFs are typically conducted using malicious social engineering, such as an email or link that tricks the victim into sending a forged request to a server.
This is a known issue with JDK 8u151. You can use JDK 8u144.
Ref: https://docs.wso2.com/display/AM210/Installation+Prerequisites
Simple fix: go to the directory "wso2ei-6.2.0\conf\security" and open the "Owasp.CsrfGuard.Carbon.properties" file with any text editor (line number 49):
# If csrfguard filter is enabled
org.owasp.csrfguard.Enabled = true
and change it to false:
# If csrfguard filter is enabled
org.owasp.csrfguard.Enabled = false
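To see what the 403 in the question actually means, here is an added example (not WSO2 or OWASP CSRFGuard code) of the synchronizer-token check CSRFGuard performs on /carbon/admin/login_action.jsp: a per-session token must accompany every state-changing request, a POST without it is rejected with the WARN line from the question, and a GET is waved through because it is read-only. The token parameter name OWASP_CSRFTOKEN, the mismatch wording and the GET URI are assumptions; the last scenario shows what Enabled = false does to the same request.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_NAME = "OWASP_CSRFTOKEN"             # CSRFGuard's default token name (assumption)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only methods are never token-checked
MISSING = "required token is missing from the request"
MISMATCH = "request token does not match session token"  # this example's own wording

@dataclass
class Session:
    user: str = "<anonymous>"  # not yet authenticated, as in the question's log line
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    method: str
    uri: str
    session: Session
    params: dict = field(default_factory=dict)
    ip: str = "0:0:0:0:0:0:0:1"

def check_csrf(req, enabled=True):
    """Synchronizer-token check: returns (allowed, warn_line) in CSRFGuard's log format."""
    if not enabled or req.method in SAFE_METHODS:
        return True, None  # Enabled=false lets every POST through, token or not
    presented = req.params.get(TOKEN_NAME)
    if presented is None:
        error = MISSING
    elif not hmac.compare_digest(presented, req.session.csrf_token):
        error = MISMATCH  # constant-time compare: no timing leak of the token
    else:
        return True, None
    warn = ("WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request "
            f"forgery (CSRF) attack thwarted (user:{req.session.user}, ip:{req.ip}, "
            f"method:{req.method}, uri:{req.uri}, error:{error})")
    return False, warn

def demo():
    """Constructed scenarios: failing login, login with token, wrong token, read-only GET, guard off."""
    s, login = Session(), "/carbon/admin/login_action.jsp"
    creds = {"username": "admin", "password": "admin"}
    return {
        "no_token": check_csrf(Request("POST", login, s, params=creds)),
        "with_token": check_csrf(Request("POST", login, s, params={**creds, TOKEN_NAME: s.csrf_token})),
        "wrong_token": check_csrf(Request("POST", login, s, params={**creds, TOKEN_NAME: "deadbeef"})),
        "read_only": check_csrf(Request("GET", "/carbon/example/view.jsp", s)),  # constructed URI
        "guard_off": check_csrf(Request("POST", login, s, params=creds), enabled=False),
    }
```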