I want to implement Cross-site request forgery prevention for my web application, which is based on the Struts 1.x framework. I know that the Struts 2 framework provides a token interceptor for this, and I can implement similar functionality using filters.
I am a bit confused about a few things:
1) How can I generate a unique token in a straightforward way? (Can I use the Action class token for this purpose, which is used for avoiding duplicate form submission?)
2) Are there any issues in using the Struts 1.x framework token mechanism for CSRF prevention?
To prevent CSRF attacks, use anti-forgery tokens with any authentication protocol where the browser silently sends credentials after the user logs in. This includes cookie-based authentication protocols, such as forms authentication, as well as protocols such as Basic and Digest authentication.
CSRF tokens can prevent CSRF attacks by making it impossible for an attacker to construct a fully valid HTTP request suitable for feeding to a victim user.
A CSRF token is a secure random token (e.g., synchronizer token or challenge token) that is used to prevent CSRF attacks. The token needs to be unique per user session and should be a large random value to make it difficult to guess. A CSRF-secure application assigns a unique CSRF token for every user session.
CSRF tokens prevent CSRF because without the token, an attacker cannot create valid requests to the backend server. CSRF tokens should not be transmitted using cookies. The CSRF token can be added through hidden fields or headers, and can be used with forms and AJAX calls.
The Struts 1 Action token methods work like the Struts 2 token interceptor in that they add a token to your session and check it on form submission, but it is a much more manual process. The basic workflow is:
1. Call saveToken(request) before forwarding onto the JSP that contains the form.
2. Build the form on that JSP with the <html:form> tag.
3. In the Action that receives the submission, call isTokenValid(request, true), and you should redirect back to the first Action with an error message if it returns false. This also resets the token for the next request.
Doing this will not only prevent duplicate form submissions, but any script will have to hit the first Struts Action and get a session before it can submit to the second Struts Action to submit the form. Since a site can't set a session for another site, this should prevent CSRF.
If you usually send users directly to your JSP, don't. Instead, create a new class inheriting from ActionForward and set this as its execute() method:
import javax.servlet.http.*; import org.apache.struts.action.*; import org.apache.struts.actions.ForwardAction;
// Class name assumed; saveToken() is defined on Action, and ForwardAction.execute() forwards to the JSP named in the mapping's "parameter" attribute
public class TokenSeedForwardAction extends ForwardAction {
    public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception {
        saveToken(request); // stores a fresh token in the session; <html:form> on the JSP renders it as a hidden field
        return super.execute(mapping, form, request, response);
    }
}
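The seed-then-check workflow from the answer above, and the generic "unique token per session, carried in a hidden field" advice from the earlier answer, as one added example written against the Struts 1.x Action API. This is illustration code, not taken from either answer or from the Struts project; the class names, forward names ("form", "showForm", "success") and the message key error.csrf.token are assumptions, and the two classes would live in two source files.

```java
// Added example (not from the original answers): two Struts 1.x Actions that
// implement the seed-then-check token workflow. Names marked "assumed" are
// placeholders for this illustration.
package example.csrf; // assumed package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

// ---- File 1: ShowTransferFormAction.java (assumed name) ----
// The Action users must pass through before they ever see the form.
public class ShowTransferFormAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        // Action.saveToken() generates a token and stores it in the session under
        // Globals.TRANSACTION_TOKEN_KEY. The <html:form> tag on the forwarded JSP
        // emits it as the hidden field named org.apache.struts.taglib.html.TOKEN.
        saveToken(request);
        return mapping.findForward("form"); // assumed forward -> the JSP with the form
    }
}

// ---- File 2: SubmitTransferAction.java (assumed name) ----
// The Action that receives the POST and does the state-changing work.
public class SubmitTransferAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        // isTokenValid() compares the submitted hidden field with the session token.
        // reset=true removes the token afterwards, so a replayed or double-clicked
        // submit fails exactly like a forged cross-site request does.
        if (!isTokenValid(request, true)) {
            ActionErrors errors = new ActionErrors();
            // Message key assumed to exist in the application's resource bundle.
            errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("error.csrf.token"));
            saveErrors(request, errors);
            // Go back through the seeding Action (its mapping should carry
            // redirect="true"), never straight to the JSP: the token was just
            // reset and has to be reissued before the form can be resubmitted.
            return mapping.findForward("showForm"); // assumed forward -> ShowTransferFormAction
        }

        // ... perform the actual transfer / update here ...
        return mapping.findForward("success"); // assumed forward
    }
}
```

Two practical notes on the questions raised at the top of the thread. First, the token Struts 1 generates is produced by org.apache.struts.util.TokenProcessor as an MD5 digest over the session id and the current time in milliseconds; its unpredictability therefore rests on the session id, which a cross-site attacker does not hold, so the mechanism is usable for CSRF as long as the check really runs on every state-changing Action. Second, because the check is per-Action and easy to forget, the same logic can be centralised in a servlet filter by calling TokenProcessor.getInstance().isTokenValid(request, true) and TokenProcessor.getInstance().saveToken(request) directly, which also covers AJAX calls as long as the client sends the value of the session attribute Globals.TRANSACTION_TOKEN_KEY as the org.apache.struts.taglib.html.TOKEN parameter.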