I have an application that has CSRF protection provided by Apache modules. My application contains a few pages that allow uploading some files, which look like this:
<form:form method="post" action="my.controller" enctype="multipart/form-data" id="form">
All of this worked fine until we updated our Apache version from httpd-2.2.3 to httpd-2.2.15.
I've googled for some time and found that the issue can be related to the multipart/form-data parameter in my form. In this case the form is sent as not secured. I've also found that Spring can handle cases like the above via MultipartFilter (from the Spring doc: http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html#csrf-multipartfilter).
I am new to CSRF stuff. It would be good to know whether it is possible to use Spring CSRF protection together with the Apache configuration to handle such cases.
I've also found a workaround where I can disable CSRF for the needed URLs, like
RewriteRule /url/mycontroller.controller - [E=CSRF_IGNORE:yes]
But I am not sure whether it would be the correct one.
To prevent CSRF attacks, use anti-forgery tokens with any authentication protocol where the browser silently sends credentials after the user logs in. This includes cookie-based authentication protocols, such as forms authentication, as well as protocols such as Basic and Digest authentication.
Preventing CSRF attacks: The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests. The token should be unpredictable with high entropy, as for session tokens in general, and tied to the user's session.
CSRF tokens can prevent CSRF attacks by making it impossible for an attacker to construct a fully valid HTTP request suitable for feeding to a victim user.
By using custom rules through a WAF, users are able to help prevent certain CSRF attacks.
Following are the suggestions I have:
Please remove the enctype if it is not required, since multipart/form-data is not supported in some of the CSRF libraries, including CSRF Guard.
If you are setting the CSRF token using a hidden attribute, please try appending the token to the action attribute. Here is the link: https://code.google.com/p/csrf-filter/
If you still face the same issue, you may have to exclude the URL from CSRF check.
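As an added illustration (not code from either post, nor from Spring or Apache), a small Python model of the filter chain: a parameter-based CSRF check, like a servlet filter calling getParameter(), sees the query string and urlencoded bodies but not fields inside a multipart/form-data body, so a hidden-field token is invisible unless a multipart parser runs before the check (the MultipartFilter ordering the linked Spring doc describes) or the token also travels in the form's action URL (the second suggestion above). The request layout, boundary and token value are constructed for the demo.

```python
from email.parser import BytesParser
from email.policy import default
from urllib.parse import parse_qs, urlsplit

SESSION_TOKEN = "t0k3n-3xample"  # constructed stand-in for the session's CSRF token
BOUNDARY = "----modelboundary"   # constructed multipart boundary

def servlet_params(req):
    """Mimic getParameter(): query-string params plus a urlencoded body, nothing else."""
    params = parse_qs(urlsplit(req["url"]).query)
    if req["content_type"] == "application/x-www-form-urlencoded":
        for name, values in parse_qs(req["body"].decode()).items():
            params.setdefault(name, []).extend(values)
    return params

def multipart_filter(req):
    """Model of a MultipartFilter: parse the multipart body and expose its text fields."""
    if not req["content_type"].startswith("multipart/form-data"):
        return req
    raw = f"Content-Type: {req['content_type']}\r\n\r\n".encode() + req["body"]
    msg = BytesParser(policy=default).parsebytes(raw)
    fields = {}
    for part in msg.iter_parts():
        if part.get_filename() is None:  # file parts are never CSRF parameters
            name = part.get_param("name", header="content-disposition")
            fields.setdefault(name, []).append(part.get_content())
    return {**req, "multipart_fields": fields}

def csrf_filter(req, expected=SESSION_TOKEN):
    """Accept the POST only if the _csrf parameter the filter can see matches the session."""
    params = servlet_params(req)
    for name, values in req.get("multipart_fields", {}).items():
        params.setdefault(name, []).extend(values)
    return params.get("_csrf", [None])[0] == expected

def upload_request(token_in_action):
    """Constructed upload POST: token as a hidden field, optionally also in the action URL."""
    body = (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"_csrf\"\r\n\r\n{SESSION_TOKEN}\r\n"
            f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"file\"; filename=\"a.txt\"\r\n"
            f"Content-Type: text/plain\r\n\r\nhello\r\n--{BOUNDARY}--\r\n").encode()
    url = "/my.controller" + (f"?_csrf={SESSION_TOKEN}" if token_in_action else "")
    return {"url": url, "content_type": f"multipart/form-data; boundary={BOUNDARY}", "body": body}
```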