 

NullPointerException with Owasp.CsrfGuard.Test

Why do I get:

java.lang.NullPointerException org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:53)

when trying to run the Owasp.CsrfGuard.Test example app on Tomcat 5.5?

I'm using the example app exactly as it came in the download but with the following changes to get around listener errors:

  • I downloaded the CsrfGuard 3.0.0 package and copied the Owasp.CsrfGuard.jar to WEB-INF/lib to get around the listeners not being found.

  • I changed the web.xml file to use the listener that comes with the Owasp.CsrfGuard.jar rather than the two listeners in the original web.xml, which don't exist.

When I start the app there are no errors but when I point my browser to the /Owasp.CsrfGuard.Test/index.html page, I get the above error.

Any ideas to try?

Update...

Several hours later and I got it working without error. I don't understand why but the filter errors seem to stick around even after stopping and restarting a webapp (in Tomcat at least). I had to rename that webapp's directory, wait 10 seconds for Tomcat to auto-undeploy it, rename it back to its original directory name, and wait 10 seconds for Tomcat to recognize it as a new webapp. I also removed the "x-requested-with" init-param from the web.xml file since I don't use AJAX. Don't know if that really needed to come out but it works so I'm leaving it out.

Now, the "protect.html" file is indeed protected but it is protected too well. I can't get to it at all. If I try to go directly to the protect.html page, it should not allow that, which it doesn't. However, it should allow me to get there through the proper webpage flow with all the pages getting the proper token(s).

The question now is how can I get to the protect.html page?

Thanks.

user2084967 asked Jul 02 '26 01:07


1 Answer

Got it! In case someone else has problems, here is what I figured out to get JavaScript DOM Manipulation working.

All of the references in the .properties file MUST BE absolute with reference to the web container (Tomcat in my case). Even if you place the .js and .jar files in a specific webapp and modify that webapp's web.xml file with the proper settings for CSRFGuard (with relative references by the way), the entries in the .properties file must include references to the webapp name. For example, it must be something like:

org.owasp.csrfguard.unprotected.Index=/someapp/index.html

rather than just

org.owasp.csrfguard.unprotected.Index=index.html

This is not intuitive since unless you are dealing with the entire Tomcat container (i.e. the master web.xml file) you can generally drop the webapp name since it is implied for that webapp.

Now I'm going to look into the other CSRFGuard method of JSP Tag Injection since the JavaScript mechanism won't work if the user has JavaScript turned off in their browser.

user2084967 answered Jul 03 '26 13:07
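To show why the relative entry locks the user out of every page, here is an added illustration (not CsrfGuard's own matching code and not from the thread) that models a filter comparing the unprotected list against the request URI the container reports. It assumes, as the answer implies, that the URI includes the webapp context path, so "index.html" never equals "/someapp/index.html"; the trailing-"*" prefix form is an assumption of this model, not something the thread confirms for CsrfGuard 3.0.0.

```python
# Simplified model of an "unprotected pages" check. Assumption: entries are
# compared against HttpServletRequest.getRequestURI(), which includes the
# webapp context path (e.g. "/someapp/index.html"), not a webapp-relative path.
# Illustration only, not the library's own code.

def parse_unprotected(properties_text: str) -> list[str]:
    """Collect the values of org.owasp.csrfguard.unprotected.* entries."""
    pages = []
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("org.owasp.csrfguard.unprotected."):
            pages.append(value.strip())
    return pages

def is_protected(request_uri: str, unprotected: list[str]) -> bool:
    """True when the filter would demand a CSRF token for this URI."""
    for entry in unprotected:
        if entry.endswith("*"):            # assumed prefix form, e.g. /someapp/static/*
            if request_uri.startswith(entry[:-1]):
                return False
        elif request_uri == entry:         # exact match against the full request URI
            return False
    return True

# Constructed properties fragments: the relative form that fails and the
# context-root-absolute form the answer arrived at.
RELATIVE_PROPS = "org.owasp.csrfguard.unprotected.Index=index.html\n"
ABSOLUTE_PROPS = "org.owasp.csrfguard.unprotected.Index=/someapp/index.html\n"

def check_index_page(properties_text: str) -> bool:
    """Would the entry page /someapp/index.html still be token-protected?"""
    # The container reports the full URI, context path included.
    return is_protected("/someapp/index.html", parse_unprotected(properties_text))

if __name__ == "__main__":
    # With the relative entry the landing page itself is blocked, so no
    # page can ever hand out a token and protect.html becomes unreachable.
    print("relative entry, index protected:", check_index_page(RELATIVE_PROPS))   # True
    print("absolute entry, index protected:", check_index_page(ABSOLUTE_PROPS))   # False
```

The same comparison cuts both ways: an entry written too broadly (or with the wrong context path) can silently leave a page unprotected, so the unprotected list is worth checking against real request URIs from the container logs.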