We are using nginx for https traffic offloading, proxying to a locally installed jasperserver (5.2) running on port 8080.
internet ---(https/443)---> nginx ---(http/8080)---> tomcat/jasperserver
When accessing the jasperserver directly on its port everything is fine. When accessing the service through nginx some functionalities are broken (e.g. editing a user in the jasperserver UI) and the jasperserver log has entries like this:
CSRFGuard: potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
After some debugging we found the cause for this:
In its standard configuration nginx is not forwarding request headers that contain underscores in their name. Jasperserver (and the OWASP framework) however default to using underscores for transmitting the csrf token (JASPER_CSRF_TOKEN and OWASP_CSRFTOKEN respectively).
Solution is to either:
- nginx: allow underscores in headers
  server {
      ...
      underscores_in_headers on;
  }
- jasperserver: jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties
Also see here:
Answered it myself - hopefully this is of some use to others, too.
I had this issue with the Jasperserver 5.5 AWS AMI.
More specifically:
/var/lib/tomcat7/webapps/jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties
Change:
org.owasp.csrfguard.TokenName=JASPER_CSRF_TOKEN
org.owasp.csrfguard.SessionKey=JASPER_CSRF_SESSION_KEY
To:
org.owasp.csrfguard.TokenName=JASPERCSRFTOKEN
org.owasp.csrfguard.SessionKey=JASPERCSRFSESSIONKEY
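A quick way to confirm which of the two fixes above is in effect (or whether a proxy in front of Jasperserver is still eating the CSRF header) is to send a request carrying the header through the proxy to an endpoint that echoes the headers it received. The script below is an added example, not code from either answer or from Jasperserver/nginx: it starts a tiny local echo server standing in for the backend, sends each candidate header name to a URL, and reports which names arrived intact. Run `demo()` as-is to see the headers pass straight to the backend; to test a real deployment, point `probe_header_passthrough` at the nginx side of an endpoint that echoes headers (the `/` path, the `probe-value` marker and the `nginx_default_drops` heuristic are this example's own assumptions).

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Header names discussed above. With nginx's defaults (underscores_in_headers off,
# ignore_invalid_headers on) any request header whose name contains '_' is
# silently dropped before it reaches the proxied backend.
CSRF_HEADERS = ["JASPER_CSRF_TOKEN", "OWASP_CSRFTOKEN"]


def nginx_default_drops(header_name):
    """Predict whether a stock nginx config would discard this request header."""
    return "_" in header_name


class EchoHandler(BaseHTTPRequestHandler):
    """Stand-in backend: return the request headers it received as JSON."""

    def do_GET(self):
        body = json.dumps(dict(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_echo_server():
    """Bind the echo backend on a free loopback port and serve it in a thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_header_passthrough(base_url, header_names):
    """Send each header to base_url and report which ones the echo endpoint saw.

    Returns {header_name: True/False}. Header names are case-insensitive, so the
    comparison is done on lower-cased keys (urllib rewrites the case it sends).
    """
    results = {}
    for name in header_names:
        req = urllib.request.Request(base_url, headers={name: "probe-value"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            received = json.loads(resp.read())
        received_lower = {k.lower(): v for k, v in received.items()}
        results[name] = received_lower.get(name.lower()) == "probe-value"
    return results


def demo():
    """Probe the local echo backend directly (no proxy in between)."""
    server = start_echo_server()
    try:
        url = "http://127.0.0.1:%d/" % server.server_address[1]
        return probe_header_passthrough(url, CSRF_HEADERS + ["X-CSRF-Token"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, arrived in demo().items():
        print("%-20s arrived=%s  default-nginx-would-drop=%s"
              % (name, arrived, nginx_default_drops(name)))
```

Against the local echo server every header arrives; the same probe aimed at the nginx front end will report `False` for the underscore names until `underscores_in_headers on;` is set, while the renamed `JASPERCSRFTOKEN` from the second answer passes either way.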