Tuesday, March 06, 2012

DWR:A request has been denied as a potential CSRF attack

Just in case you hit the same issue as me :)

"A request has been denied as a potential CSRF attack" Was facing this exception whenever a DWR call was made on specific browsers on different deployments. 

The issue was very inconsistent; what do I mean by that ? 
a) Unable to reproduce on dev instance across any browser
b) Reproducible on the Internal UAT instance only from Chrome browser
c) Reproducible on the client UAT instance on all the browsers - Chrome, IE, FF.

Following is the analysis as to why we were getting the SecurityException
  1. We had a requirement to implement HttpOnly feature. Therefore carried out an implementation of HttpOnly very similar to what is mentioned here - https://www.owasp.org/index.php/HttpOnly 
  2. Now this very implementation was causing the DWR to throw Security Exception.
  3. This thread - http://directwebremoting.org/jira/browse/DWR-440 - in particular was helpful to understand the internal working of DWR container
  4. The reason why I was facing the CSRF attack was because I was manipulating the JSESSIONID. Usually, JSESSIONIDs are generated by the Servlet Container & I was manipulating the JSESSIONID for HttpOnly as per the requirement.
  5. Here is another blog entry - http://alexsmolen.com/blog/?p=16 - which is quite informative on the java limitations of HttpOnly. The Cookie interface doesn't provide us the simple setter & getter for HttpOnly
  6. During this debugging got to know the DWR container security implementation. They have taken care of many concerns in the AJAX or JS related attacks - http://directwebremoting.org/dwr/documentation/security/index.html

Referenced links:

Labels: , ,


Blogger Mary said...

Hello, How do I get in touch with you? There is no email or contact info listed .. please advise .. thanks .. Mary. Please contact me maryregency at gmail dot com

8:47 AM  

Post a Comment

<< Home