Posted to user@struts.apache.org by Alireza Fattahi <af...@yahoo.com> on 2013/09/25 21:52:04 UTC

Prevent Ajax Multi-Request in Struts 2

Hi,

We want to avoid multiple requests being sent via Ajax in a Struts 2 web-based application.

The `s:token` can be used in regular request-response JSP pages, but it will not work for Ajax requests. The problem is the returned response, which does not populate a new value for the Struts token.

I found this issue at http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests but I wonder if there is any better way for that? (I think this is a very common issue which must have been managed in Struts.)

 
~Regards,
~~Alireza Fattahi

Re: Prevent Ajax Multi-Request in Struts 2

Posted by Paul Benedict <pb...@apache.org>.
Alireza, use some sort of pre-authenticated token. Ignore requests that
have a bad token.


On Thu, Sep 26, 2013 at 7:43 AM, JOSE L MARTINEZ-AVIAL <jl...@gmail.com> wrote:

> Hi,
>   Since XHR requests cannot be cross-domain, you cannot get a CSRF through
> XHR (the browser will not allow another page to send an XHR to your server).
> The only option would be a normal POST against your supposed-Ajax URL. In
> order to protect against it, we check for an HTTP header that is sent on
> any Ajax request by our JavaScript framework (Dojo). A normal form cannot
> be manipulated to add that header, so if the request is supposed to be Ajax
> and it does not have the header, you can reject it, because it is a CSRF
> attempt.
>
>
> Regards
>
> JL
>
>
>
> 2013/9/25 Alireza Fattahi <af...@yahoo.com>
>
> > Hi,
> >
> > We want to avoid multiple requests being sent via Ajax in a Struts 2 web-based
> > application.
> >
> > The `s:token` can be used in regular request-response JSP pages, but it
> > will not work for Ajax requests. The problem is the returned response,
> > which does not populate a new value for the Struts token.
> >
> > I found this issue at
> > http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests
> > but I wonder if there is any better way for that? (I think this is a very
> > common issue which must have been managed in Struts.)
> >
> >
> > ~Regards,
> > ~~Alireza Fattahi
> >
>



-- 
Cheers,
Paul

Re: Prevent Ajax Multi-Request in Struts 2

Posted by Alireza Fattahi <af...@yahoo.com>.
Thanks, 
I was looking at multi-request prevention; is my problem equal to the CSRF issue?
 
 
~Regards,
~~Alireza Fattahi
 

________________________________
 From: Martin Gainty <mg...@hotmail.com>
To: Struts Users Mailing List <us...@struts.apache.org> 
Sent: Friday, 27 September 2013, 0:12
Subject: RE: Prevent Ajax Multi-Request in Struts 2
  

To mitigate, add a "nonce" to the form.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Saludos
Martin-
  


> Date: Thu, 26 Sep 2013 08:43:12 -0400
> Subject: Re: Prevent Ajax Multi-Request in Struts 2
> From: jlmagc@gmail.com
> To: user@struts.apache.org; afattahi@yahoo.com
> 
> Hi,
> Since XHR requests cannot be cross-domain, you cannot get a CSRF through
> XHR (the browser will not allow another page to send an XHR to your server).
> The only option would be a normal POST against your supposed-Ajax URL. In
> order to protect against it, we check for an HTTP header that is sent on
> any Ajax request by our JavaScript framework (Dojo). A normal form cannot
> be manipulated to add that header, so if the request is supposed to be Ajax
> and it does not have the header, you can reject it, because it is a CSRF
> attempt.
> 
> 
> Regards
> 
> JL
> 
> 
> 
> 2013/9/25 Alireza Fattahi <af...@yahoo.com>
> 
> > Hi,
> >
> > We want to avoid multiple requests being sent via Ajax in a Struts 2 web-based
> > application.
> >
> > The `s:token` can be used in regular request-response JSP pages, but it
> > will not work for Ajax requests. The problem is the returned response, which
> > does not populate a new value for the Struts token.
> >
> > I found this issue at
> > http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests
> > but I wonder if there is any better way for that? (I think this is a very
> > common issue which must have been managed in Struts.)
> >
> >
> > ~Regards,
> > ~~Alireza Fattahi
> >

RE: Prevent Ajax Multi-Request in Struts 2

Posted by Martin Gainty <mg...@hotmail.com>.
To mitigate, add a "nonce" to the form.
 
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Saludos
Martin-
  


> Date: Thu, 26 Sep 2013 08:43:12 -0400
> Subject: Re: Prevent Ajax Multi-Request in Struts 2
> From: jlmagc@gmail.com
> To: user@struts.apache.org; afattahi@yahoo.com
> 
> Hi,
> Since XHR requests cannot be cross-domain, you cannot get a CSRF through
> XHR (the browser will not allow another page to send an XHR to your server).
> The only option would be a normal POST against your supposed-Ajax URL. In
> order to protect against it, we check for an HTTP header that is sent on
> any Ajax request by our JavaScript framework (Dojo). A normal form cannot
> be manipulated to add that header, so if the request is supposed to be Ajax
> and it does not have the header, you can reject it, because it is a CSRF
> attempt.
> 
> 
> Regards
> 
> JL
> 
> 
> 
> 2013/9/25 Alireza Fattahi <af...@yahoo.com>
> 
> > Hi,
> >
> > We want to avoid multiple requests being sent via Ajax in a Struts 2 web-based
> > application.
> >
> > The `s:token` can be used in regular request-response JSP pages, but it
> > will not work for Ajax requests. The problem is the returned response, which
> > does not populate a new value for the Struts token.
> >
> > I found this issue at
> > http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests
> > but I wonder if there is any better way for that? (I think this is a very
> > common issue which must have been managed in Struts.)
> >
> >
> > ~Regards,
> > ~~Alireza Fattahi
> >

Re: Prevent Ajax Multi-Request in Struts 2

Posted by jl...@gmail.com.
What are you using on the client for the Ajax calls? Dojo? jQuery? They both generate an HTTP header “x-requested-with” with value “XMLHTTPrequest”. A normal POST cannot add HTTP headers, so checking for that header allows you to be sure the request was made using XHR. Since XHR cannot work cross-domain, if the header is present, you can be sure it is not a CSRF. Obviously, this does not work if you are susceptible to code injection.

If you are using plain XHR (no JavaScript framework) you can add the header yourself. Take a look at how Dojo does it.

HIH.

JL
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Alireza Fattahi <af...@yahoo.com>
Date: Mon, 7 Oct 2013 22:01:47 
To: Struts Users Mailing List<us...@struts.apache.org>
Reply-To: "Struts Users Mailing List" <us...@struts.apache.org>
Subject: Re: Prevent Ajax Multi-Request in Struts 2

Jose,
 
I am still in the middle of this problem :(
Can you please let me know what you mean by "check HTTP header"?!

~Regards,
~~Alireza Fattahi
 

________________________________
 From: JOSE L MARTINEZ-AVIAL <jl...@gmail.com>
To: Struts Users Mailing List <us...@struts.apache.org>; Alireza Fattahi <af...@yahoo.com> 
Sent: Thursday, 26 September 2013, 16:13
Subject: Re: Prevent Ajax Multi-Request in Struts 2
  

Hi,
  Since XHR requests cannot be cross-domain, you cannot get a CSRF through
XHR (the browser will not allow another page to send an XHR to your server).
The only option would be a normal POST against your supposed-Ajax URL. In
order to protect against it, we check for an HTTP header that is sent on
any Ajax request by our JavaScript framework (Dojo). A normal form cannot
be manipulated to add that header, so if the request is supposed to be Ajax
and it does not have the header, you can reject it, because it is a CSRF
attempt.


Regards

JL




2013/9/25 Alireza Fattahi <af...@yahoo.com>

> Hi,
>
> We want to avoid multiple requests being sent via Ajax in a Struts 2 web-based
> application.
>
> The `s:token` can be used in regular request-response JSP pages, but it
> will not work for Ajax requests. The problem is the returned response, which
> does not populate a new value for the Struts token.
>
> I found this issue at
> http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests
> but I wonder if there is any better way for that? (I think this is a very
> common issue which must have been managed in Struts.)
>
>
> ~Regards,
> ~~Alireza Fattahi
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
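
The following is an added example written for this thread, not code from the Struts project or from any of the posters. It is a Struts 2 interceptor that puts the two ideas above into one place: JL's check for the `X-Requested-With` header that Dojo and jQuery attach to every XHR, and a one-time token for Ajax calls that is rotated on every accepted request and handed back in a response header, which is the piece the original post found missing (the Ajax response never carried a fresh token). The header name `X-Ajax-Token`, the session key, the package name and the `currentToken` bootstrap helper are assumptions for this example; the result name `invalid.token` is the same one the Struts `TokenInterceptor` returns, so an existing result mapping for it can be reused.

```java
package example.security; // hypothetical package, not part of the thread

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

/**
 * Guards Ajax actions with the two checks discussed in this thread:
 *  1. the request must carry the X-Requested-With header that Dojo/jQuery add
 *     to every XHR and that a plain HTML form post cannot set;
 *  2. the request must present the current one-time token in a header; the
 *     token is rotated on every accepted request and the new value is returned
 *     in a response header, so a second submit with the same token is rejected.
 * Header names and the session key below are assumptions made for this example.
 */
public class AjaxTokenInterceptor extends AbstractInterceptor {

    static final String XHR_HEADER    = "X-Requested-With";
    static final String TOKEN_HEADER  = "X-Ajax-Token";      // assumed header name
    static final String SESSION_KEY   = "example.ajaxToken"; // assumed session key
    // Same result name Struts' own TokenInterceptor returns (INVALID_TOKEN_CODE).
    static final String INVALID_TOKEN = "invalid.token";

    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();
        Map<String, Object> session = invocation.getInvocationContext().getSession();

        // Check 1: reject anything that was not sent as an XHR call.
        if (!"XMLHttpRequest".equalsIgnoreCase(request.getHeader(XHR_HEADER))) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return INVALID_TOKEN;
        }

        // Check 2: compare-and-rotate under the session lock, so two XHRs that
        // present the same token (a double submit) cannot both succeed.
        String presented = request.getHeader(TOKEN_HEADER);
        String fresh = null;
        synchronized (session) {
            String expected = (String) session.get(SESSION_KEY);
            if (expected != null && presented != null && constantTimeEquals(expected, presented)) {
                fresh = newToken();
                session.put(SESSION_KEY, fresh); // the presented token is now dead
            }
        }
        if (fresh == null) {
            // Missing, stale or already-used token. The session keeps its current
            // token, so the caller that holds it (the first submit) is unaffected.
            response.setStatus(HttpServletResponse.SC_CONFLICT);
            return INVALID_TOKEN;
        }

        // Hand the new token back; the JS client stores it for its next call.
        response.setHeader(TOKEN_HEADER, fresh);
        return invocation.invoke();
    }

    /** Token to embed in the page that bootstraps the Ajax client (e.g. a meta tag). */
    public static String currentToken(Map<String, Object> session) {
        synchronized (session) {
            String token = (String) session.get(SESSION_KEY);
            if (token == null) {
                token = newToken();
                session.put(SESSION_KEY, token);
            }
            return token;
        }
    }

    private static String newToken() {
        byte[] bytes = new byte[32]; // 256 bits from a CSPRNG
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

To use it, declare the interceptor in `struts.xml` and add it to the stack of the Ajax actions, map the `invalid.token` result to an error response (the built-in `httpheader` result type, or whatever JSON error the client expects), and have the page that loads the JavaScript client embed `AjaxTokenInterceptor.currentToken(session)` once; the client then reads `X-Ajax-Token` from each response with `getResponseHeader` and sends it as a request header on the next call. The token check is what answers the original double-submit question: the header check alone only distinguishes XHR from a plain form post, while the rotating token makes a repeated request, whether from a double click or a replayed XHR, fail with 409 and leave the first request's outcome intact.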

Re: Prevent Ajax Multi-Request in Struts 2

Posted by jl...@gmail.com.
Sorry, I just read your mail again, and realize you are not asking specifically for CSRF protection (the link you provided is about that, but not your mail), but just how to avoid multi-request, so maybe my answer is not useful at all.

JL
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: jlmagc@gmail.com
Date: Tue, 8 Oct 2013 05:23:05 
To: Struts Users Mailing List<us...@struts.apache.org>; Alireza Fattahi<af...@yahoo.com>
Reply-To: jlmagc@gmail.com
Subject: Re: Prevent Ajax Multi-Request in Struts 2

What are you using on the client for the Ajax calls? Dojo? jQuery? They both generate an HTTP header “x-requested-with” with value “XMLHTTPrequest”. A normal POST cannot add HTTP headers, so checking for that header allows you to be sure the request was made using XHR. Since XHR cannot work cross-domain, if the header is present, you can be sure it is not a CSRF. Obviously, this does not work if you are susceptible to code injection.

If you are using plain XHR (no JavaScript framework) you can add the header yourself. Take a look at how Dojo does it.

HIH.

JL
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Alireza Fattahi <af...@yahoo.com>
Date: Mon, 7 Oct 2013 22:01:47 
To: Struts Users Mailing List<us...@struts.apache.org>
Reply-To: "Struts Users Mailing List" <us...@struts.apache.org>
Subject: Re: Prevent Ajax Multi-Request in Struts 2

Jose,
 
I am still in the middle of this problem :(
Can you please let me know what you mean by "check HTTP header"?!

~Regards,
~~Alireza Fattahi
 

________________________________
 From: JOSE L MARTINEZ-AVIAL <jl...@gmail.com>
To: Struts Users Mailing List <us...@struts.apache.org>; Alireza Fattahi <af...@yahoo.com> 
Sent: Thursday, 26 September 2013, 16:13
Subject: Re: Prevent Ajax Multi-Request in Struts 2
  

Hi,
  Since XHR requests cannot be cross-domain, you cannot get a CSRF through
XHR (the browser will not allow another page to send an XHR to your server).
The only option would be a normal POST against your supposed-Ajax URL. In
order to protect against it, we check for an HTTP header that is sent on
any Ajax request by our JavaScript framework (Dojo). A normal form cannot
be manipulated to add that header, so if the request is supposed to be Ajax
and it does not have the header, you can reject it, because it is a CSRF
attempt.


Regards

JL




2013/9/25 Alireza Fattahi <af...@yahoo.com>

> Hi,
>
> We want to avoid multiple requests being sent via Ajax in a Struts 2 web-based
> application.
>
> The `s:token` can be used in regular request-response JSP pages, but it
> will not work for Ajax requests. The problem is the returned response, which
> does not populate a new value for the Struts token.
>
> I found this issue at
> http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests
> but I wonder if there is any better way for that? (I think this is a very
> common issue which must have been managed in Struts.)
>
>
> ~Regards,
> ~~Alireza Fattahi
>

Re: Prevent Ajax Multi-Request in Struts 2

Posted by Alireza Fattahi <af...@yahoo.com>.
Jose,
 
I am still in the middle of this problem :(
Can you please let me know what you mean by "check HTTP header"?!

~Regards,
~~Alireza Fattahi
 

________________________________
 From: JOSE L MARTINEZ-AVIAL <jl...@gmail.com>
To: Struts Users Mailing List <us...@struts.apache.org>; Alireza Fattahi <af...@yahoo.com> 
Sent: Thursday, 26 September 2013, 16:13
Subject: Re: Prevent Ajax Multi-Request in Struts 2
  

Hi,
  Since XHR requests cannot be cross-domain, you cannot get a CSRF through
XHR (the browser will not allow another page to send an XHR to your server).
The only option would be a normal POST against your supposed-Ajax URL. In
order to protect against it, we check for an HTTP header that is sent on
any Ajax request by our JavaScript framework (Dojo). A normal form cannot
be manipulated to add that header, so if the request is supposed to be Ajax
and it does not have the header, you can reject it, because it is a CSRF
attempt.


Regards

JL




2013/9/25 Alireza Fattahi <af...@yahoo.com>

> Hi,
>
> We want to avoid multiple requests being sent via Ajax in a Struts 2 web-based
> application.
>
> The `s:token` can be used in regular request-response JSP pages, but it
> will not work for Ajax requests. The problem is the returned response, which
> does not populate a new value for the Struts token.
>
> I found this issue at
> http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests
> but I wonder if there is any better way for that? (I think this is a very
> common issue which must have been managed in Struts.)
>
>
> ~Regards,
> ~~Alireza Fattahi
>

Re: Prevent Ajax Multi-Request in Struts 2

Posted by JOSE L MARTINEZ-AVIAL <jl...@gmail.com>.
Hi,
  Since XHR requests cannot be cross-domain, you cannot get a CSRF through
XHR (the browser will not allow another page to send an XHR to your server).
The only option would be a normal POST against your supposed-Ajax URL. In
order to protect against it, we check for an HTTP header that is sent on
any Ajax request by our JavaScript framework (Dojo). A normal form cannot
be manipulated to add that header, so if the request is supposed to be Ajax
and it does not have the header, you can reject it, because it is a CSRF
attempt.


Regards

JL



2013/9/25 Alireza Fattahi <af...@yahoo.com>

> Hi,
>
> We want to avoid multiple requests being sent via Ajax in a Struts 2 web-based
> application.
>
> The `s:token` can be used in regular request-response JSP pages, but it
> will not work for Ajax requests. The problem is the returned response, which
> does not populate a new value for the Struts token.
>
> I found this issue at
> http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests
> but I wonder if there is any better way for that? (I think this is a very
> common issue which must have been managed in Struts.)
>
>
> ~Regards,
> ~~Alireza Fattahi
>