Posted to user@struts.apache.org by Alireza Fattahi <af...@yahoo.com> on 2013/10/08 07:01:47 UTC

Re: Prevent Ajax Multi-Request in Struts 2

Jose,
 
I am still in the middle of this problem :(
Can you please let me know what you mean by "check HTTP header" ?!

~Regards,
~~Alireza Fattahi
 

________________________________
 From: JOSE L MARTINEZ-AVIAL <jl...@gmail.com>
To: Struts Users Mailing List <us...@struts.apache.org>; Alireza Fattahi <af...@yahoo.com> 
Sent: Thursday, 26 September 2013, 16:13
Subject: Re: Prevent Ajax Multi-Request in Struts 2
  

Hi,
  Since XHR requests cannot be cross-domain, you cannot get a CSRF through
XHR (the browser will not allow another page to send an XHR to your server).
The only option would be a normal post against your supposed-ajax URL. In
order to protect against it, we check for an HTTP header that is sent on
any ajax request by our javascript framework (Dojo). A normal form cannot
be manipulated to add that header, so if the request is supposed to be ajax,
and it does not have the header, you can reject it, because it is a CSRF
attempt.


Regards

JL




2013/9/25 Alireza Fattahi <af...@yahoo.com>

> Hi,
>
> We want to avoid multi-request sent via Ajax in struts 2 web based
> application.
>
> The `s:token` can be used in regular request-response jsp pages, but it
> will not work for ajax requests. The problem is the returned respond, which
> does not populate new value for struts token.
>
> I found this issue at
> http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests but I wonder if there is any better way for that? (I think this is a very
> common issue which must have been managed in struts)
>
>
> ~Regards,
> ~~Alireza Fattahi
>

Re: Prevent Ajax Multi-Request in Struts 2

Posted by jl...@gmail.com.
What are you using on the client for the ajax calls? Dojo? Jquery? They both generate an http header “x-requested-with” with value “XMLHTTPrequest”. A normal post cannot add http headers, so checking for that header allows you to be sure the request was made using XHR. Since XHR cannot work cross-domain, if the header is present, you can be sure it is not a CSRF. Obviously, this does not work if you are susceptible to code injection.

If you are using plain xhr (no javascript framework) you can add the header yourself. Take a look at how dojo does it.

HIH.

JL
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Alireza Fattahi <af...@yahoo.com>
Date: Mon, 7 Oct 2013 22:01:47 
To: Struts Users Mailing List<us...@struts.apache.org>
Reply-To: "Struts Users Mailing List" <us...@struts.apache.org>
Subject: Re: Prevent Ajax Multi-Request in Struts 2


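The header check JL describes, as an added example for Struts 2 (this is not code from the thread, from Dojo, or from the Struts project): an interceptor that refuses a request to an Ajax-only action unless it carries `X-Requested-With: XMLHttpRequest`, the header Dojo and jQuery add to every XHR and that a plain HTML form post cannot set. It assumes the Struts 2.3-era interceptor API (`com.opensymphony.xwork2` and `org.apache.struts2.ServletActionContext`); the package `example.security`, the class name and the error message are this example's own.

```java
// Added example, not code from the mailing-list thread or the Struts project.
// Assumes the Struts 2.3-era API; package and class names are hypothetical.
package example.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;

/**
 * Rejects requests to Ajax-only actions that do not carry the marker header
 * set by XHR frameworks. A cross-site <form> post cannot add custom headers,
 * so a request without it did not come from the application's own JavaScript.
 */
public class RequireXhrInterceptor extends AbstractInterceptor {

    public static final String HEADER = "X-Requested-With";
    public static final String EXPECTED = "XMLHttpRequest";

    /**
     * True when the request carries the marker header with the expected value.
     * The value comparison ignores case: jQuery and Dojo send "XMLHttpRequest",
     * and hand-written clients are not always consistent about capitalisation.
     * Header names are case-insensitive by the servlet spec, so getHeader()
     * already matches "x-requested-with".
     */
    public static boolean isXhr(HttpServletRequest request) {
        String value = request.getHeader(HEADER);
        return value != null && value.trim().equalsIgnoreCase(EXPECTED);
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        if (!isXhr(request)) {
            // Plain form post against the Ajax URL: the CSRF vector JL describes.
            // Answer 403 and execute no result; the action body never runs.
            HttpServletResponse response = ServletActionContext.getResponse();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Ajax-only action: missing " + HEADER + " header");
            return Action.NONE;
        }
        // Genuine XHR from our own pages: continue down the interceptor stack.
        return invocation.invoke();
    }
}
```

Register it in struts.xml as `<interceptor name="requireXhr" class="example.security.RequireXhrInterceptor"/>` and reference it with `<interceptor-ref name="requireXhr"/>` ahead of the default stack on the Ajax-only actions, so the rejection happens before parameter population. Two caveats for anyone adopting it: the check holds because a browser will not attach a custom header to a cross-origin request without a CORS preflight that the server must explicitly approve, so these endpoints must not answer preflights with a permissive `Access-Control-Allow-Headers`; and, as JL points out in his follow-up, this addresses CSRF only, not duplicate submissions, so `s:token` stays in place on the regular form posts.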
Re: Prevent Ajax Multi-Request in Struts 2

Posted by jl...@gmail.com.
Sorry, I just read your mail again, and realize you are not asking specifically for csrf protection (the link you provided is about that, but not your mail), but just how to avoid multirequest, so maybe my answer is not useful at all.

JL
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: jlmagc@gmail.com
Date: Tue, 8 Oct 2013 05:23:05 
To: Struts Users Mailing List<us...@struts.apache.org>; Alireza Fattahi<af...@yahoo.com>
Reply-To: jlmagc@gmail.com
Subject: Re: Prevent Ajax Multi-Request in Struts 2
