struts-user mailing list archives

From Alireza Fattahi <afatt...@yahoo.com>
Subject Re: Prevent Ajax Multi-Request in Struts 2
Date Mon, 30 Sep 2013 10:23:20 GMT
Thanks,
I was looking at multi-request prevention; is my problem equal to the CSRF issue?
 
 
~Regards,
~~Alireza Fattahi
 

________________________________
 From: Martin Gainty <mgainty@hotmail.com>
To: Struts Users Mailing List <user@struts.apache.org> 
Sent: Friday, 27 September 2013, 0:12
Subject: RE: Prevent Ajax Multi-Request in Struts 2
  

To mitigate, add a "nonce" to the form

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Saludos
Martin-
  


> Date: Thu, 26 Sep 2013 08:43:12 -0400
> Subject: Re: Prevent Ajax Multi-Request in Struts 2
> From: jlmagc@gmail.com
> To: user@struts.apache.org; afattahi@yahoo.com
> 
> Hi,
> Since XHR requests cannot be cross-domain, you cannot get a CSRF through
> XHR (the browser will not allow another page to send an XHR to your server).
> The only option would be a normal POST against your supposed-Ajax URL. In
> order to protect against it, we check for an HTTP header that is sent on
> any Ajax request by our JavaScript framework (Dojo). A normal form cannot
> be manipulated to add that header, so if the request is supposed to be Ajax
> and it does not have the header, you can reject it, because it is a CSRF
> attempt.
> 
> 
> Regards
> 
> JL
> 
> 
> 
> 2013/9/25 Alireza Fattahi <afattahi@yahoo.com>
> 
> > Hi,
> >
> > We want to avoid multi-request sent via Ajax in struts 2 web based
> > application.
> >
> > The `s:token` can be used in regular request-response JSP pages, but it
> > will not work for Ajax requests. The problem is the returned response, which
> > does not populate a new value for the Struts token.
> >
> > I found this issue at
> > http://stackoverflow.com/questions/13353577/howto-do-csrf-protection-in-struts2-application-for-ajax-requests
> > but I wonder if there is any better way for that? (I think this is a very
> > common issue which must have been managed in Struts)
> >
> >
> > ~Regards,
> > ~~Alireza Fattahi
> >
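The two defences discussed in this thread, rejecting Ajax-only URLs when the XHR header is absent (JL's approach) and validating a per-session nonce (Martin's pointer), can be combined in one Struts 2 interceptor that also solves the original question: it returns the next token in a response header so an Ajax client can rotate it, which the `s:token` tag cannot do for XHR. The following is an added example written for this thread; it is not Struts' own `TokenInterceptor` and not code from any of the posters. The class name `AjaxTokenInterceptor`, the header names `X-Struts-Token` and `X-Struts-Next-Token` and the session attribute key are assumptions; the `X-Requested-With: XMLHttpRequest` header is what Dojo and jQuery actually send, and a cross-origin page cannot add it without a CORS preflight that the server would have to approve.

```java
// Hypothetical example for this thread; not Struts' TokenInterceptor and not
// any poster's code. Class name, custom header names and the session key are
// assumptions. Requires the Struts 2 core and servlet API jars on the classpath.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class AjaxTokenInterceptor extends AbstractInterceptor {

    /** Set by Dojo/jQuery on every XHR; a plain HTML form cannot add it. */
    static final String XHR_HEADER = "X-Requested-With";
    /** Request header in which the client echoes its current token (assumed name). */
    static final String TOKEN_REQUEST_HEADER = "X-Struts-Token";
    /** Response header carrying the next token back to the client (assumed name). */
    static final String TOKEN_RESPONSE_HEADER = "X-Struts-Next-Token";
    /** Session attribute holding the single valid token (assumed name). */
    static final String SESSION_KEY = "ajax.csrf.token";

    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();
        HttpSession session = request.getSession(true);

        // 1. XHR header check: a normal form POST against an Ajax-only URL
        //    lacks this header, so reject it as a forged request.
        if (!"XMLHttpRequest".equals(request.getHeader(XHR_HEADER))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "XHR header missing");
            return Action.NONE; // no result is rendered
        }

        // 2. Nonce check: compare the presented token with the session's copy in
        //    constant time. A missing, forged or already-used token is rejected.
        String expected = (String) session.getAttribute(SESSION_KEY);
        String presented = request.getHeader(TOKEN_REQUEST_HEADER);
        if (expected == null || presented == null || !constantTimeEquals(expected, presented)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid or repeated token");
            return Action.NONE;
        }

        // 3. Rotate before the action runs: a duplicate submission of the same
        //    request (double-click, retry) now carries a stale token and fails
        //    step 2. The client reads the new token from the response header.
        String next = newToken();
        session.setAttribute(SESSION_KEY, next);
        response.setHeader(TOKEN_RESPONSE_HEADER, next);

        return invocation.invoke();
    }

    /** Called from the JSP that renders the page, so the client has a first token. */
    public static String currentOrNewToken(HttpSession session) {
        String token = (String) session.getAttribute(SESSION_KEY);
        if (token == null) {
            token = newToken();
            session.setAttribute(SESSION_KEY, token);
        }
        return token;
    }

    /** 256 bits from SecureRandom, hex-encoded (no Java 8 Base64 dependency). */
    static String newToken() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        StringBuilder sb = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** MessageDigest.isEqual compares in constant time once lengths match. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Register the class as an interceptor in struts.xml and put it on the stack of the Ajax actions only; the page that bootstraps the client embeds `AjaxTokenInterceptor.currentOrNewToken(session)` (a meta tag is enough), the JavaScript sends that value in `X-Struts-Token` on each XHR and replaces its copy with the `X-Struts-Next-Token` header of every response. One caveat a practitioner should expect: because a single token per session rotates on every request, two Ajax calls in flight at once from the same page will have the second rejected; that is the same single-token model `s:token` uses, and it is exactly what makes a duplicate submission detectable, so either serialise the client's requests or keep a separate token per form if concurrent calls are required.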