Prince Manchanda wrote: We implemented OWASP's CSRFGuard to protect our pages in the web application. For example */myCsrfProtected.jsp. We have injected the CSRF token at all occurrences of */myCsrfProtected.jsp within the application. Everything works fine.
However, we have another use case where the link to this protected page is sent out to users in an email. Think about a link to a report. Now when a user clicks on this link, the token is missing or invalid and hence the CSRFGuard filter blocks the request, assuming this to be a CSRF attack. (This is what the filter has been implemented for :-) )
Is there any way to handle this use case and allow access to a CSRF protected page from outside the application?
Hi, this is a great question because it highlights exactly what CSRF is and what CSRF guards should be used for. CSRF is usually defined as a way to trick people into triggering requests that change stuff (like deleting, updating, or creating records). If the request doesn't change data, but is just used to view a page or generate a report, then it probably doesn't need CSRF Guard, right? CSRF Guard is used to guarantee, with the use of a one-time token, that the request was generated from a page within the web application. So, the short answer to your question is no, you don't want to use CSRF Guard on a page that you want accessed via an email link.
You should be able to skip CSRF protection for these pages.
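The decision logic the answer describes, written out as an added example (this is illustrative code, not part of the thread and not CSRFGuard's own implementation; CSRFGuard itself handles this through its properties configuration, where pages can be listed as unprotected). It assumes a hypothetical read-only report page `/report.jsp` reached from an email link, keeps `/myCsrfProtected.jsp` from the question under protection, and uses `OWASP_CSRFTOKEN` as the token parameter name (CSRFGuard's default; adjust to your configuration). One extra design choice beyond the answer: an exempted path is only honoured for GET/HEAD, so that an exemption for a "report" page can never silently cover a handler that changes state.

```python
"""Toy CSRF filter: token check for protected pages, exemption for read-only pages.

Added example. Requests and tokens below are constructed inline; this is not
CSRFGuard's code and does not reflect its internal API.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Methods that must not change server state (RFC 7231 "safe" methods).
SAFE_METHODS = {"GET", "HEAD"}

# Hypothetical read-only page that is linked from emails, so it is exempted.
# The page under protection in the question, /myCsrfProtected.jsp, is NOT listed.
UNPROTECTED_PATHS = {"/report.jsp"}

# CSRFGuard's default token name (assumption: your deployment may rename it).
TOKEN_PARAM = "OWASP_CSRFTOKEN"


@dataclass
class Request:
    """Minimal stand-in for a servlet request."""
    method: str
    path: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def new_token() -> str:
    """Per-session token; CSRFGuard stores its token in the HTTP session."""
    return secrets.token_urlsafe(32)


def csrf_decision(req: Request, session_token: str,
                  unprotected_paths=UNPROTECTED_PATHS,
                  token_param: str = TOKEN_PARAM):
    """Return (allowed, reason) for a request.

    Exempted paths skip the token check, but only for safe methods: an
    exemption exists for viewing, never for a state change. Everything else
    must carry the session's token in the form body or a header.
    """
    if req.path in unprotected_paths:
        if req.method in SAFE_METHODS:
            return True, "unprotected read-only page"
        return False, "unprotected page must not accept state-changing methods"

    presented = req.form.get(token_param) or req.headers.get(token_param)
    if presented is None:
        return False, "missing token"
    # Constant-time comparison; both values are ASCII str here.
    if not hmac.compare_digest(presented, session_token):
        return False, "invalid token"
    return True, "valid token"


def demo():
    """Run the scenario from the thread on constructed requests."""
    token = new_token()
    cases = [
        # Email link to the read-only report: no token, still allowed.
        Request("GET", "/report.jsp"),
        # Email link to a page that stayed protected: blocked, as in the question.
        Request("GET", "/myCsrfProtected.jsp"),
        # In-app form submission carrying the injected token: allowed.
        Request("POST", "/myCsrfProtected.jsp", form={TOKEN_PARAM: token}),
        # Forged cross-site POST with a guessed token: blocked.
        Request("POST", "/myCsrfProtected.jsp", form={TOKEN_PARAM: "guess"}),
        # Someone wired a state change onto the exempted path: refused outright.
        Request("POST", "/report.jsp"),
    ]
    return [(r.method, r.path) + csrf_decision(r, token) for r in cases]


if __name__ == "__main__":
    for method, path, allowed, reason in demo():
        print(f"{method:5} {path:22} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The exemption list is the only thing the email-link case needs; the read-only page then has to rely on the normal session/authorization checks, which CSRF tokens were never a substitute for.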