Cross site request forgery

 
Greenhorn
Posts: 20
Hi,

One security issue (Cross Site Request Forgery) was found in a web application scan.

Exception:

2 May 2013 22:35:35,603 [SocketListener0-10] ERROR com.xelus.solos.trans.TransRunner - InvocationTargetException
java.lang.reflect.InvocationTargetException
at sun.reflect.GeneratedMethodAccessor267.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.xelus.solos.trans.TransRunner.execute(Unknown Source)
at com.xelus.solos.trans.AuthenticateTrans.authenticate(Unknown Source)
at sun.reflect.GeneratedMethodAccessor268.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.xelus.solos.trans.TransRunner.execute(Unknown Source)
at com.xelus.solos.servlet.TransServlet.doPost(Unknown Source)
at com.xelus.solos.servlet.TransServlet.doGet(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:596)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:428)
at org.mortbay.jetty.servlet.ServletHandler.dispatch(ServletHandler.java:666)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:568)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1530)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)
at org.mortbay.http.HttpServer.service(HttpServer.java:909)
at org.mortbay.http.HttpConnection.service(HttpConnection.java:816)
at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:982)
at org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)
at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)
at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)
Caused by: com.xelus.solos.persistent.ConcurrentUpdateException: Multiple users are attempting to update the POSITION_LOG
at com.xelus.solos.persistent.PersistentObject.checkUpdateStamp(Unknown Source)
at com.xelus.solos.persistent.PersistentObject.checkUpdateStamp(Unknown Source)
at com.xelus.solos.persistent.PositionLog.save(Unknown Source)
at com.xelus.solos.persistent.User.save(Unknown Source)
at com.xelus.solos.trans.NewsTrans.displayNews(Unknown Source)


It looks like multiple users are trying to update at the same time. How can we restrict this? This exception is occurring on the home page of the application.


The solution is to use anti-Cross-Site Request Forgery tokens.


My problem is that we can generate the token only after logging into the application; then the system immediately displays the application home page. So how can we pass and validate the token?

The flow is: Login page -> home page


Is there any other way to fix this issue?




 
Rancher
Posts: 43026
It doesn't sound as if this has anything to do with CSRF. The usual approach to handle concurrent DB accesses is to use transactions.
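The retry-under-transaction pattern referred to above, as an added example that is not code from this thread or from the application in the stack trace. It is JDBC against a hypothetical app_user table with id, last_login and version columns (table, column and class names are assumptions). The ConcurrentUpdateException raised from checkUpdateStamp in the trace is what an optimistic-locking check throws when another request changed the row first; instead of letting that propagate to the home page, the update is re-run against the row's current version a bounded number of times, and the caller decides what losing the race means (for a last-login stamp, nothing).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;

/**
 * Optimistic-locking update with bounded retry (added example; table and column names are assumptions).
 * Two browsers logging in as the same user race on the same row; the loser rereads and retries.
 */
public class LastLoginUpdater {
    private static final int MAX_ATTEMPTS = 3;

    /** Returns true once the row was updated, false if it lost the race MAX_ATTEMPTS times in a row. */
    public static boolean touchLastLogin(Connection conn, long userId) throws SQLException {
        boolean previousAutoCommit = conn.getAutoCommit();
        conn.setAutoCommit(false);
        try {
            for (int attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
                long version = readVersion(conn, userId);
                // The WHERE clause is the update-stamp check: it matches only if nobody bumped
                // version between our SELECT and this UPDATE.
                try (PreparedStatement ps = conn.prepareStatement(
                        "UPDATE app_user SET last_login = ?, version = version + 1 "
                        + "WHERE id = ? AND version = ?")) {
                    ps.setTimestamp(1, new Timestamp(System.currentTimeMillis()));
                    ps.setLong(2, userId);
                    ps.setLong(3, version);
                    if (ps.executeUpdate() == 1) {
                        conn.commit();
                        return true;
                    }
                }
                conn.rollback(); // another request won the race; reread its version and try again
            }
            return false; // caller decides: for a last-login stamp, ignoring the loss is acceptable
        } catch (SQLException e) {
            conn.rollback();
            throw e;
        } finally {
            conn.setAutoCommit(previousAutoCommit);
        }
    }

    /** Reads the row's current version inside the open transaction. */
    private static long readVersion(Connection conn, long userId) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT version FROM app_user WHERE id = ?")) {
            ps.setLong(1, userId);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    throw new SQLException("no such user: " + userId);
                }
                return rs.getLong(1);
            }
        }
    }
}
```

The retry cap matters: an unbounded loop under heavy contention (the thousand-requests-a-minute case mentioned later in this thread) would turn a conflict into a CPU and connection-pool drain, so a caller that keeps seeing false should log it and move on rather than spin.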
 
Sheriff
Posts: 67590
Based upon other posts, you seem to assume that any database problem is a result of CSRF. I'd recommend you read up on what Cross Site Request Forgery actually is.
 
lakshmi gullapudi
Greenhorn
Posts: 20
Actually, in the scanned report, they mentioned it as cross site request forgery.

In the logs, I found these exceptions.
 
Ulf Dittmer
Rancher
Posts: 43026
What is the "scanned report", and who is "they"?
 
author & internet detective
Posts: 40746
A CSRF error is not a database error. However, a CSRF attack could cause a database error to show up in the log. For example, suppose someone executes the same update query via CSRF 1000 times in a minute. It seems likely the concurrency error you are encountering would come up.

However, don't be misled into thinking this is simple to fix. I think you need to do two things:
1) Fix the CSRF error. Read about how we fixed it on this site. Note that your home page shouldn't be protected against CSRF. It also shouldn't be updating anything (except possibly the last login time.)
2) Fix the concurrency issue. Even without the CSRF issue, what happens if your user has two browsers open? The app shouldn't blow up.
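The anti-CSRF token fix from point 1, and the answer to the original question of how the token gets from login to the home page, as an added example that is not code from this thread or from the application in the stack trace. It is a servlet filter implementing the synchronizer-token pattern against the javax.servlet API the trace shows; the class name CsrfTokenFilter, the session attribute and form field name csrfToken, the header X-CSRF-Token and the onLoginSuccess hook are assumptions. The token is bound to the session that login creates, so the home page only has to render it into its forms, and the filter checks it on every state-changing request that follows. One caveat taken from the trace itself: TransServlet.doGet delegates to doPost, so in that application a GET can change state, and the filter's exemption of safe methods only holds once state changes are restricted to POST.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Synchronizer-token CSRF filter (added example; class, attribute and header names are assumptions).
 * Map it in web.xml to the URL pattern of the servlets that change state.
 */
public class CsrfTokenFilter implements Filter {
    public static final String SESSION_ATTR = "csrfToken";   // session attribute holding the token
    public static final String PARAM_NAME = "csrfToken";     // hidden form field carrying it back
    public static final String HEADER_NAME = "X-CSRF-Token"; // alternative for XMLHttpRequest callers
    private static final SecureRandom RNG = new SecureRandom();

    /** 32 random bytes, hex-encoded: unguessable, and safe to drop into HTML attributes unescaped. */
    public static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /**
     * Call from the login handler once credentials are verified. A fresh session id defeats
     * session fixation, and the token stored in it is what the home page renders into its forms.
     */
    public static String onLoginSuccess(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        String token = newToken();
        fresh.setAttribute(SESSION_ATTR, token);
        return token;
    }

    /** Constant-time comparison: a plain equals() leaks how many leading bytes matched through timing. */
    public static boolean tokensMatch(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Safe methods are exempt; that is only valid once the application stops changing state on GET. */
    public static boolean isSafeMethod(String method) {
        return "GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method);
    }

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isSafeMethod(request.getMethod())) {
            chain.doFilter(req, res); // reads such as the home page are not CSRF-protected
            return;
        }
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_ATTR);
        String submitted = request.getParameter(PARAM_NAME);
        if (submitted == null) {
            submitted = request.getHeader(HEADER_NAME);
        }
        if (!tokensMatch(expected, submitted)) {
            // Reject before the servlet runs, so a forged request never reaches the transaction code.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter in web.xml with a filter-mapping on the same URL pattern as the transaction servlet, and have every form on the home page (and each page after it) include the token as a hidden field, in JSP `<input type="hidden" name="csrfToken" value="${sessionScope.csrfToken}">`. Because the token lives in the session rather than in the login response, nothing special has to be "passed" from the login page to the home page; the home page just reads it from the session it already has.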
 