
Cross site request forgery

lakshmi gullapudi
Greenhorn
Posts: 16

Hi,

One security issue (Cross Site Request Forgery) was found in a web application scan.

Exception:

2 May 2013 22:35:35,603 [SocketListener0-10] ERROR com.xelus.solos.trans.TransRunner - InvocationTargetException
java.lang.reflect.InvocationTargetException
at sun.reflect.GeneratedMethodAccessor267.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.xelus.solos.trans.TransRunner.execute(Unknown Source)
at com.xelus.solos.trans.AuthenticateTrans.authenticate(Unknown Source)
at sun.reflect.GeneratedMethodAccessor268.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.xelus.solos.trans.TransRunner.execute(Unknown Source)
at com.xelus.solos.servlet.TransServlet.doPost(Unknown Source)
at com.xelus.solos.servlet.TransServlet.doGet(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:596)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:428)
at org.mortbay.jetty.servlet.ServletHandler.dispatch(ServletHandler.java:666)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:568)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1530)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)
at org.mortbay.http.HttpServer.service(HttpServer.java:909)
at org.mortbay.http.HttpConnection.service(HttpConnection.java:816)
at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:982)
at org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)
at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)
at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)
Caused by: com.xelus.solos.persistent.ConcurrentUpdateException: Multiple users are attempting to update the POSITION_LOG
at com.xelus.solos.persistent.PersistentObject.checkUpdateStamp(Unknown Source)
at com.xelus.solos.persistent.PersistentObject.checkUpdateStamp(Unknown Source)
at com.xelus.solos.persistent.PositionLog.save(Unknown Source)
at com.xelus.solos.persistent.User.save(Unknown Source)
at com.xelus.solos.trans.NewsTrans.displayNews(Unknown Source)


It looks like multiple users are trying to update at the same time. How can we restrict this? This exception is occurring on the home page of the application.

The solution is to use anti-Cross-Site Request Forgery tokens.

My problem is that we can generate the token only after logging into the application. Then the system immediately displays the application home page, so how can we pass and validate the token?

The flow is: Login page -> home page

Is there any other way to fix this issue?




Ulf Dittmer
Rancher
Posts: 42969
It doesn't sound as if this has anything to do with CSRF. The usual approach to handle concurrent DB accesses is to use transactions.
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65335
Based upon other posts, you seem to assume that any database problem is a result of CSRF. I'd recommend you read up on what Cross Site Request Forgery actually is.
lakshmi gullapudi
Greenhorn
Posts: 16
Actually, in the scanned report they mentioned it as cross site request forgery.

In the logs, I found these exceptions.
Ulf Dittmer
Rancher
Posts: 42969
What is the "scanned report", and who is "they"?
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 35279
A CSRF error is not a database error. However, a CSRF attack could cause a database error to show up in the log. For example, suppose someone executes the same update query via CSRF 1000 times in a minute. It seems likely the concurrency error you are encountering would come up.

However, don't be misled into thinking this is simple to fix. I think you need to do two things:
1) Fix the CSRF error. Read about how we fixed it on this site. Note that your home page shouldn't be protected against CSRF. It also shouldn't be updating anything (except possibly the last login time).
2) Fix the concurrency issue. Even without the CSRF issue, what happens if your user has two browsers open? The app shouldn't blow up.