wso2/jaggery

Upload Jaggery application fail in carbon management console with CSRF protection

Opened this issue · 1 comments

Upload Jaggery application fail in carbon management console with CSRF protection. This issue is reproducible with the WSO2 EMM 2.2.0 pack.

Steps to reproduce.

Start the EMM 2.2.0
Log into carbon management console
Add jaggery app
Hit upload
You can see the following error message

[2017-03-16 11:16:49,282] WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, method:POST, uri:/fileupload/jaggeryapp, error:required token is missing from the request)
Regards,
Vishanth

Moved from https://wso2.org/jira/projects/JAGGERY/issues/JAGGERY-430

The correct way to avoid this issue is sending the CSRF token along with the request. Since this is a JSP page and the request is done through a form submit, in the JSP page following should be added.

On top of the page, following taglib should be added which references the OWASP CSRF Guard.

<%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>
Then in the HTML form, following parameter should be added in the action.

<csrf:tokenname/>=<csrf:tokenvalue/>

So, the sample action looks like below.

action="../../fileupload/jaggeryapp?<csrf:tokenname/>=<csrf:tokenvalue/>"