Missing anti-CSRF token in the authentication endpoint cookie/header in WSO2 IS 5.9

Question (votes: 1, answers: 1)

I have tried all the WSO2 guides to enable the CSRF attribute on web cookies and on the form submission of the GET method of the authentication endpoint webapp, but still could not achieve the result.

I am getting a "Missing CSRF token" ZAP vulnerability for the authentication endpoint in the response of the GET method, because it does not contain the hidden csrf token parameter in the form submission tag of the response body.

WSO2 links referred to:

https://is.docs.wso2.com/en/5.9.0/administer/mitigating-cross-site-request-forgery-attacks/#securing-web-applications

https://wso2.com/technical-reports/wso2-secure-engineering-guidelines#C03

https://medium.com/@PrakhashS/overview-cross-site-request-forgery-csrf-recommended-approach-for-wso2-products-bb0e2437307

Information provided in the ZAP vulnerability:

No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret] was found in the following HTML form: [Form 1: "tocommonauth" "username" "password" "chkRemember" "sessionDataKey" ].

web.xml of the authenticationendpoint webapp:

<?xml version="1.0" encoding="UTF-8"?><!--
  ~ Copyright (c) 2014, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
  ~
  ~ WSO2 Inc. licenses this file to you under the Apache License,
  ~ Version 2.0 (the "License"); you may not use this file except
  ~ in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~ http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing,
  ~ software distributed under the License is distributed on an
  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  ~ KIND, either express or implied.  See the License for the
  ~ specific language governing permissions and limitations
  ~ under the License.
  -->

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0" metadata-complete="true">
    <absolute-ordering />


    <!-- OWASP CSRFGuard context listener used to read CSRF configuration -->
    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
    </listener>
    <!-- OWASP CSRFGuard session listener used to generate per-session CSRF 
        token -->
    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
    </listener>
    <!-- OWASP CSRFGuard per-application configuration property file location -->
    <context-param>
        <param-name>Owasp.CsrfGuard.Config</param-name>
        <param-value>/repository/conf/security/Owasp.CsrfGuard.properties</param-value>
    </context-param>
    <!-- OWASP CSRFGuard filter used to validate CSRF token -->
    <filter>
        <filter-name>CSRFGuard</filter-name>
        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    </filter>
    <!-- OWASP CSRFGuard filter mapping used to validate CSRF token -->
    <filter-mapping>
        <filter-name>CSRFGuard</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- OWASP CSRFGuard servlet that serves dynamic token injection JavaScript 
        (application can customize the URL pattern as required) -->
    <servlet>
        <servlet-name>JavaScriptServlet</servlet-name>
        <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>JavaScriptServlet</servlet-name>
        <url-pattern>/csrfguard.js</url-pattern>
    </servlet-mapping>






    <!-- *************** Account Recovery Endpoint Context URL Configuration 
        ********************** -->
    <!--context-param> <param-name>IdentityManagementEndpointContextURL</param-name> 
        <param-value>https://localhost:9443/accountrecoveryendpoint</param-value> 
        </context-param -->
    <context-param>
        <param-name>AccountRecoveryRESTEndpointURL</param-name>
        <param-value>/t/tenant-domain/api/identity/user/v1.0/</param-value>
    </context-param>

    <!-- *************** End of Authentication REST API URL Configuration ********************** -->

    <!--Display scopes in the consent page. -->
    <context-param>
        <param-name>displayScopes</param-name>
        <param-value>true</param-value>
    </context-param>

    <filter>
        <filter-name>HttpHeaderSecurityFilter</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>HttpHeaderSecurityFilter</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>AuthenticationEndpointFilter</filter-name>
        <filter-class>
            org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>AuthenticationEndpointFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>



    <filter>
        <filter-name>URLBasedCachePreventionFilter</filter-name>
        <filter-class>org.wso2.carbon.ui.filters.cache.URLBasedCachePreventionFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>URLBasedCachePreventionFilter</filter-name>
        <url-pattern>*.jsp</url-pattern>
    </filter-mapping>


    <filter>
        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
        <filter-class>
            org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter</filter-class>
        <init-param>
            <param-name>patterns</param-name>
            <param-value>"text/html" ,"application/json" ,"plain/text"</param-value>
        </init-param>
        <init-param>
            <param-name>filterAction</param-name>
            <param-value>enforce</param-value>
        </init-param>
        <init-param>
            <param-name>httpHeaders</param-name>
            <param-value>
                Cache-Control: no-store, no-cache, must-revalidate, private
            </param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
        <url-pattern>*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

    <listener>
        <listener-class>
            org.wso2.carbon.identity.application.authentication.endpoint.util.listener.AuthenticationEndpointContextListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>retry.do</servlet-name>
        <jsp-file>/retry.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>wait.do</servlet-name>
        <jsp-file>/long-wait.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>idf-confirm.do</servlet-name>
        <jsp-file>/identifier-logout-confirm.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>dynamic_prompt.do</servlet-name>
        <jsp-file>/dynamic_prompt.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>handle-multiple-sessions.do</servlet-name>
        <jsp-file>/handle-multiple-sessions.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>claims.do</servlet-name>
        <jsp-file>/requested-claims.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>oauth2_login.do</servlet-name>
        <jsp-file>/login.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>oauth2_authz.do</servlet-name>
        <jsp-file>/oauth2_authz.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>oauth2_consent.do</servlet-name>
        <jsp-file>/oauth2_consent.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>oauth2_logout_consent.do</servlet-name>
        <jsp-file>/oauth2_logout_consent.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>oauth2_logout.do</servlet-name>
        <jsp-file>/logout.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>oauth2_error.do</servlet-name>
        <jsp-file>/oauth2_error.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>samlsso_login.do</servlet-name>
        <jsp-file>/login.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>samlsso_logout.do</servlet-name>
        <jsp-file>/logout.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>samlsso_redirect.do</servlet-name>
        <jsp-file>/login.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>samlsso_notification.do</servlet-name>
        <jsp-file>/samlsso_notification.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>openid_login.do</servlet-name>
        <jsp-file>/login.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>openid_profile.do</servlet-name>
        <jsp-file>/openid_profile.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>passivests_login.do</servlet-name>
        <jsp-file>/login.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>tenantlistrefresher.do</servlet-name>
        <jsp-file>/tenant_refresh_endpoint.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>registration.do</servlet-name>
        <jsp-file>/registration.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>consent.do</servlet-name>
        <jsp-file>/consent.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>cookie_policy.do</servlet-name>
        <jsp-file>/cookie_policy.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>privacy_policy.do</servlet-name>
        <jsp-file>/privacy_policy.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>authenticate.do</servlet-name>
        <jsp-file>/authenticate.jsp</jsp-file>
    </servlet>

    <servlet>
        <servlet-name>error.do</servlet-name>
        <jsp-file>/generic-exception-response.jsp</jsp-file>
    </servlet>

    <servlet-mapping>
        <servlet-name>retry.do</servlet-name>
        <url-pattern>/retry.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>wait.do</servlet-name>
        <url-pattern>/wait.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>idf-confirm.do</servlet-name>
        <url-pattern>/idf-confirm.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>dynamic_prompt.do</servlet-name>
        <url-pattern>/dynamic_prompt.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>handle-multiple-sessions.do</servlet-name>
        <url-pattern>/handle-multiple-sessions.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>oauth2_login.do</servlet-name>
        <url-pattern>/oauth2_login.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>oauth2_authz.do</servlet-name>
        <url-pattern>/oauth2_authz.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>oauth2_consent.do</servlet-name>
        <url-pattern>/oauth2_consent.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>oauth2_logout_consent.do</servlet-name>
        <url-pattern>/oauth2_logout_consent.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>oauth2_logout.do</servlet-name>
        <url-pattern>/oauth2_logout.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>oauth2_error.do</servlet-name>
        <url-pattern>/oauth2_error.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>samlsso_login.do</servlet-name>
        <url-pattern>/samlsso_login.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>samlsso_logout.do</servlet-name>
        <url-pattern>/samlsso_logout.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>samlsso_redirect.do</servlet-name>
        <url-pattern>/samlsso_redirect.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>samlsso_notification.do</servlet-name>
        <url-pattern>/samlsso_notification.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>openid_login.do</servlet-name>
        <url-pattern>/openid_login.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>openid_profile.do</servlet-name>
        <url-pattern>/openid_profile.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>passivests_login.do</servlet-name>
        <url-pattern>/passivests_login.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>tenantlistrefresher.do</servlet-name>
        <url-pattern>/tenantlistrefresher.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>registration.do</servlet-name>
        <url-pattern>/registration.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>claims.do</servlet-name>
        <url-pattern>/claims.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>consent.do</servlet-name>
        <url-pattern>/consent.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>cookie_policy.do</servlet-name>
        <url-pattern>/cookie_policy.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>privacy_policy.do</servlet-name>
        <url-pattern>/privacy_policy.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>authenticate.do</servlet-name>
        <url-pattern>/authenticate.do</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>error.do</servlet-name>
        <url-pattern>/error.do</url-pattern>
    </servlet-mapping>

    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/generic-exception-response.jsp</location>
    </error-page>

    <!-- custom error pages -->
    <error-page>
        <error-code>400</error-code>
        <location>/errors/error_400.html</location>
    </error-page>
    <error-page>
        <error-code>401</error-code>
        <location>/errors/error_401.html</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>/errors/error_403.html</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/errors/error_404.html</location>
    </error-page>
    <error-page>
        <error-code>405</error-code>
        <location>/errors/error_405.html</location>
    </error-page>
    <error-page>
        <error-code>408</error-code>
        <location>/errors/error_408.html</location>
    </error-page>
    <error-page>
        <error-code>410</error-code>
        <location>/errors/error_410.html</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/errors/error_500.html</location>
    </error-page>
    <error-page>
        <error-code>502</error-code>
        <location>/errors/error_502.html</location>
    </error-page>
    <error-page>
        <error-code>503</error-code>
        <location>/errors/error_503.html</location>
    </error-page>
    <error-page>
        <error-code>504</error-code>
        <location>/errors/error_504.html</location>
    </error-page>
    <error-page>
        <location>/errors/error.html</location>
    </error-page>

    <session-config>
        <cookie-config>
            <secure>true</secure>
        </cookie-config>
    </session-config>

</web-app>
Tags: wso2 wso2is wso2carbon

1 answer

0 votes

By default, all web applications shipped with the product are protected against CSRF attacks [1].

For WSO2 Identity Server, the configurations used to mitigate CSRF attacks are enabled by default for all applications built into the product. Therefore, you need to apply these configurations manually only if you have deployed any custom applications in the product.

So you do not need any additional configuration.

Based on the information provided in the ZAP vulnerability scan, it detects the commonauth request inside the authentication endpoint web app as a vulnerability. That is wrong; let me explain why.

What are the authenticationendpoint webapp and the commonauth request? In WSO2 Identity Server, the authenticationendpoint serves the login and consent pages during authentication. User actions (for example credentials, OTP codes, federated login flows, consent approvals) are then submitted to the server using the commonauth request. So these interactions happen through the browser before the user has been authenticated.

What is CSRF? [2]

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform.

Therefore, since the user has not yet been authenticated, the endpoints and web applications used in the authentication flow are not vulnerable to CSRF attacks.

Hence, they are configured to be skipped from CSRF protection. You can check these endpoints in the IS_HOME/repository/conf/security/Owasp.CsrfGuard.Carbon.properties file:

# please remove the below entry to enable protection for services.
org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
org.owasp.csrfguard.unprotected.commonauth=%servletContext%/commonauth/*
org.owasp.csrfguard.unprotected.samlsso=%servletContext%/samlsso/*
org.owasp.csrfguard.unprotected.authenticationendpoint=%servletContext%/authenticationendpoint/*
org.owasp.csrfguard.unprotected.wso2=%servletContext%/wso2/*
org.owasp.csrfguard.unprotected.oauth2=%servletContext%/oauth2/*
org.owasp.csrfguard.unprotected.oidc=%servletContext%/oidc/*
org.owasp.csrfguard.unprotected.openid=%servletContext%/openid/*
org.owasp.csrfguard.unprotected.openidserver=%servletContext%/openidserver/*
org.owasp.csrfguard.unprotected.passivests=%servletContext%/passivests/*
org.owasp.csrfguard.unprotected.acs=%servletContext%/acs/*
org.owasp.csrfguard.unprotected.iwa=%servletContext%/iwa/*
org.owasp.csrfguard.unprotected.oauthiwa=%servletContext%/commonauth/iwa/*
org.owasp.csrfguard.unprotected.thrift=%servletContext%/thriftAuthenticator/*
org.owasp.csrfguard.unprotected.mex=%servletContext%/mexut/*
org.owasp.csrfguard.unprotected.identity=%servletContext%/identity/*

As you can see, these are the endpoints used in the authentication flow.

[1] https://is.docs.wso2.com/en/5.9.0/administer/mitigating-cross-site-request-forgery-attacks/#configuring-applications-in-wso2-product-to-mitigate-csrf-attacks

[2] https://portswigger.net/web-security/csrf
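As an added example (not code from the question, the answer or WSO2), the following Python model shows how the `org.owasp.csrfguard.unprotected.*` entries in the properties file quoted above decide which request paths skip CSRF token validation, and what changes when the `Services` entry is removed as the file's own comment suggests. The pattern rules (exact match, `/*` path match, `*.ext` extension match) follow CSRFGuard's documented page matching; how Carbon resolves `%servletContext%` is treated as an assumption.

```python
from typing import Dict, Optional

# Constructed excerpt of the Owasp.CsrfGuard.Carbon.properties entries shown in the answer.
SAMPLE_PROPERTIES = """\
# please remove the below entry to enable protection for services.
org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
org.owasp.csrfguard.unprotected.commonauth=%servletContext%/commonauth/*
org.owasp.csrfguard.unprotected.authenticationendpoint=%servletContext%/authenticationendpoint/*
org.owasp.csrfguard.unprotected.oauth2=%servletContext%/oauth2/*
"""

UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."


def parse_unprotected(properties_text: str, servlet_context: str = "") -> Dict[str, str]:
    """Return {entry name: resolved path pattern} for every unprotected.* entry.
    Comment lines and unrelated keys are ignored. %servletContext% is replaced with
    the webapp context path ("" for the root context); that substitution is an
    assumption about how Carbon resolves the placeholder."""
    patterns: Dict[str, str] = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(UNPROTECTED_PREFIX):
            name = key[len(UNPROTECTED_PREFIX):]
            patterns[name] = value.replace("%servletContext%", servlet_context)
    return patterns


def matches(pattern: str, path: str) -> bool:
    """CSRFGuard-style page matching: '/x/*' matches '/x' and anything under '/x/',
    '*.ext' matches by extension, anything else must match exactly."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def unprotected_entry(patterns: Dict[str, str], path: str) -> Optional[str]:
    """Name of the entry that exempts `path` from token validation, or None if the
    CSRFGuard filter would validate a token for it."""
    for name, pattern in patterns.items():
        if matches(pattern, path):
            return name
    return None


def is_protected(patterns: Dict[str, str], path: str) -> bool:
    return unprotected_entry(patterns, path) is None


if __name__ == "__main__":
    rules = parse_unprotected(SAMPLE_PROPERTIES)
    for p in ("/authenticationendpoint/login.do", "/commonauth", "/services/UserAdmin"):
        print(p, "->", unprotected_entry(rules, p) or "protected")
```

Running it shows why ZAP sees no token on the login form: the whole `/authenticationendpoint/*` and `/commonauth/*` space is exempt by configuration, not by accident.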
