
CSRFGuard Javascript Injection doesn't work

What am I doing wrong? I can't get the JavaScript injection to work. Here is what I put in my web.xml:

<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<context-param>
    <param-name>Owasp.CsrfGuard.Config</param-name>
    <param-value>WEB-INF/csrfguard.properties</param-value>
</context-param>
<context-param>
    <param-name>Owasp.CsrfGuard.Config.Print</param-name>
    <param-value>true</param-value>
</context-param>
<filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
    <servlet-name>JavaScriptServlet</servlet-name>
    <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>JavaScriptServlet</servlet-name>
    <url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>

In my JSP files, I add this line:

<script src="/JavaScriptServlet"></script>

But when I submit, the token doesn't get added to the request. I stepped through the code, and this line in CsrfGuard.verifySessionToken(request) returns null:

String tokenFromRequest = request.getParameter(getTokenName());

The only thing I can do so far is to add the token by using the CSRF custom tag and adding a hidden field to the form a la:

<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>

It looks like I had to figure out what my servlet context root was first. Then I fixed it by changing

<script src="/JavaScriptServlet"></script>

to

<script src="/[servletcontextroot]/JavaScriptServlet"></script>

In my case, it worked fine when I added the script tag after setting the base path.
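
The URL resolution behind both answers, as an added example that is not part of the original posts or of CSRFGuard. The host, page path and context root `/myapp` are constructed sample values, the servlet mapping is the one from the web.xml above, and "base path" is assumed to mean a `<base href>` element.

```javascript
// Added example: how a browser resolves the CSRFGuard <script src>.
// Host, page path and context root "/myapp" are constructed sample values.

// Resolve a <script src> the way a browser does: against <base href> when the
// page declares one, otherwise against the URL of the page itself.
function resolveScriptSrc(src, pageUrl, baseHref) {
  const base = baseHref ? new URL(baseHref, pageUrl) : new URL(pageUrl);
  return new URL(src, base);
}

// The container dispatches to JavaScriptServlet only when the request path is
// <context root> + the <url-pattern> from web.xml (/JavaScriptServlet).
function reachesServlet(src, pageUrl, contextRoot, baseHref) {
  const resolved = resolveScriptSrc(src, pageUrl, baseHref);
  return resolved.origin === new URL(pageUrl).origin &&
         resolved.pathname === contextRoot + "/JavaScriptServlet";
}

const PAGE = "https://app.example.test/myapp/account/edit.jsp"; // constructed
const ROOT = "/myapp";                                           // constructed

// Walk through the variants from the question and the answers.
function demo() {
  const cases = [
    ["/JavaScriptServlet", undefined],       // question: skips the context root
    ["/myapp/JavaScriptServlet", undefined], // first answer: context root included
    ["JavaScriptServlet", undefined],        // relative: resolves under /account/
    ["JavaScriptServlet", "/myapp/"],        // relative src with <base href="/myapp/">
    ["/JavaScriptServlet", "/myapp/"],       // root-relative src ignores the base path
  ];
  return cases.map(([src, baseHref]) => ({
    src,
    baseHref: baseHref || null,
    requested: resolveScriptSrc(src, PAGE, baseHref).pathname,
    ok: reachesServlet(src, PAGE, ROOT, baseHref),
  }));
}

console.table(demo());
```

When the script request misses the servlet, the token-injecting JavaScript never loads, so the form is submitted without the token parameter. In a JSP, `${pageContext.request.contextPath}` yields the context root, so the `src` does not need a hard-coded prefix.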
