Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications. These best practices, derived from Security Innovation's assessments of the world's most dominant software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.


How to Prevent Cross-Site Request Forgery (CSRF) in SpringMVC


Applies to

  • Java
  • SpringMVC

Summary

Perform CSRF prevention using SpringMVC within an application.

Objectives

CSRF prevention is a key security control that protects an application and its users from cross-site request forgery attacks. This article describes how to use the mechanisms available in SpringMVC to implement CSRF prevention with a per-session synchronizer token.

Solution Example

There is a standard model for CSRF prevention using SpringMVC that involves three basic steps.

  1. Build a base controller with CSRF token generation and validation methods.

import java.security.SecureRandom;
import java.util.Base64;

// ControllerContext, Utils and Log are the application's own helper classes, as in the original listing.
public class RootController {
    // ... other controller plumbing omitted

    protected void init(ControllerContext ctx) {
        // ...
        initializeCsrfToken(ctx);
    }

    // Create the per-session token once; subsequent requests in the same session reuse it.
    private void initializeCsrfToken(ControllerContext ctx) {
        String csrfToken = ctx.getSessionAttribute(ControllerContext.CSRF_TOKEN, "");
        if (Utils.isEmpty(csrfToken)) {
            ctx.setSessionAttribute(ControllerContext.CSRF_TOKEN, generateCsrfToken(ctx));
        }
    }

    // Generate an unpredictable random string: 32 bytes from a cryptographically secure RNG, URL-safe encoded.
    private String generateCsrfToken(ControllerContext ctx) {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Compare the token submitted with the form against the one stored in the session.
    protected boolean isValidCsrfToken(ControllerContext ctx) {
        String csrfParamToken = ctx.getParameter(ControllerContext.CSRF_TOKEN);
        String csrfSessionToken = ctx.getSessionAttribute(ControllerContext.CSRF_TOKEN, "");
        if (!Utils.isEmpty(csrfParamToken) && !Utils.isEmpty(csrfSessionToken)
                && csrfParamToken.equals(csrfSessionToken)) {
            return true;
        } else {
            // Log this as this can be a security threat (a missing or mismatched token on a form submission).
            // Consider omitting the session token value itself from production logs.
            Log.warn("Invalid security token. Supplied token: " + csrfParamToken + ". Session token: "
                    + csrfSessionToken + ". IP: " + ctx.request.getRemoteAddr());
            return false;
        }
    }
}

  2. Include the CSRF token in the form submitted via JSP.

<input type="hidden" name="ctoken" id="ctoken" value="${sessionScope.ctoken}"/>

  3. In the controller handling the request, validate the CSRF token. In the action class/method that handles the saving of your form (e.g. SaveBookController), perform the token validation before processing the submitted data.

// ...
// Inside the controller method handling the form POST (request, response and result are the method's parameters).
ControllerContext ctx = new ControllerContext(request, response);
init(ctx);
if (!isValidCsrfToken(ctx)) {
    // Reject the submission and redisplay the list view with an error instead of saving anything.
    result.addError(new ObjectError("employee", getMessage("error.invalidCsrfToken")));
    return getModelAndView(ctx, "employee/list");
}
// ... token is valid: continue with the normal save logic

With these three steps you have a session-specific, per-user token that verifies that a state-changing request was submitted intentionally by the user, rather than forged by another site the user's browser happened to visit.
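The same synchronizer-token pattern, written here as an added example (not code from the original article or from TeamMentor) that goes one step beyond the base-controller approach: a SpringMVC HandlerInterceptor enforces the check on every state-changing request, so no individual controller can forget to call it. It assumes Spring 5.x on the javax.servlet API and Java 9+, and uses the same "ctoken" name as the JSP hidden field above.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;

/** Synchronizer-token CSRF check applied to every state-changing request. */
public class CsrfInterceptor implements HandlerInterceptor {
    public static final String TOKEN_NAME = "ctoken";   // same name as the JSP hidden field
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session token, creating a 256-bit random one on first use. */
    public static String getOrCreateToken(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_NAME);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_NAME, token);
        }
        return token;
    }

    /** Constant-time comparison, so a mismatch does not reveal how many leading bytes were right. */
    static boolean tokensMatch(String supplied, String expected) {
        if (supplied == null || expected == null) return false;
        return MessageDigest.isEqual(supplied.getBytes(), expected.getBytes());
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler) throws Exception {
        if (SAFE_METHODS.contains(req.getMethod())) {
            getOrCreateToken(req.getSession());   // token exists before any form is rendered
            return true;
        }
        // POST/PUT/DELETE etc.: the request must carry the token stored in this session
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_NAME);
        if (!tokensMatch(req.getParameter(TOKEN_NAME), expected)) {
            // Reject without echoing the session token into logs or the response body
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CSRF token");
            return false;
        }
        return true;
    }
}
```

Register it through WebMvcConfigurer#addInterceptors; the exemption for GET/HEAD/OPTIONS only holds if no handler for those methods changes state.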

Note: There have been effective attacks against various CSRF prevention techniques, including this token-based approach, when the application also has XSS vulnerabilities, because script injected into the application's own origin can read the token and include it in a forged request. Removing XSS is therefore viewed as a prerequisite for a complete CSRF prevention mechanism.

In conclusion, CSRF prevention is a strong security control when it is used properly and applied consistently to every state-changing request in the application. The SpringMVC framework makes this a simple series of steps.
