We are using the owasp csrf tool in our application. It is quite an old java8 / Tomcat application but this aspect has worked without a problem for a long time. We have 3 environments -
dev - local machine test
runs on remote servers as production
production
runs on remote servers
We recently changed the ip address of the test server and the OWASP protection no longer seems to trigger on this environment. I don't believe there is anything in the code base to cause this change as it still works on dev. I have checked and there is no hard coded reference to the old ip address in the code.
The token is still being injected into the form on test, and changes between initial set up and 2nd logon & submit.
The owasp_csrf.js file is still active as I put some alerts in there to check and they fire (I noticed on dev our warning message appears before the alerts so I don't think this is where the main part of the token checking is happening).
Everything seems to work as expected except the csrf check doesn't seem to fire.
So, my test is
log in and enter data into a data entry form
log out before submitting
log back in (different user, although this isn't necessary on production)
use back button to get to previous filled in form and submit
on test this allows submission (on dev and production it triggers csrf alert).
I don't think this has been tested on test for a while but but I know it as been in the past. I believe the only significant difference is the IP address change but I can't find anywhere in the code base or Tomcat configs where this looks relevant. (I've double checked the hosts files and rebooted in case any aspect of (linux) server setup had missed the ip change).
Apologies if this is a little vague but I wondered if anyone had any ideas about where the ip address may be relevant to the OWASP csrf set up ?
Related
Production Environment: Tomcat 9 on CentOS 7 x64, mysql/mariadb 5.5x
Testing Environment: Tomcat 9 in Eclipse on Windows 7 x64, mysql 5.5x
I'm a Tomcat newbie looking for the best method to have server-wide variables readable/writable from all Webapps for things like MaintenanceMode(on/off) and MaintenanceMessage, etc.
These are the variable properties I'm looking for:
Readable/writable from all instances of all java servlets on all webapps.
Value persists after OS, Tomcat, or Webapp restart.
I must be able to change the value of it from one webapp and then all other webapps recognize the change quickly, ideally without restarting.
Ideally I wouldn't want to read the variable from disk on each server request. In case server is getting DDOSed or something.
Ideally the solution is OS independent.
If it's a disk file solution please recommend a place for me to store the file.
I'm new to Tomcat so some detail in any answers would be appreciated or links to detail. I'll probably be using a servlet on it's own 'admin' webapp that's only accessible through SSH-tunneling, etc, to set the variables. Then the public webapps would respond to any changes, like showing a maintenance message while I backup databases. I could also possibly change the variables using linux commands if needed.
If I stored the server variables in a database that could be fine but I wouldn't want to read the DB on every single request most likely, and when I change a variable I'd have to once again notify every webapp/servlet that something was changed and to re-read the DB.
Thanks for any help.
I implemented this recently in the form of "system messages", some of which are for maintenance. But the effect is the same. We had some additional "requirements" which helped us form the solution. These may or may not match up to your expectations/desires:
Multiple-server coordination
Immediate synchronization was not necessary
We used our relational database for the actual data storage. A single table with "system messages" and a few other fields such as when the messages became effective (not_before DATETIME) and when the messages became ineffective (not_after DATETIME).
On startup, the application reads the system messages table to find the currently-valid messages and stores them in application scope, including their validity dates. Whenever we want to show them on the screen, we check each item in memory and evict any that have expired. This is pretty fast.
Every X minutes (e.g. from cron), we make a request to a special servlet (on each server) that re-loads the system messages from the database. We protect that servlet by only allowing requests from certain IPs, so DOS is not an issue.
Not only can we add a system message from any server in the cluster, but we can also add one by writing directly to the database. That may be advantageous if you don't always want to use your application to generate these events.
You can change the value for X to anything as low as 1 (minute) if you are using cron. If you use some other kind of system, you can probably get updated even more often. I would seriously reconsider your requirement of "immediate" recognition because that requires a system that has much worse performance.
If you can guarantee that only your application can generate these changes, and you have a list of all other servers in the cluster somewhere, you could theoretically ping them all with the new message (or notify them that a new message exists and it's time to update their message-list), but that kind of thing is better-done with an orchestration tool such as Kubernetes, and we are getting a little out of scope IMO.
I have a web server which is presenting some data from a Cloudera cluster. The data are stored on HBase and the cluster is secured with Kerberos. When I try to perform a get, the server hangs without logging any error.
So far I've tried:
Launching the webserver from command line after a kinit (the server is just for testing purpose, so log-in duration and complex procedures to start it are not an issue)
The runAs approach described in here, both with and without the configuration file import from this answer.
The CLASSPATH configuration approach described here
Global authentication with UserGroupInformation.loginUserFromKeytab (with and without all the configurations from point 2 and 3)
I've executed all the gets from hbase shell after kiniting with the web server's user and they work in reasonable time (less than a second, while the last time I left the connection open the server didn't respond in over an hour), so it's not a performance or authorization issue. Inside the same web server, with every configuration listed, I'm able to perform other actions, like connecting to HBase and getting the table instances.
I've also checked the logs from Kerberos, HBase and my web server and none of them presents any error. In fact, I'm pretty much afraid that the authorization works, but it just gets stuck in some loop during the get.
UPDATES: After more testing, I've verified that there is a user set right before the call to HBase's API. Also, I've checked and no calls are made to HBase. So this is not an authentication problem, but something else. Did anybody have the same problem?
I'm trying to get a server up and running on EC2 using Amazon Linux AMI 2017.09.0.2017. I've been able to set up a reverse proxy using Nginx at first and then just now Apache, and everything has been working fine except that something is causing a consistent 2-minute delay when I try to POST a multipart form. Everything goes through and works after 2 minutes, but it always takes 2 minutes for the server to do SOMETHING, what it is I don't know:
https://i.stack.imgur.com/YCpjV.png
I'm willing to be proven wrong, but I'm fairly certain that neither my nginx configuration nor my apache httpd configuration is at fault because I tested both of them individually and it happened under both of them, pointing to a problem with my Tomcat 8, SSL certificate, or possibly AWS configuration. I'm also confident that there isn't a problem with my javascript code that does the POST, because it works fine on an elastic beanstalk environment tomcat build.
This only seems to occur with multi-part form data POSTs, but that's not to say I know that nothing else is affected. I've tried monitoring TCP traffic and looking at error logs and nothing seems out of place, there's just a 2 minute delay that occurs before my java controller receives the form and I'm baffled.
Anyone have any idea what might be happening? Any ideas, vague or not, about leads or suggestions of things to do would be greatly appreciated.
We are in the process of creating a training mode for our ColdFusion (9) sites.
The system will allow our users, after logging in, to switch from production mode to training mode by clicking on a link.
When they switch, the data-sources will be switched allowing the data to be safely modified.
We are also going to implement a test SMTP server, using the SubEthaSMTP Java project, in order to capture the emails that are sent from the training mode and display them to the user in a web page.
We can launch the SMTP server as a stand alone process or service without much trouble.
The nicer solution would be to launch server as part of the ColdFuson runtime at the point that the user switches to training mode.
We would create a true Java thread that would persist on a Server level scope for the length of any training sessions and then some arbitrary time out period. If the server times out and a new training session is initiated we would initiate a new SMTP server.
My essential question is, therefore, is it a bad idea to run an ongoing thread in the ColdFusion runtime this way?
I can't see a problem with doing this, although you ought to test to see what resources SubEthaSMTP uses and make sure it's not going to cause you issues. It looks to have minimal dependencies (essentially just SLF4J, which ColdFusion 9 & 10 already provide)
From the example page it looks to be pretty easy to set up and drop into a long-running scope. I think you're right to pick the server scope, as you may have problems using application or anything more volatile, as there'll be a situation where application scope would timeout and be reset, but you'd loose all references to the Mail Server instance.
Please update the post with your findings, as I'd be interested in seeing what you find.
First, this is not the first time I ask a question related to this problem, but now that we have talked with the network admin guys and we know we absolutely HAVE to get through that proxy, I will ask again the question but with further details.
So here is the deal. We have an application built for Lotus Notes. That application needs to talk with a web service that is located outside the network of our client, but nothing can get out of the network without going through a proxy server. Since the Agent is running on the server, we need to tell the server to go through the proxy first. That can be achieved in Java using the System's properties (http.proxyHost, etc). That being said, I set all the properties related to the proxy settings in my Java Agent, and then I try getting the XML file from the web service. What I get is a connection time out exception. So, I was wondering why? We did a network analysis with WireShark, and the application is not trying to go through the proxy. Here is what it STRANGELY does.
I built the application and set the proxy host to a dummy address, just for the time I get the real proxy address and my credentials. Let's say proxy.mydomain.com
I get my credentials, so I change the proxy config with the real ones, say webproxy.ca.mydomain.net
Nothing works, so we restart the Domino server and do a clearcache, thinking it might be related to this
We did a network analysis with WireShark and the application queries the DNS for this:
proxy.mydomain.com
proxy.mydomain.com.ca.mydomain.com
proxy.mydomain.com.eu.mydomain.com
proxy.mydomain.com.anotherknowdomain.com
And that goes for a while. BUT, I can see it's still using the dummy address. Where does it get it. It's not in notes.ini, it's not in the server's cache, it's not in my source code, it's not in java.properties, it not in the JVM (since we restarted the machine). Any idea? We're at the end of a project and we need this to work to deliver it and preassure is building!!! I searched the WHOLE WEB!!!
One more thing I would say, when I set my properties in java code, I tryied to print them before to see if it was ok and everything is fine...
For your information, even though it was a web proxy going through HTTP, the JVM setting sockProxyHost was set and preceds on the other. That was our problem...