python2014
diff --git a/‎Ch08_CSRF/pom.xml‎
Lines changed: 4 additions & 0 deletions b/‎Ch08_CSRF/pom.xml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎…kschadow/webappsecurity/CSRFServlet.java‎ ‎…webappsecurity/servlets/CSRFServlet.java‎Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/CSRFServlet.java renamed to Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/CSRFServlet.java
Lines changed: 34 additions & 20 deletions b/‎…kschadow/webappsecurity/CSRFServlet.java‎ ‎…webappsecurity/servlets/CSRFServlet.java‎Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/CSRFServlet.java renamed to Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/CSRFServlet.java
Lines changed: 34 additions & 20 deletions
diff --git a/‎…dow/webappsecurity/ProtectedServlet.java‎ ‎…psecurity/servlets/ProtectedServlet.java‎Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/ProtectedServlet.java renamed to Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/ProtectedServlet.java
Lines changed: 46 additions & 27 deletions b/‎…dow/webappsecurity/ProtectedServlet.java‎ ‎…psecurity/servlets/ProtectedServlet.java‎Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/ProtectedServlet.java renamed to Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/ProtectedServlet.java
Lines changed: 46 additions & 27 deletions
diff --git a/‎…ebappsecurity/csrf/CSRFTokenHandler.java‎ ‎…bappsecurity/token/CSRFTokenHandler.java‎Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/csrf/CSRFTokenHandler.java renamed to Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/token/CSRFTokenHandler.java
Lines changed: 8 additions & 6 deletions b/‎…ebappsecurity/csrf/CSRFTokenHandler.java‎ ‎…bappsecurity/token/CSRFTokenHandler.java‎Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/csrf/CSRFTokenHandler.java renamed to Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/token/CSRFTokenHandler.java
Lines changed: 8 additions & 6 deletions
diff --git a/‎Ch08_CSRF/src/main/resources/log4j.xml‎
Lines changed: 15 additions & 0 deletions b/‎Ch08_CSRF/src/main/resources/log4j.xml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎Ch08_CSRF/src/main/webapp/image-protected.html‎
Lines changed: 11 additions & 6 deletions b/‎Ch08_CSRF/src/main/webapp/image-protected.html‎
Lines changed: 11 additions & 6 deletions
diff --git a/‎Ch08_CSRF/src/main/webapp/image.html‎
Lines changed: 9 additions & 4 deletions b/‎Ch08_CSRF/src/main/webapp/image.html‎
Lines changed: 9 additions & 4 deletions
@@ -22,6 +22,10 @@ Open the web application in your browser at http://localhost:8080/Ch08_CSRF</des
 			<groupId>org.owasp.esapi</groupId>
 			<artifactId>esapi</artifactId>
 		</dependency>
+        <dependency>
+            <groupId>log4j</groupId>
+            <artifactId>log4j</artifactId>
+        </dependency>
 	</dependencies>
 
 	<build>
 
@@ -16,64 +16,78 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package de.dominikschadow.webappsecurity;
+package de.dominikschadow.webappsecurity.servlets;
 
-import java.io.IOException;
-import java.io.PrintWriter;
+import org.apache.log4j.Logger;
 
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
 
 /**
+ * Basic unprotected servlet for GET and POST requests. Prints out all information to standard out
+ * and returns the received parameter as response.
+ *
  * @author Dominik Schadow
  */
 @WebServlet(name = "CSRFServlet", urlPatterns = {"/CSRFServlet"})
 public class CSRFServlet extends HttpServlet {
     private static final long serialVersionUID = 1L;
-
-    /**
-     * @see HttpServlet#HttpServlet()
-     */
-    public CSRFServlet() {
-        super();
-    }
+    private static final Logger LOGGER = Logger.getLogger(CSRFServlet.class);
 
     /**
      * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
      */
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException {
-        System.out.println("Processing unprotected GET request");
-
         String name = request.getParameter("name");
-        System.out.println("Unprotected: Received " + name + " as GET parameter");
+        LOGGER.info("Processing unprotected GET request: Received " + name + " as parameter");
 
         response.setContentType("text/html");
 
         try (PrintWriter out = response.getWriter()) {
-            out.println("Received " + name + " as GET parameter");
+            out.println("<html>");
+            out.println("<head>");
+            out.println("<title>Ch08_CSRF</title>");
+            out.println("<link rel=\"stylesheet\" type=\"text/css\" href=\"styles.css\" />");
+            out.println("</head>");
+            out.println("<body>");
+            out.println("<h1>Ch08_CSRF</h1>");
+            out.println("<p>Received <b>" + name + "</b> as GET parameter.</p>");
+            out.println("<p><a href=\"requests-unprotected.jsp\">Back</a></p>");
+            out.println("</body>");
+            out.println("</html>");
         } catch (IOException ex) {
-            ex.printStackTrace();
+            LOGGER.error(ex.getMessage(), ex);
         }
     }
 
     /**
      * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
      */
     protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
-        System.out.println("Processing unprotected POST request");
-
         String name = request.getParameter("name");
-        System.out.println("Unprotected: Received " + name + " as POST parameter");
+        LOGGER.info("Processing unprotected POST request: Received " + name + " as parameter");
 
         response.setContentType("text/html");
 
         try (PrintWriter out = response.getWriter()) {
-            out.println("Received " + name + " as POST parameter");
+            out.println("<html>");
+            out.println("<head>");
+            out.println("<title>Ch08_CSRF</title>");
+            out.println("<link rel=\"stylesheet\" type=\"text/css\" href=\"styles.css\" />");
+            out.println("</head>");
+            out.println("<body>");
+            out.println("<h1>Ch08_CSRF</h1>");
+            out.println("<p>Received <b>" + name + "</b> as POST parameter.</p>");
+            out.println("<p><a href=\"requests-unprotected.jsp\">Back</a></p>");
+            out.println("</body>");
+            out.println("</html>");
         } catch (IOException ex) {
-            ex.printStackTrace();
+            LOGGER.error(ex.getMessage(), ex);
         }
     }
 }
@@ -16,7 +16,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package de.dominikschadow.webappsecurity;
+package de.dominikschadow.webappsecurity.servlets;
 
 import java.io.IOException;
 import java.io.PrintWriter;
@@ -29,93 +29,112 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import de.dominikschadow.webappsecurity.csrf.CSRFTokenHandler;
+import de.dominikschadow.webappsecurity.token.CSRFTokenHandler;
+import org.apache.log4j.Logger;
 
 /**
+ * Basic protected servlet for GET and POST requests. Checks the CSRF-Token value to identify
+ * CSRF attacks. Prints out all information to standard out and returns the received parameter
+ * as response.
+ *
  * @author Dominik Schadow
  */
 @WebServlet(name = "ProtectedServlet", urlPatterns = {"/ProtectedServlet"})
 public class ProtectedServlet extends HttpServlet {
     private static final long serialVersionUID = 1L;
+    private static final Logger LOGGER = Logger.getLogger(ProtectedServlet.class);
 
-    /**
-     * @see HttpServlet#HttpServlet()
-     */
-    public ProtectedServlet() {
-        super();
-    }
-    
     /**
      * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
      */
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException {
-        System.out.println("Processing protected GET request");
+        LOGGER.info("Processing protected GET request");
 
         response.setContentType("text/html");
 
         try {
             if (!CSRFTokenHandler.isValid(request)) {
-                System.out.println("CSRF token is invalid");
+                LOGGER.warn("CSRF token is invalid");
                 response.setStatus(401);
 
                 try (PrintWriter out = response.getWriter()) {
                     out.println("CSRF token is invalid");
                 } catch (IOException ex) {
-                    ex.printStackTrace();
+                    LOGGER.error(ex.getMessage(), ex);
                 }
 
                 return;
             }
         } catch (NoSuchAlgorithmException | NoSuchProviderException ex) {
-            ex.printStackTrace();
+            LOGGER.error(ex.getMessage(), ex);
         }
-        
-        System.out.println("CSRF token is valid");
+
+        LOGGER.info("CSRF token is valid");
 
         String name = request.getParameter("name");
-        System.out.println("Protected: Received " + name + " as GET parameter");
+        LOGGER.info("Received " + name + " as GET parameter");
 
         try (PrintWriter out = response.getWriter()) {
-            out.println("Received " + name + " as GET parameter");
+            out.println("<html>");
+            out.println("<head>");
+            out.println("<title>Ch08_CSRF</title>");
+            out.println("<link rel=\"stylesheet\" type=\"text/css\" href=\"styles.css\" />");
+            out.println("</head>");
+            out.println("<body>");
+            out.println("<h1>Ch08_CSRF</h1>");
+            out.println("<p>Received <b>" + name + "</b> as GET parameter.</p>");
+            out.println("<p><a href=\"requests-protected.jsp\">Back</a></p>");
+            out.println("</body>");
+            out.println("</html>");
         } catch (IOException ex) {
-            ex.printStackTrace();
+            LOGGER.error(ex.getMessage(), ex);
         }
     }
 
     /**
      * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
      */
     protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
-        System.out.println("Processing protected POST request");
+        LOGGER.info("Processing protected POST request");
 
         response.setContentType("text/html");
 
         try {
             if (!CSRFTokenHandler.isValid(request)) {
-                System.out.println("CSRF token is invalid");
+                LOGGER.warn("CSRF token is invalid");
                 response.setStatus(401);
 
                 try (PrintWriter out = response.getWriter()) {
                     out.println("CSRF token is invalid");
                 } catch (IOException ex) {
-                    ex.printStackTrace();
+                    LOGGER.error(ex.getMessage(), ex);
                 }
 
                 return;
             }
         } catch (NoSuchAlgorithmException | NoSuchProviderException ex) {
-            ex.printStackTrace();
+            LOGGER.error(ex.getMessage(), ex);
         }
-        
-        System.out.println("CSRF token is valid");
+
+        LOGGER.info("CSRF token is valid");
 
         String name = request.getParameter("name");
-        System.out.println("Protected: Received " + name + " as POST parameter");
+        LOGGER.info("Received " + name + " as POST parameter");
 
         try (PrintWriter out = response.getWriter()) {
-            out.println("Received " + name + " as POST parameter");
+            out.println("<html>");
+            out.println("<head>");
+            out.println("<title>Ch08_CSRF</title>");
+            out.println("<link rel=\"stylesheet\" type=\"text/css\" href=\"styles.css\" />");
+            out.println("</head>");
+            out.println("<body>");
+            out.println("<h1>Ch08_CSRF</h1>");
+            out.println("<p>Received <b>" + name + "</b> as POST parameter.</p>");
+            out.println("<p><a href=\"requests-protected.jsp\">Back</a></p>");
+            out.println("</body>");
+            out.println("</html>");
         } catch (IOException ex) {
-            ex.printStackTrace();
+            LOGGER.error(ex.getMessage(), ex);
         }
     }
 }
@@ -16,19 +16,21 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package de.dominikschadow.webappsecurity.csrf;
+package de.dominikschadow.webappsecurity.token;
 
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.SecureRandom;
+import org.apache.commons.lang.StringUtils;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
-
-import org.apache.commons.lang.StringUtils;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.SecureRandom;
 
 /**
+ * Calculates a new token and adds it to the session. Compares the session toke value with the
+ * token value included in the request.
+ *
  * @author Dominik Schadow
  */
 public final class CSRFTokenHandler {
 
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
+<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
+    <appender name="console" class="org.apache.log4j.ConsoleAppender">
+        <param name="Target" value="System.out"/>
+        <layout class="org.apache.log4j.PatternLayout">
+            <param name="ConversionPattern" value="%-5p %c{1} - %m%n"/>
+        </layout>
+    </appender>
+
+    <root>
+        <priority value="info"/>
+        <appender-ref ref="console"/>
+    </root>
+</log4j:configuration>
@@ -1,12 +1,17 @@
 <html>
 <head>
-  <title>Cross-Site Request Forgery</title>
+    <title>Ch08_CSRF</title>
+    <link rel="stylesheet" type="text/css" href="styles.css" />
 </head>
 <body>
-  <h1>GET with an image</h1>
-  
-  &lt;img src=&quot;ProtectedServlet?name=CSRF-Image&quot; width=&quot;0&quot; height=&quot;0&quot; /&gt;
-  
-  <img src="ProtectedServlet?name=CSRF-Image" width="0" height="0" />
+    <h1>Ch08_CSRF</h1>
+
+    <h2>GET request executed with a hidden image</h2>
+
+    <p>&lt;img src=&quot;ProtectedServlet?name=HiddenImage&quot; width=&quot;0&quot; height=&quot;0&quot; /&gt;</p>
+
+    <img src="ProtectedServlet?name=HiddenImage" width="0" height="0" />
+
+    <p><a href="requests-protected.jsp">Back</a></p>
 </body>
 </html>
@@ -1,12 +1,17 @@
 <html>
 <head>
-  <title>Cross-Site Request Forgery</title>
+    <title>Ch08_CSRF</title>
+    <link rel="stylesheet" type="text/css" href="styles.css" />
 </head>
 <body>
-  <h1>GET with an image</h1>
+    <h1>Ch08_CSRF</h1>
+
+    <h2>GET request executed with a hidden image</h2>
 
-  &lt;img src=&quot;CSRFServlet?name=CSRF-Image&quot; width=&quot;0&quot; height=&quot;0&quot; /&gt;
+    <p>&lt;img src=&quot;CSRFServlet?name=HiddenImage&quot; width=&quot;0&quot; height=&quot;0&quot; /&gt;</p>
 
-  <img src="CSRFServlet?name=CSRF-Image" width="0" height="0"  />
+    <img src="CSRFServlet?name=HiddenImage" width="0" height="0" />
+
+    <p><a href="requests-unprotected.jsp">Back</a></p>
 </body>
 </html>