First part CSRF protection

dschadow · dschadow · commit f8c8af9054de · 2013-05-19T19:06:34.000+02:00
Signed-off-by: Dominik Schadow &lt;dominikschadow@googlemail.com&gt;
diff --git a/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/ProtectedServlet.java b/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/ProtectedServlet.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2013 Dominik Schadow, dominikschadow@gmail.com
+ *
+ * This file is part of JavaWebAppSecurity.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package de.dominikschadow.webappsecurity;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * @author Dominik Schadow
+ */
+public class ProtectedServlet extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * @see HttpServlet#HttpServlet()
+     */
+    public ProtectedServlet() {
+        super();
+    }
+
+    /**
+     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
+     */
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException,
+            IOException {
+        System.out.println("Processing POST request");
+        
+        String name = request.getParameter("name");
+        System.out.println("Received " + name + " as POST parameter");
+
+        response.setContentType("text/html");
+
+        PrintWriter out = response.getWriter();
+        out.println("<html><body>");
+        out.println("<p>Received " + name + " as POST parameter</p>");
+        out.println("</body></html>");
+        out.flush();
+        out.close();
+    }
+}
diff --git a/Ch08_CSRF/src/main/webapp/WEB-INF/web.xml b/Ch08_CSRF/src/main/webapp/WEB-INF/web.xml
@@ -2,7 +2,7 @@
 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="CSRF" version="3.0">
   <display-name>Cross-Site Request Forgery Sample Application</display-name>
   <servlet>
-    <description></description>
+    <description>Servlet to handle POST and GET requests without any protection</description>
     <display-name>CSRFServlet</display-name>
     <servlet-name>CSRFServlet</servlet-name>
     <servlet-class>de.dominikschadow.webappsecurity.CSRFServlet</servlet-class>
@@ -11,4 +11,15 @@
     <servlet-name>CSRFServlet</servlet-name>
     <url-pattern>/CSRFServlet</url-pattern>
   </servlet-mapping>
+  
+  <servlet>
+    <description>Servlet to handle POST requests with random user value protection</description>
+    <display-name>ProtectedServlet</display-name>
+    <servlet-name>ProtectedServlet</servlet-name>
+    <servlet-class>de.dominikschadow.webappsecurity.ProtectedServlet</servlet-class>
+  </servlet>
+  <servlet-mapping>
+    <servlet-name>ProtectedServlet</servlet-name>
+    <url-pattern>/ProtectedServlet</url-pattern>
+  </servlet-mapping>
 </web-app>
diff --git a/Ch08_CSRF/src/main/webapp/index.jsp b/Ch08_CSRF/src/main/webapp/index.jsp
@@ -8,19 +8,21 @@
 <body>
 	<h1>Cross-Site Request Forgery</h1>
 	
-	<h2>GET</h2>
+	<h2>Unprotected</h2>
 	
-	<h3>Normal browser link</h3>
+	<h3>GET</h3>
+	
+	<h4>Normal browser link</h4>
 	
 	<a href="CSRFServlet?name=BrowserLink">Send</a>
 	
-	<h3>Image</h3>
+	<h4>Image</h4>
 	
 	<a href="image.html">Image</a>
 	
-	<h2>POST</h2>
+	<h3>POST</h3>
 	
-	<h3>Normal browser form</h3>
+	<h4>Normal browser form</h4>
 
 	<form name="greeting" method="post" action="CSRFServlet">
 		<table>
@@ -32,8 +34,28 @@
 		</table>
 	</form>
 	
-	<h3>XMLHttpRequest</h3>
+	<h4>XMLHttpRequest</h4>
 	
 	<a href="xmlhttprequest.html">XMLHttpRequest</a>
+	
+	<h2>Protected</h2>
+	
+	<h3>POST</h3>
+	
+	<h4>Normal browser form</h4>
+
+	<form name="greetingProtected" method="post" action="ProtectedServlet">
+		<table>
+			<tr>
+				<td>Name</td>
+				<td><input type="text" name="name"></td>
+				<td><input type="submit" value="Senden"></td>
+			</tr>
+		</table>
+	</form>
+	
+	<h4>XMLHttpRequest</h4>
+	
+	<a href="xmlhttprequest-protected.html">XMLHttpRequest</a>
 </body>
 </html>
diff --git a/Ch08_CSRF/src/main/webapp/xmlhttprequest-protected.html b/Ch08_CSRF/src/main/webapp/xmlhttprequest-protected.html
@@ -0,0 +1,25 @@
+<html>
+<head>
+  <title>Cross-Site Request Forgery</title>
+  
+  <script type="text/javascript">
+    function sendForm() {
+      var params = "name=CSRF-XMLHttpRequest";
+
+      var request = new XMLHttpRequest();
+      request.open("POST", "http://localhost:8080/CSRF/ProtectedServlet", true);
+      request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+      request.send(params);
+
+      request.onreadystatechange = function() {
+        if (request.readyState == 4 && request.status == 200) {
+          alert("Response " + request.responseText);       
+        }
+      };
+    }
+  </script>
+</head>
+<body onload="sendForm()">
+  <h1>Form post with XMLHttpRequest</h1> 
+</body>
+</html>
