  /**
   * Renders the effective CsrfGuard configuration as a multi-line, banner-framed
   * report: logger class, landing page, PRNG algorithm, session key / token names,
   * token length, the ajax / rotate / token-per-page switches, then every configured
   * action followed by its parameter map.
   *
   * <p>Review note: the dump includes each action's parameter values verbatim. Those
   * are configuration, not user input, but if an action parameter ever holds a
   * credential this string should not be sent to a log at INFO level — confirm
   * against the actions in use before logging it.
   *
   * @return the formatted property report, CRLF-terminated lines
   */
  @Override
  public String toString() {
    final String banner = "*****************************************************\r\n";
    StringBuilder report = new StringBuilder();

    report.append("\r\n").append(banner);
    report.append("* Owasp.CsrfGuard Properties\r\n");
    report.append("*\r\n");
    report.append(formatPropertyLine("Logger", getLogger().getClass().getName()));
    report.append(formatPropertyLine("NewTokenLandingPage", getNewTokenLandingPage()));
    report.append(formatPropertyLine("PRNG", getPrng().getAlgorithm()));
    report.append(formatPropertyLine("SessionKey", getSessionKey()));
    report.append(formatPropertyLine("TokenLength", getTokenLength()));
    report.append(formatPropertyLine("TokenName", getTokenName()));
    report.append(formatPropertyLine("Ajax", isAjaxEnabled()));
    report.append(formatPropertyLine("Rotate", isRotateEnabled()));
    report.append(formatPropertyLine("TokenPerPage", isTokenPerPageEnabled()));

    // One "Action" line per configured action, each followed by its tab-indented parameters.
    for (IAction configuredAction : actions) {
      report.append(formatPropertyLine("Action", configuredAction.getClass().getName()));

      for (String parameterName : configuredAction.getParameterMap().keySet()) {
        report.append(
            String.format(
                "*\tParameter: %s = %s\r\n",
                parameterName, configuredAction.getParameter(parameterName)));
      }
    }
    report.append(banner);

    return report.toString();
  }

  /** Formats one {@code "* Label: value"} report line, CRLF-terminated. */
  private static String formatPropertyLine(String label, Object value) {
    return String.format("* %s: %s\r\n", label, value);
  }
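  /**
   * Writes an auto-submitting HTML/JavaScript page that POSTs the browser to the
   * "new token" landing page. The target is the configured landing page, or the
   * current context path + servlet path when none is configured; a hidden CSRF
   * token field is attached only when the target is a protected page.
   *
   * <p>Security notes: every value spliced into the generated {@code <script>}
   * block (landing page URL, token name, token value) is escaped as a JavaScript
   * string literal. The servlet path is derived from the request URL, so without
   * escaping a crafted URL could break out of the {@code "action"} literal and the
   * page would be an XSS sink. The body is encoded as UTF-8 with a byte-accurate
   * Content-Length (the previous char-count length was wrong for any non-ASCII
   * value), and the response is marked {@code Cache-Control: no-store} because it
   * can carry a CSRF token.
   *
   * @param request the current request; supplies the default landing page and the token
   * @param response the response the page is written to
   * @throws IOException if the response stream cannot be written
   */
  public void writeLandingPage(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    String landingPage = getNewTokenLandingPage();

    // Default to the current page when no landing page is configured.
    if (landingPage == null) {
      landingPage = request.getContextPath() + request.getServletPath();
    }

    String code = buildAutoPostForm(request, landingPage);

    // Content-Length must be the encoded byte count, not the character count.
    byte[] body = code.getBytes("UTF-8");

    response.setContentType("text/html");
    response.setCharacterEncoding("UTF-8");
    response.setContentLength(body.length);
    // The page may embed a CSRF token; keep it out of browser and proxy caches.
    response.setHeader("Cache-Control", "no-store");
    response.setHeader("Pragma", "no-cache");

    OutputStream output = null;

    try {
      output = response.getOutputStream();
      output.write(body);
      output.flush();
    } finally {
      Streams.close(output);
    }
  }

  /**
   * Builds the HTML document whose inline script creates and submits a POST form
   * targeting {@code landingPage}, adding the CSRF token field only when
   * {@link #isProtectedPage(String)} says the target needs it.
   *
   * @param request the current request, used to look up the token value
   * @param landingPage the unescaped target URL (also used for the protection check)
   * @return the complete HTML page as a string
   */
  private String buildAutoPostForm(HttpServletRequest request, String landingPage) {
    StringBuilder sb = new StringBuilder();

    sb.append("<html>\r\n");
    sb.append("<head>\r\n");
    sb.append("<title>OWASP CSRFGuard Project - New Token Landing Page</title>\r\n");
    sb.append("</head>\r\n");
    sb.append("<body>\r\n");
    sb.append("<script type=\"text/javascript\">\r\n");
    sb.append("var form = document.createElement(\"form\");\r\n");
    sb.append("form.setAttribute(\"method\", \"post\");\r\n");
    sb.append("form.setAttribute(\"action\", \"");
    sb.append(escapeJsStringLiteral(landingPage));
    sb.append("\");\r\n");

    // Only include the token when the target is actually protected.
    if (isProtectedPage(landingPage)) {
      sb.append("var hiddenField = document.createElement(\"input\");\r\n");
      sb.append("hiddenField.setAttribute(\"type\", \"hidden\");\r\n");
      sb.append("hiddenField.setAttribute(\"name\", \"");
      sb.append(escapeJsStringLiteral(getTokenName()));
      sb.append("\");\r\n");
      sb.append("hiddenField.setAttribute(\"value\", \"");
      sb.append(escapeJsStringLiteral(getTokenValue(request, landingPage)));
      sb.append("\");\r\n");
      sb.append("form.appendChild(hiddenField);\r\n");
    }

    sb.append("document.body.appendChild(form);\r\n");
    sb.append("form.submit();\r\n");
    sb.append("</script>\r\n");
    sb.append("</body>\r\n");
    sb.append("</html>\r\n");

    return sb.toString();
  }

  /**
   * Escapes a value for use inside a double-quoted JavaScript string literal that
   * itself sits in an HTML {@code <script>} block. Only an allow-list of URL-safe
   * ASCII characters is emitted verbatim; everything else (quotes, backslash,
   * angle brackets, CR/LF, non-ASCII) becomes a {@code \\uXXXX} escape, so the
   * output can neither terminate the literal nor form a {@code </script>} tag.
   *
   * @param value the raw value; {@code null} is rendered as the text "null", as
   *     {@link StringBuilder#append(Object)} did before
   * @return the escaped value
   */
  private static String escapeJsStringLiteral(Object value) {
    String text = String.valueOf(value);
    StringBuilder out = new StringBuilder(text.length() + 16);

    for (int i = 0; i < text.length(); i++) {
      char c = text.charAt(i);
      boolean safe =
          (c >= 'a' && c <= 'z')
              || (c >= 'A' && c <= 'Z')
              || (c >= '0' && c <= '9')
              || c == '/'
              || c == '.'
              || c == '-'
              || c == '_'
              || c == ':'
              || c == '?'
              || c == '='
              || c == '&'
              || c == '#'
              || c == '~'
              || c == '%'
              || c == '+';

      if (safe) {
        out.append(c);
      } else {
        out.append(String.format("\\u%04x", (int) c));
      }
    }

    return out.toString();
  }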