JSP

 

Since this project does not use Spring Security, we apply the OWASP library to add CSRF protection.

 

OWASP - CSRFGuard 3.0

 

Link to the OWASP main page:

https://www.owasp.org/index.php/Main_Page

 

The following page covers OWASP CSRFGuard token configuration and the declaration and configuration of the JavaScriptServlet in web.xml:

https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection

 

The OWASP CSRFGuard GitHub source repository:

https://github.com/esheri3/OWASP-CSRFGuard

 

Download address for csrfguard-3.0.0-sources.jar:

http://www.java2s.com/Code/Jar/c/Downloadcsrfguard300sourcesjar.htm


 

It can also be downloaded from the Maven repository, or declared in pom.xml:

http://mvnrepository.com/artifact/org.owasp/csrfguard/3.0.0

 

 

1. If you are not using Maven (or Spring), download the jar from the links above and place it in WEB-INF/lib.

With Maven, register the library by adding the following dependency to pom.xml.

<dependency>
    <groupId>org.owasp</groupId>
    <artifactId>csrfguard</artifactId>
    <version>3.0.0</version>
</dependency>

 

 

2. Create the target folders if they do not exist and put the two files where the web.xml in step 3 expects them.

csrfguard.js goes under a `script` folder in the web root: web.xml's `source-file` init-param is `script/csrfguard.js`, and `/script/*` is excluded from protection in the properties file for that reason. The properties file goes under `WEB-INF/classes` with exactly the name used in web.xml (`csrfguard.properties` below). The upstream file is called `Owasp.CsrfGuard.properties`, so either rename it or change the `Owasp.CsrfGuard.Config` value to match; if the name or path differs from web.xml, CSRFGuard cannot load its configuration at startup, or the script is never served.

csrfguard.js is in the GitHub repository at https://github.com/esheri3/OWASP-CSRFGuard (the copy from the test webapp):

https://github.com/esheri3/OWASP-CSRFGuard/blob/master/csrfguard-test/src/main/webapp/script/csrfguard.js

 

Owasp.CsrfGuard.properties is also on GitHub, but I simplified it to the settings below.

The options are documented in detail in the original file, and the file is also included in my GitHub repository.

The configuration may not work as-is depending on your setup. Note that the `org.owasp.csrfguard.unprotected.*` entries near the end (upload.html, ajax.html, and so on) come from the CSRFGuard test webapp: every URI listed there is exempt from token validation, so in a real application list only resources that are genuinely read-only, such as the static script folder, the favicon and the JavaScriptServlet itself.

Owasp.CsrfGuard.properties

# The OWASP CSRFGuard Project, BSD License
# Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011 
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
#    this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of OWASP nor the names of its contributors may be used
#    to endorse or promote products derived from this software without specific
#    prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# Logger
#
# The logger property (org.owasp.csrfguard.Logger) defines the qualified class name of 
# the object responsible for processing all log messages produced by CSRFGuard. The default
# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class logs all messages
# to System.out which JavaEE application servers redirect to a vendor specific log file.
# Developers can customize the logging behavior of CSRFGuard by implementing the
# org.owasp.csrfguard.log.ILogger interface and setting the logger property to the new
# logger's qualified class name. The following configuration snippet instructs OWASP CSRFGuard
# to capture all log messages to the console:
#
# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger

# New Token Landing Page
#
# The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage) defines where
# to send a user if the token is being generated for the first time, and the use new token landing
# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage) determines if any redirect happens.
# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not specified, and to true
# if it is specified. If UseNewTokenLandingPage is set true then this request is generated
# using auto-posting forms and will only contain the CSRF prevention token parameter, if
# applicable. All query-string or form parameters sent with the original request will be
# discarded. If this property is not defined, CSRFGuard will instead auto-post the user to the
# original context and servlet path. The following configuration snippet instructs OWASP CSRFGuard to
# redirect the user to /index.html when the user visits a protected resource
# without having a corresponding CSRF token present in the HttpSession object:
#
# org.owasp.csrfguard.NewTokenLandingPage=/index.html

# Protected Methods
#
# The protected methods property (org.owasp.csrfguard.ProtectedMethods) defines a comma
# separated list of HTTP request methods that should be protected by CSRFGuard. The default
# list is an empty list which will cause all HTTP methods to be protected, thus preserving
# legacy behavior. This setting allows the user to inform CSRFGuard that only requests of the
# given types should be considered for protection. All HTTP methods not in the list will be
# considered safe (i.e. view only / unable to modify data). This should be used only when the
# user has concrete knowledge that all requests made via methods not in the list
# are safe (i.e. do not apply an action to any data) since it can actually introduce new
# security vulnerabilities. For example: the user thinks that all actionable requests are
# only available by POST requests when in fact some are available via GET requests. If the
# user has excluded GET requests from the list then they have introduced a vulnerability.
# The following configuration snippet instructs OWASP CSRFGuard to protect only the POST,
# PUT, and DELETE HTTP methods.
#
# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE

# Unique Per-Page Tokens
#
# The unique token per-page property (org.owasp.csrfguard.TokenPerPage) is a boolean value that
# determines if CSRFGuard should make use of unique per-page (i.e. URI) prevention tokens as
# opposed to unique per-session prevention tokens. When a user requests a protected resource,
# CSRFGuard will determine if a page specific token has been previously generated. If a page
# specific token has not yet been previously generated, CSRFGuard will verify the request was
# submitted with the per-session token intact. After verifying the presence of the per-session token,
# CSRFGuard will create a page specific token that is required for all subsequent requests to the
# associated resource. The per-session CSRF token can only be used when requesting a resource for
# the first time. All subsequent requests must have the per-page token intact or the request will
# be treated as a CSRF attack. This behavior can be changed with the org.owasp.csrfguard.TokenPerPagePrecreate
# property. Enabling this property will make CSRFGuard calculate the per page token prior to a first
# visit. This option only works with JSTL token injection and is useful for preserving the validity of
# links if the user pushes the back button. There may be a performance impact when enabling this option
# if the .jsp has a large number of protected links that need tokens to be calculated.
# Use of the unique token per page property is currently experimental
# but provides a significant amount of improved security. Consider the exposure of a CSRF token using
# the legacy unique per-session model. Exposure of this token facilitates the attacker's ability to
# carry out a CSRF attack against the victim's active session for any resource exposed by the web
# application. Now consider the exposure of a CSRF token using the experimental unique token per-page
# model. Exposure of this token would only allow the attacker to carry out a CSRF attack against the
# victim's active session for a small subset of resources exposed by the web application. Use of the
# unique token per-page property is a strong defense in depth strategy significantly reducing the
# impact of exposed CSRF prevention tokens. The following configuration snippet instructs OWASP
# CSRFGuard to utilize the unique token per-page model:
#
# org.owasp.csrfguard.TokenPerPage=true
# org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false

# Token Rotation
#
# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean value that determines if
# CSRFGuard should generate and utilize a new token after verifying the previous token. Rotation
# helps minimize the window of opportunity an attacker has to leverage the victim's stolen token
# in a targeted CSRF attack. However, this functionality generally causes navigation problems in
# most applications. Specifically, the 'Back' button in the browser will often cease to function
# properly. When a user hits the 'Back' button and interacts with the HTML, the browser may submit
# an old token causing CSRFGuard to incorrectly believe this request is a CSRF attack in progress
# (i.e. a 'false positive'). Users can prevent this scenario by preventing the caching of HTML pages
# containing FORM submissions using the cache-control header. However, this may also introduce
# performance problems as the browser will have to request HTML on a more frequent basis. The following
# configuration snippet enables token rotation:
#
# org.owasp.csrfguard.Rotate=true

# Ajax and XMLHttpRequest Support
#
# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that indicates whether or not OWASP
# CSRFGuard should support the injection and verification of unique per-session prevention tokens for
# XMLHttpRequests. To leverage Ajax support, the user must not only set this property to true but must
# also reference the JavaScript DOM Manipulation code using a script element. This dynamic script will
# override the send method of the XMLHttpRequest object to ensure the submission of an X-Requested-With
# header name value pair coupled with the submission of a custom header name value pair for each request.
# The name of the custom header is the value of the token name property and the value of the header is
# always the unique per-session token value. This custom header is analogous to the HTTP parameter name
# value pairs submitted via traditional GET and POST requests. If the X-Requested-With header was sent
# in the HTTP request, then CSRFGuard will look for the presence and ensure the validity of the unique
# per-session token in the custom header name value pair. Note that verification of these headers takes
# precedence over verification of the CSRF token supplied as an HTTP parameter. More specifically,
# CSRFGuard does not verify the presence of the CSRF token if the Ajax support property is enabled and
# the corresponding X-Requested-With and custom headers are embedded within the request. The following
# configuration snippet instructs OWASP CSRFGuard to support Ajax requests by verifying the presence and
# correctness of the X-Requested-With and custom headers:
#
# org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.Ajax=true

# The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
# If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected.
# All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*),
# but you only want to protect a few pages.
#
# org.owasp.csrfguard.Protect=true

# Unprotected Pages:
#
# The unprotected pages property (org.owasp.csrfguard.unprotected.*) defines a series of pages that
# should not be protected by CSRFGuard. Such configurations are useful when the CsrfGuardFilter is
# aggressively mapped (ex: /*). The syntax of the property name is org.owasp.csrfguard.unprotected.[PageName],
# where PageName is some arbitrary identifier that can be used to reference a resource. The syntax of
# defining the uri of unprotected pages is the same as the syntax used by the JavaEE container for uri mapping.
# Specifically, CSRFGuard will identify the first match (if any) between the requested uri and an unprotected
# page in order of declaration. Match criteria is as follows:
#
# Case 1: exact match between request uri and unprotected page
# Case 2: longest path prefix match, beginning / and ending /*
# Case 3: extension match, beginning *.
# Default: requested resource must be validated by CSRFGuard
#
# The following code snippet illustrates the three use cases over four examples. The first two examples
# (Tag and JavaScriptServlet) look for direct URI matches. The third example (Html) looks for all resources
# ending in a .html extension. The last example (Public) looks for all resources prefixed with the URI path /MySite/Public/*.
#
# org.owasp.csrfguard.unprotected.Tag=/tag.jsp
# org.owasp.csrfguard.unprotected.JavaScriptServlet=/JavaScriptServlet
# org.owasp.csrfguard.unprotected.Html=*.html
# org.owasp.csrfguard.unprotected.Public=/MySite/Public/*
org.owasp.csrfguard.unprotected.script=/script/*

org.owasp.csrfguard.unprotected.Default=/
org.owasp.csrfguard.unprotected.Upload=/upload.html
org.owasp.csrfguard.unprotected.JavaScriptServlet=/JavaScriptServlet
org.owasp.csrfguard.unprotected.Ajax=/ajax.html
org.owasp.csrfguard.unprotected.Error=/error.html
org.owasp.csrfguard.unprotected.Index=/index.jsp
org.owasp.csrfguard.unprotected.JavaScript=/javascript.html
org.owasp.csrfguard.unprotected.Tag=/tag.jsp
org.owasp.csrfguard.unprotected.Redirect=/redirect.jsp
org.owasp.csrfguard.unprotected.Forward=/forward.jsp
org.owasp.csrfguard.unprotected.Session=/session.jsp
# each entry needs its own key: a repeated key replaces the earlier value when the file is loaded
org.owasp.csrfguard.unprotected.Favicon=/favicon.ico


#org.owasp.csrfguard.unprotected.Test=/Test/*

# Actions: Responding to Attacks
#
# The actions directive (org.owasp.csrfguard.action.*) gives the user the ability to specify one or more
# actions that should be invoked when a CSRF attack is detected. Every action must implement the
# org.owasp.csrfguard.action.IAction interface either directly or indirectly through the
# org.owasp.csrfguard.action.AbstractAction helper class. Many actions accept parameters that can be specified
# along with the action class declaration. These parameters are consumed at runtime and impact the behavior of
# the associated action.
#
# The syntax for defining and configuring CSRFGuard actions is relatively straight forward. Let us assume we wish
# to redirect the user to a default page when a CSRF attack is detected. A redirect action already exists within
# the CSRFGuard bundle and is available via the class name org.owasp.csrfguard.actions.Redirect. In order to enable
# this action, we capture the following declaration in the Owasp.CsrfGuard.properties file:
#
# syntax: org.owasp.csrfguard.action.[actionName]=[className]
# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect
#
# The aforementioned directive declares an action called "Redirect" (i.e. [actionName]) referencing the Java class
# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a CSRF attack is detected, the Redirect action
# will be executed. You may be asking yourself, "but how do I specify where the user is redirected?"; this is where
# action parameters come into play. In order to specify the redirect location, we capture the following declaration
# in the Owasp.CsrfGuard.properties file:
#
# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[parameterValue]
# example: org.owasp.csrfguard.action.Redirect.ErrorPage=/error.html
#
# The aforementioned directive declares an action parameter called "ErrorPage" (i.e. [parameterName]) with the value
# of "/error.html" (i.e. [parameterValue]) for the action "Redirect" (i.e. [actionName]). The
# Redirect action expects the "ErrorPage" parameter to be defined and will redirect the user to this location when
# an attack is detected.
#
#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/error.html
#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
#org.owasp.csrfguard.action.RequestAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
#org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
#org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
#org.owasp.csrfguard.action.Error.Code=403
#org.owasp.csrfguard.action.Error.Message=Security violation.

# Token Name
#
# The token name property (org.owasp.csrfguard.TokenName) defines the name of the HTTP parameter
# to contain the value of the OWASP CSRFGuard token for each request. The following configuration
# snippet sets the CSRFGuard token parameter name to the value OWASP_CSRFTOKEN:
#
# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN

# Session Key
#
# The session key property (org.owasp.csrfguard.SessionKey) defines the string literal used to save
# and lookup the CSRFGuard token from the session. This value is used by the filter and the tag
# libraries to retrieve and set the token value in the session. Developers can use this key to
# programmatically lookup the token within their own code. The following configuration snippet sets
# the session key to the value OWASP_CSRFTOKEN:
#
# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN

# Token Length
#
# The token length property (org.owasp.csrfguard.TokenLength) defines the number of characters that
# should be found within the CSRFGuard token. Note that characters are delimited by dashes (-) in groups
# of four. For cosmetic reasons, users are encouraged to ensure the token length is divisible by four.
# The following configuration snippet sets the token length property to 32 characters:
#
# org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.TokenLength=32

# Pseudo-random Number Generator
#
# The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used
# to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong
# pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number
# generator to SHA1PRNG:
#
# org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.PRNG=SHA1PRNG
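As an added illustration (not CSRFGuard's own code and not from the original page), the following JavaScript models the `org.owasp.csrfguard.unprotected.*` matching rules described in the comments above and runs them against a constructed properties snippet built from this page's entries. It assumes the application is deployed at the root context, so request URIs carry no context-path prefix, and it follows the documented "first match in order of declaration" rule; keep in mind that `java.util.Properties` is a hash table, so the real loader does not see declaration order and overlapping patterns should not rely on it. The snippet repeats the key `Session` on purpose to show that a duplicate key silently replaces the earlier URI when the file is loaded, which quietly removes a page from the exemption list.

```javascript
'use strict';

// Constructed sample (not the full file): the unprotected entries from this
// page, with the key "Session" deliberately declared twice.
const PROPERTIES_TEXT = `
# comments and blank lines are ignored by the loader
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.unprotected.script=/script/*
org.owasp.csrfguard.unprotected.Default=/
org.owasp.csrfguard.unprotected.Upload=/upload.html
org.owasp.csrfguard.unprotected.JavaScriptServlet=/JavaScriptServlet
org.owasp.csrfguard.unprotected.Session=/session.jsp
org.owasp.csrfguard.unprotected.Session=/favicon.ico
`;

const UNPROTECTED_PREFIX = 'org.owasp.csrfguard.unprotected.';

// java.util.Properties-style parse: key=value per line, '#'/'!' comment lines
// skipped, and a repeated key replaces the earlier value (last one wins).
function parseProperties(text) {
  const props = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith('!')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    props.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return props;
}

// The URI patterns that will be exempt from token validation.
function unprotectedPages(props) {
  return [...props]
    .filter(([key]) => key.startsWith(UNPROTECTED_PREFIX))
    .map(([, value]) => value);
}

// The three documented match cases for one pattern against a request URI.
function uriMatches(pattern, uri) {
  if (pattern === uri) return true;                          // Case 1: exact match
  if (pattern.startsWith('/') && pattern.endsWith('/*')) {   // Case 2: path prefix
    const prefix = pattern.slice(0, -1);                     // "/script/*" -> "/script/"
    return uri.startsWith(prefix);
  }
  if (pattern.startsWith('*.')) {                            // Case 3: extension
    return uri.endsWith(pattern.slice(1));                   // "*.html" -> ".html"
  }
  return false;                                              // Default: no match
}

// true when CSRFGuard would validate the token for this URI. With
// org.owasp.csrfguard.Protect=true the list is read the other way round:
// only listed pages are protected, everything else is exempt.
function isProtected(uri, pages, protectMode = false) {
  const listed = pages.some((pattern) => uriMatches(pattern, uri));
  return protectMode ? listed : !listed;
}

// Classify request URIs against a properties text; returns a uri -> verdict map.
function classify(uris, text = PROPERTIES_TEXT, protectMode = false) {
  const pages = unprotectedPages(parseProperties(text));
  const result = {};
  for (const uri of uris) {
    result[uri] = isProtected(uri, pages, protectMode) ? 'protected' : 'unprotected';
  }
  return result;
}

console.log(classify(['/', '/script/csrfguard.js', '/upload.html',
                      '/protect.html', '/session.jsp', '/favicon.ico']));
```

Run it with `node` and note that `/session.jsp` comes out as protected even though it is listed: the second `Session` line overwrote the first, so the page was silently dropped from the exemption list. Giving every entry a distinct key is the fix.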


 

 

 

3. Configure web.xml as follows.

This context-param tells CSRFGuard where to read the properties file from; the path is resolved against the web application root. Make sure the file really is at this location and has this name.
 

 <context-param>
        <param-name>Owasp.CsrfGuard.Config</param-name>
        <param-value>WEB-INF/classes/csrfguard.properties</param-value>
    </context-param>

 

 

Check that the csrfguard.js file name and location match this init-param; the path is relative to the web application root (here the `script` folder).
 

       <init-param>
        <param-name>source-file</param-name>
        <param-value>script/csrfguard.js</param-value>
       </init-param>

 

The details are at https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection, but they differ between versions, so check against the version you use. The configuration may also not work depending on your settings.

JavaScriptServlet serves csrfguard.js with the token name, token value and the init-param settings substituted into the template; this is how the Java side hands these values to the JavaScript. It must therefore be mapped to the path that the pages reference in `<script src="JavaScriptServlet">`, and that same path must be listed as unprotected in the properties file (`org.owasp.csrfguard.unprotected.JavaScriptServlet=/JavaScriptServlet`), otherwise the request for the script is itself subject to token validation. Pay attention to the mapping.

Two of the init-params below are security settings rather than cosmetics. `referer-pattern` is the regular expression that the Referer header of a request for the script must match before the token-bearing script is served; the value `.*localhost.*` is only suitable for local development, because it matches any Referer that merely contains the string `localhost`. In production, anchor it to the real origin (for example `https://www\.example\.com/.*`). `domain-strict=false` lets csrfguard.js inject tokens into requests to subdomains of the page's domain as well as the domain itself; set it to `true` unless the application really spans subdomains.

 

   <!-- CSRF start -->    
    <context-param>
        <param-name>Owasp.CsrfGuard.Config</param-name>
        <param-value>WEB-INF/classes/csrfguard.properties</param-value>
    </context-param>
    
    <context-param>
        <param-name>Owasp.CsrfGuard.Config.Print</param-name>
        <param-value>true</param-value>
    </context-param>
    
    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
    </listener>
    
    <filter>
        <filter-name>CSRFGuard</filter-name>
        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    </filter>
    
    <filter-mapping>
        <filter-name>CSRFGuard</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

     <!-- For CSRF Ajax support-->
     <servlet>
       <servlet-name>JavaScriptServlet</servlet-name>
       <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
       <init-param>
        <param-name>source-file</param-name>
        <param-value>script/csrfguard.js</param-value>
       </init-param>
       <init-param>
        <param-name>inject-into-forms</param-name>
        <param-value>true</param-value>
       </init-param>
       <init-param>
        <param-name>inject-into-attributes</param-name>
        <param-value>true</param-value>
       </init-param>
      <init-param>
        <param-name>domain-strict</param-name>
        <param-value>false</param-value>
      </init-param>
      <init-param>
        <param-name>referer-pattern</param-name>
        <param-value>.*localhost.*</param-value>
      </init-param>
     </servlet>
     
     <servlet-mapping>
       <servlet-name>JavaScriptServlet</servlet-name>
       <url-pattern>/JavaScriptServlet</url-pattern>
     </servlet-mapping>
    <!-- CSRF end -->
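An added example, not from the page and not CSRFGuard's own code: a JavaScript model of the Referer gate that JavaScriptServlet applies before it serves csrfguard.js. The served script embeds the current session's token value, which is why the servlet only answers requests whose Referer matches `referer-pattern`. Java evaluates that pattern with `Matcher.matches()`, i.e. the whole header must match, so the model anchors the expression as `^(?:…)$` and uses only regex syntax shared by Java and JavaScript. It treats a missing Referer as a refusal (how the real servlet handles an absent header is version-specific, so that choice is an assumption), and `https://www.example.com` is a placeholder production origin. It shows why the page's development value `.*localhost.*` must not ship: any Referer that contains the substring passes.

```javascript
'use strict';

// Java's Matcher.matches() succeeds only if the entire input matches, so a
// pattern written for web.xml is emulated by anchoring it on both ends.
function javaMatches(pattern, input) {
  return new RegExp('^(?:' + pattern + ')$').test(input);
}

// Model of the JavaScriptServlet gate. Returns true when the token-bearing
// script would be served to a request carrying this Referer header.
function shouldServeScript(refererPattern, refererHeader) {
  if (refererHeader === null || refererHeader === undefined) {
    return false; // assumption for this model: no Referer, no script
  }
  return javaMatches(refererPattern, refererHeader);
}

// The value from this page's web.xml: acceptable on a developer machine only.
const DEV_PATTERN = '.*localhost.*';

// An anchored production value (placeholder origin): fixed scheme, exact host,
// optional path. Dots are escaped so "example.com" cannot match "exampleXcom".
const PROD_PATTERN = 'https://www\\.example\\.com(/.*)?';

// Evaluate a candidate pattern against several Referer values at once; useful
// for checking a referer-pattern before putting it into web.xml.
function evaluatePattern(pattern, referers) {
  const out = {};
  for (const ref of referers) out[String(ref)] = shouldServeScript(pattern, ref);
  return out;
}

// Constructed sample headers.
const SAMPLE_REFERERS = [
  'http://localhost:8080/index.jsp',    // legitimate development page
  'http://evil.example/?localhost',     // attacker page with the word in its query string
  'http://localhost.evil.example/',     // attacker-controlled host name
  'https://www.example.com/index.jsp',  // legitimate production page
  'https://www.example.com.evil.net/',  // look-alike host
  'http://www.example.com/',            // wrong scheme
  null,                                 // header absent
];

console.log('dev :', evaluatePattern(DEV_PATTERN, SAMPLE_REFERERS));
console.log('prod:', evaluatePattern(PROD_PATTERN, SAMPLE_REFERERS));
```

With the development pattern the second and third samples are served the script; with the anchored pattern only the genuine production page is.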

 

 

4. Once the configuration is done, code the pages as follows.

For the tag approach

Declare the tag library at the top of the JSP.

<%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>

 

For form submission

<csrf:form id="formTest2" name="formTest2" action="protect.html">
	<input type="text" name="text" value="text"/>
	<input type="submit" name="submit" value="submit"/>
</csrf:form>

 

The following approach also works, but errors can occur depending on the configuration (the tag names are `token-name` and `token-value`, with hyphens, as in the full source further down).

<form id="formTest1" name="formTest1" action="protect.html">
	<input type="text" name="text" value="text"/>
	<input type="submit" name="submit" value="submit"/>
	<input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value uri="protect.html"/>"/>
</form>

 

For links, code as follows.

<ul>
	<li><a href="protect.html?<csrf:token uri="protect.html"/>">protect.html</a></li>
	<li><a href="/protect.html?<csrf:token uri="/protect.html"/>">/protect.html</a></li>
	<li><a href="http://localhost/test.html?<csrf:token uri="http://localhost/test.html"/>">http://localhost/test.html</a></li>
	<li><a href="javascript:alert('test')">javascript:alert('test')</a></li>
</ul>
<ul>
	<li><csrf:a href="protect.html">protect.html</csrf:a></li>
	<li><csrf:a href="/protect.html">/protect.html</csrf:a></li>
</ul>

 

Full source

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>JSP Tag Token Injection</title>
</head>
<body>
<h3>Test Link(s)</h3>
<ul>
    <li><a href="protect.html?<csrf:token uri="protect.html"/>">protect.html</a></li>
    <li><a href="/protect.html?<csrf:token uri="/protect.html"/>">/protect.html</a></li>
    <li><a href="http://localhost/test.html?<csrf:token uri="http://localhost/test.html"/>">http://localhost/test.html</a></li>
    <li><a href="javascript:alert('test')">javascript:alert('test')</a></li>
</ul>
<ul>
    <li><csrf:a href="protect.html">protect.html</csrf:a></li>
    <li><csrf:a href="/protect.html">/protect.html</csrf:a></li>
</ul>
<br/>
<h3>Test Form(s) using the &raquo;csrf:token-name/&laquo; tag</h3>
<form id="formTest1" name="formTest1" action="protect.html">
    <input type="text" name="text" value="text"/>
    <input type="submit" name="submit" value="submit"/>
    <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value uri="protect.html"/>"/>
</form>

<h3>Test Form(s) using the &raquo;csrf:form/&laquo; tag</h3>
<csrf:form id="formTest2" name="formTest2" action="protect.html">
    <input type="text" name="text" value="text"/>
    <input type="submit" name="submit" value="submit"/>
</csrf:form>


</body>
</html>

 

 

 

For the JavaScript approach

 

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>JavaScript Token Injection</title>
<!-- OWASP CSRFGuard JavaScript Support: include once; the path must match the JavaScriptServlet mapping in web.xml -->
<script src="JavaScriptServlet"></script>
</head>
<body>
<h3>Test Link(s)</h3>
<ul>
	<li><a href="protect.html">protect.html</a></li>
	<li><a href="/protect.html">/protect.html</a></li>
	<li><a href="http://localhost/test.html">http://localhost/test.html</a></li>
	<li><a href="javascript:alert('test')">javascript:alert('test')</a></li>
</ul>
<br/>
<h3>Test Form(s)</h3>
<form name="test1" action="protect.html">
	<input type="text" name="text" value="text"/>
	<input type="submit" name="submit" value="submit"/>
</form>
<br/>
<br/>
<h3>Evil Form(s)</h3>
<!-- posts to a foreign domain: the domain check in csrfguard.js is meant to leave this form without a token -->
<form name="test2" action="http://www.evilsite.com/protect.html">
	<input type="text" name="text" value="text"/>
	<input type="submit" name="submit" value="submit"/>
</form>
<br/>
<br/>
<h3>IFrame</h3>
<iframe src="protect.html"></iframe>
<br/>
<br/>
<h3>Image Tag</h3>
<img src="protect.html" />
<img src="protect.html" />
</body>
</html>
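As an added example (not csrfguard.js itself and not from the page), the following JavaScript reproduces the two decisions the injected script makes for the test page above: which link, form and XHR targets receive the token, and what an Ajax request carries. Targets on the page's own host, or on its subdomains when `domain-strict=false`, receive it; foreign domains (the evil form), `javascript:` links and fragment anchors do not. The XHR part wraps `open`/`send` so that same-origin requests carry `X-Requested-With` and the token header, which is what the filter verifies when `org.owasp.csrfguard.Ajax=true`. The token value, the page host `localhost` and the use of a single per-session token (the page enables per-page tokens, which is a refinement not modelled here) are assumptions for the demonstration. The browser wiring is skipped when no `XMLHttpRequest` exists, so the file also runs under Node.

```javascript
'use strict';

// Assumed settings for the demonstration (the token value is constructed).
const TOKEN_NAME = 'OWASP_CSRFTOKEN';
const TOKEN_VALUE = 'ABCD-EFGH-IJKL-MNOP-QRST-UVWX-YZ01-2345';
const PAGE_HOST = 'localhost';
const DOMAIN_STRICT = false; // the value in this page's web.xml

// Host name of an absolute http(s) URL, '' for other schemes, null for relative URLs.
function hostOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.hostname : '';
  } catch (e) {
    return null; // not absolute: resolves against the page, i.e. same origin
  }
}

// Domain rule: the page's own host always qualifies; with domain-strict=false
// its subdomains qualify too. "localhost.evil.example" is not a subdomain of "localhost".
function isValidDomain(targetHost, pageHost, strict) {
  if (targetHost === pageHost) return true;
  return !strict && targetHost.endsWith('.' + pageHost);
}

// Should this link/form/XHR target receive the token?
function shouldInject(url) {
  const trimmed = String(url).trim();
  const lower = trimmed.toLowerCase();
  if (trimmed === '' || lower.startsWith('#') || lower.startsWith('javascript:')) return false;
  const host = hostOf(trimmed);
  if (host === null) return true;   // relative URL: same origin
  if (host === '') return false;    // data:, mailto:, ...
  return isValidDomain(host, PAGE_HOST, DOMAIN_STRICT);
}

// Token appended as a query parameter (links, img/iframe src).
function appendToken(url) {
  if (!shouldInject(url)) return url;
  const sep = url.includes('?') ? '&' : '?';
  return url + sep + TOKEN_NAME + '=' + encodeURIComponent(TOKEN_VALUE);
}

// Hidden field to add to a form, or null when the form must stay untouched.
function hiddenField(formAction) {
  return shouldInject(formAction) ? { name: TOKEN_NAME, value: TOKEN_VALUE } : null;
}

// Headers a hooked XMLHttpRequest adds for a same-origin request.
function ajaxHeaders(url) {
  if (!shouldInject(url)) return {};
  return { 'X-Requested-With': 'XMLHttpRequest', [TOKEN_NAME]: TOKEN_VALUE };
}

// Browser-only wiring, skipped under Node: remember the target in open(),
// attach the headers in send().
if (typeof XMLHttpRequest !== 'undefined') {
  const origOpen = XMLHttpRequest.prototype.open;
  const origSend = XMLHttpRequest.prototype.send;
  XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    this._csrfHeaders = ajaxHeaders(String(url));
    return origOpen.call(this, method, url, ...rest);
  };
  XMLHttpRequest.prototype.send = function (body) {
    for (const [name, value] of Object.entries(this._csrfHeaders || {})) {
      this.setRequestHeader(name, value);
    }
    return origSend.call(this, body);
  };
}

// The targets from the test page above, with the decision for each.
const PAGE_TARGETS = ['protect.html', '/protect.html', 'http://localhost/test.html',
                      "javascript:alert('test')", 'http://www.evilsite.com/protect.html'];
console.log(PAGE_TARGETS.map((t) => [t, appendToken(t)]));
```

The foreign-domain form is the important negative case: a script that appended the token to every target would hand the session's token to whichever site a link or form points at.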

 

 

 

Developer: 최준호 - macaronics.net

Source: https://github.com/braverokmc79/jsp_sin

 

 
