Tuesday, June 30, 2015

Cross-Site Request Forgery (CSRF) Prevention Using Struts 2


Perform CSRF prevention using Struts 2 within an application.

Objectives

CSRF prevention is a key security control for an application that protects the application and its users from CSRF attacks. This article will describe how to use the built-in mechanisms provided by Struts 2 to perform CSRF prevention.

Code Example

There is a standard model for CSRF prevention using Struts 2 that involves three basic steps:
1. Update your interceptor stack to include the tokenSession interceptor, either including or excluding all methods (all are included here, via the wildcard).

<interceptors>
    <interceptor-stack name="...">
        ...
        <interceptor-ref name="tokenSession">
            <param name="includeMethods">*</param>
        </interceptor-ref>
    </interceptor-stack>
</interceptors>

2. Update your action configuration to include or exclude the methods that do or do not need CSRF protection.

<action ...>
    ...
    <interceptor-ref name="tokenSession">
        <!-- read-only lookups left unprotected; use includeMethods instead to list only the protected methods -->
        <param name="excludeMethods">searchBooks,getBook</param>
    </interceptor-ref>
</action>

3. Use s:token in your JSP form that requests the action.

<s:form action="...">
    ...
    <s:token />
    ...
</s:form>

Using these three simple steps you get a session-specific, per-user token that validates that a request was submitted intentionally by the user.
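As an added illustration (not code from the original post or from Struts itself), the Python model below shows the synchronizer-token behaviour the three steps produce: a token minted per session, carried in hidden form fields, accepted once, and useless to a forged cross-site request or to another user's session. The hidden-field names are my recollection of Struts' TokenHelper and should be treated as assumptions.

```python
import secrets
import hmac

# Hidden-field names as I recall them from Struts 2's TokenHelper (assumed, not verified):
# one field carries the *name* of the token field, the other carries the token value itself.
TOKEN_NAME_FIELD = "struts.token.name"
DEFAULT_TOKEN_NAME = "token"


def issue_token(session, token_name=DEFAULT_TOKEN_NAME):
    """Model of <s:token/>: mint a random token, keep it in the user's session,
    and return the hidden form fields the browser will send back."""
    token = secrets.token_hex(16)
    session[token_name] = token
    return {TOKEN_NAME_FIELD: token_name, token_name: token}


def valid_token(session, params):
    """Model of the interceptor's check: the request must name a token field,
    the value must equal the one stored in *this* session, and a token is
    good for one request only (it is removed from the session on success)."""
    token_name = params.get(TOKEN_NAME_FIELD)
    if not token_name:
        return False
    submitted = params.get(token_name)
    expected = session.get(token_name)
    if submitted is None or expected is None:
        return False
    if not hmac.compare_digest(submitted, expected):
        return False
    del session[token_name]          # one-time use: re-submitting the same form is rejected
    return True


def demo():
    """Walk through the cases the text describes; returns a dict of outcomes."""
    victim, attacker = {}, {}        # two independent server-side sessions (constructed)
    form = issue_token(victim)
    results = {}
    results["legit_submit"] = valid_token(victim, {**form, "bookId": "42"})
    results["replay_same_token"] = valid_token(victim, {**form, "bookId": "42"})
    # A cross-site page can make the victim's browser POST, but it cannot read the
    # victim's token, so the forged request either omits the field or guesses a value.
    form = issue_token(victim)
    results["forged_no_token"] = valid_token(victim, {"bookId": "42"})
    results["forged_guess"] = valid_token(victim, {TOKEN_NAME_FIELD: "token", "token": "0" * 32})
    # A token minted in the attacker's own session is worthless against the victim's session.
    results["other_session_token"] = valid_token(victim, issue_token(attacker))
    return results
```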
Note: There have been effective attacks against various CSRF prevention techniques including this token-based approach when an application has XSS vulnerabilities. Removing XSS is therefore viewed as a prerequisite activity for a complete CSRF prevention mechanism.
In conclusion, CSRF prevention can function as a strong security control if used properly and applied thoroughly throughout the application. The Struts 2 framework provides a simple series of steps for accomplishing this task.
