How to know if my CSRF is working?

2.5k views

I am trying to implement CSRF using Spring and FreeMarker as my template.

Due to the restrictions of FreeMarker I had to add the JavaScript function to make it work, just as I saw it here:

http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-include-csrf-token

So, I added this code:

$(function () {
    // Read the token and header name that the Spring view rendered into the <meta> tags
    var token = $("meta[name='_csrf']").attr("content");
    var header = $("meta[name='_csrf_header']").attr("content");
    // Attach the token to every jQuery AJAX request before it is sent
    $(document).ajaxSend(function (e, xhr, options) {
        xhr.setRequestHeader(header, token);
    });
});

As far as I see, it is not adding anything, just some meta tags with no content... and I cannot be 100% sure the ajaxSend is working. Is there any way to know it is working?

I read that by default the CSRF is enabled. And I have the correct chain filters (as far as I could check).

I am using Spring 3.2.8 and Security 3.2.5 with FreeMarker 2.3.2.

Is there any way to verify this?

Thanks


There is 1 answer

Ralph (best answer)

If you want to check that the CSRF filter is preventing malicious requests, then use a tool like the Firefox plugin "Tamper Data" that is able to manipulate the request before it gets sent. With such a tool you can delete or change the sent CSRF-prevention token. -- When you change it or delete it, then the server must respond with an error (not authorized or something like that) -- But if the server fulfils the request like normal, then your CSRF protection is not working.
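The same check, automated, as an added example in Python that is not from the question or the answer: it POSTs once with the valid token, once with no token and once with an altered token, and reports which of them the server refused. The header name X-CSRF-TOKEN (Spring Security's default for the _csrf_header meta tag), the token value and the stand-in server that answers 403 like Spring's CsrfFilter are all constructed so the script runs offline; point verify_csrf() at the real endpoint with the token read from the page's _csrf meta tag instead.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSION_TOKEN = "constructed-session-token"  # constructed: what the server-side session holds
HEADER_NAME = "X-CSRF-TOKEN"                 # Spring Security's default _csrf_header value
NO_PROXY = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars


class FakeCsrfFilter(BaseHTTPRequestHandler):
    """Stand-in app: like CsrfFilter, accept a POST only with the session's token, else 403."""
    def do_POST(self):
        self.send_response(200 if self.headers.get(HEADER_NAME) == SESSION_TOKEN else 403)
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo output quiet

def post_status(url, token, header_name=HEADER_NAME):
    """POST to url, attaching the CSRF header only when token is not None; return the status code."""
    req = urllib.request.Request(url, data=b"", method="POST")
    if token is not None:
        req.add_header(header_name, token)
    try:
        return NO_PROXY.open(req).status
    except urllib.error.HTTPError as err:   # urllib raises on 4xx/5xx; the code is the result
        return err.code

def verify_csrf(url, good_token, header_name=HEADER_NAME):
    """The three probes from the answer: protection works only if the valid token is
    accepted and both the missing and the altered token are refused with 403."""
    results = {
        "valid": post_status(url, good_token, header_name),
        "missing": post_status(url, None, header_name),
        "tampered": post_status(url, good_token + "x", header_name),
    }
    results["protected"] = (results["valid"] == 200
                            and results["missing"] == 403 and results["tampered"] == 403)
    return results

def run_demo():
    """Start the stand-in server on a free port, probe it, and return the results."""
    server = HTTPServer(("127.0.0.1", 0), FakeCsrfFilter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return verify_csrf(f"http://127.0.0.1:{server.server_port}/form", SESSION_TOKEN)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())  # expected: {'valid': 200, 'missing': 403, 'tampered': 403, 'protected': True}
```

If "missing" and "tampered" both come back 200 against the real application, the CSRF filter is not in the chain for that URL; if "valid" is also 403, the token the page renders is not the one the session holds.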