Spring Security - CSRF - How to reset CSRF token and log a potential CSRF attack (OWASP recommendation)

0
votes

We are using Spring Security framework in our application, especially to prevent it against CSRF attacks.

In the OWASP document about CSRF attacks prevention cheat sheet, they talk about the Synchronizer Token Pattern. So, when a wrong CSRF token is provided, they recommend to:

  1. Abort the request
  2. Reset the CSRF token
  3. Log the event as a potential CSRF attack in progress

I did a test, providing a wrong CSRF and get the following results :

  1. The request is abort and the response's status is set to 403 (= Forbiden)
  2. The token is not reset
  3. A simple DEBUG log is done by the Spring CSRFFilter : "Invalid CSRF token found for REQUESTED_URL"

So, my question are:

  • Q1: Is it possible to ask Spring Security to reset the CSRF token?
  • Q2: Is it possible to ask Spring Security to log a WARN message instead of a DEBUG message about a potential CSRF attack in progress?

Thanks.

1
securityspring-securitycsrfcsrf-protectionowasp

1 Answers

0
votes

You are not alone. I am still figure out how to reset the token.

To answer your q2, you can specify a custom AccessDeniedHandler, which allows you to process the InvalidCsrfTokenException in the way you like. The details you can find here.