20070116

OWASP CSRF Java EE filter


I have not tested this out yet, so please test before you implement it.

I think it's a really good idea to implement [XC]SRF fixing at a filter level. If this works, it's really kind of a thing of beauty because it takes the requirement for token generation and such out of the hands of the developer. The downside is that now the implementors will be required to apply the filter to the right URIs; this won't work for everything.

The way it works is that on responses, the filter finds every </form> tag and inserts a hidden form field carrying a newly generated token just before it. The same token is stored in the session. On requests, if there is a token in the session and the request either doesn't contain a token or contains one that doesn't match the session's token, the user is shown an error page. This works exactly the same way as the Struts token system, except that in Struts it's up to the developer to use the token system when they need it.

If I get some cycles to test this out, I'll let you know. The thing that's concerning is that there may be times that the request doesn't get put together by using a form (delete.do?id=1382, for example). You'll need to be careful about the implementation URI.
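As an added illustration of the mechanism described above (this is not the OWASP filter's own code, and it is untested against it), here is a servlet Filter that rewrites </form> tags on the way out and checks the session token on the way in. The parameter name, session attribute name and class name are assumptions chosen for the example; the real filter's names may differ.

```java
import java.io.CharArrayWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Illustrative CSRF filter (not the OWASP project's code). On the way out it inserts a
 * hidden token field before every closing form tag; on the way in it rejects any request
 * that does not carry the token currently held in the session.
 */
public class CsrfTokenFilter implements Filter {

    // Hypothetical names; the OWASP filter's own parameter/attribute names may differ.
    static final String TOKEN_PARAM = "csrf_token";
    static final String SESSION_ATTR = "csrf_token";
    private static final Pattern FORM_CLOSE = Pattern.compile("</form>", Pattern.CASE_INSENSITIVE);
    private static final SecureRandom RNG = new SecureRandom();

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // Request side. Once a token exists in the session, every request routed through
        // this filter must carry a matching copy. getParameter() reads both the POST body
        // and the query string, so a plain link such as delete.do?id=1382 only passes if
        // the token was appended to it; otherwise the user lands on the error response.
        String expected = (String) session.getAttribute(SESSION_ATTR);
        if (expected != null && !tokenMatches(expected, request.getParameter(TOKEN_PARAM))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
            return;
        }

        // Response side. Mint a fresh token, remember it in the session, and buffer the
        // downstream output so the closing form tags can be rewritten before anything is sent.
        String token = newToken();
        session.setAttribute(SESSION_ATTR, token);
        BufferingResponse buffered = new BufferingResponse(response);
        chain.doFilter(request, buffered);

        if (!buffered.writerUsed()) {
            return; // servlet wrote via getOutputStream() (binary content); nothing to rewrite
        }
        String hidden = "<input type=\"hidden\" name=\"" + TOKEN_PARAM + "\" value=\"" + token + "\"/>";
        String body = FORM_CLOSE.matcher(buffered.body())
                .replaceAll(Matcher.quoteReplacement(hidden + "</form>"));
        response.getWriter().write(body);
    }

    /** Captures character output so the filter can rewrite it after the servlet has run. */
    private static final class BufferingResponse extends HttpServletResponseWrapper {
        private final CharArrayWriter buffer = new CharArrayWriter();
        private final PrintWriter writer = new PrintWriter(buffer);
        private boolean writerUsed;

        BufferingResponse(HttpServletResponse wrapped) { super(wrapped); }

        @Override public PrintWriter getWriter() { writerUsed = true; return writer; }

        // Drop any Content-Length the servlet set: the rewritten body is longer than the
        // original, so the container must compute the length (or chunk) itself.
        @Override public void setContentLength(int len) { }

        boolean writerUsed() { return writerUsed; }
        String body() { writer.flush(); return buffer.toString(); }
    }

    /** 256 bits from SecureRandom, URL-safe so the token can also ride in a query string. */
    private static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Constant-time comparison so the check does not leak how many leading bytes matched. */
    private static boolean tokenMatches(String expected, String supplied) {
        return supplied != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

The filter is mapped in web.xml with a filter-mapping whose url-pattern covers only the URIs that need protection, which is exactly the choice the post says implementors have to get right. Two consequences of the per-response token worth knowing before mapping it: a request built without a form (a bookmarked or hand-written delete.do?id=1382 link) is rejected unless the token is appended as a query parameter, and because the session holds only the most recently issued token, a form rendered earlier in another tab will fail the check once a newer page has been served.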
