I am using OWASP to prevent information leakage on my application. But this not working properly as expected.
I logged in to my application and done some random clicks on the tabs in the application. Then I cleared the web browser history and cookies .When I click on any tab after this I will get an pop up screen by saying the session got expired please login again and it redirects me to the login screen when I click on the “ok” button (Till this it worked fine ) . But when I login again and clicking on the tab that used in the last session after deleting the cookies, I get the error “cross-site request forgery (CSRF) attack ...” (this is something weird). If am Clicking on any other tabs I am not getting any error and it works fine
this is a snippet of my OWASP.properties file :-
#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/ourUI/csrfError.jsp
#org.owasp.csrfguard.action.Redirect.Page=/OLDUI/error/error.jsp
#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
#org.owasp.csrfguard.action.RequestAttribute.AttributeName=errMsg
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
#org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
#org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
I have uncommented the following line and checked
org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
This time I got the error when I click first time on the tab which I have used in last session (followed the same procedure as above) Second time onwards it worked fine. Can anyone please help to find why this error I am getting? Do I need to make any other changes on this file?
Related
I am having issues using the Facebook send dialog. If I open this window in a new browser, everything works:
https://www.facebook.com/dialog/send
?app_id=[My_App_Id]
&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback
&link=https%3A%2F%2Fexample.com%2Fimage.jpg
So by doing that, I am able to send a message just fine. However, I need this to be in an iframe, which according to the send dialog documentation, this should work. So I then do this:
https://www.facebook.com/dialog/send
?app_id=[My_App_Id]
&display=iframe
&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback
&link=https%3A%2F%2Fexample.com%2Fimage.jpg
Doing so, I get the following error:
API Error Code: 102
API Error Description: Session key invalid or no longer valid
Error Message: Iframe dialogs must be called with a session key
I find it a little strange that I can do this with a popup, but they require a session key for iframe. But even so, that isn't a problem. Because I have already gotten an access_token. So, this should work then:
https://www.facebook.com/dialog/send
?app_id=[My_App_Id]
&display=iframe
&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback
&link=https%3A%2F%2Fexample.com%2Fimage.jpg
&access_token=[MY_OAUTH_ACCESS_TOKEN]
The access token was obtained from calling /v12.0/dialog/oauth, and I have confirmed that the access_token is valid:
However, I now get this message:
This Content Isn't Available Right Now
When this happens, it's usually because the owner only shared it with a small group of people, changed who can see it or it's been deleted.
So now this really makes no sense. I can send this link just fine if I use a popup with NO access_token present. But to set the display to iframe, I must include the token, which is fine, but it doesn't like the token for some reason?
It is also worth noting that this behaves the same way regardless if the Facebook app is in development mode or live mode. In development mode, all of the permissions should work for my test users. So it seems very unlikely that this is a permissions issue?
Anybody have any insight on this at all?
I'm using the Facebook Javascript API for login in conjunction with the official Facebook PHP SDK on my server to execute the two following lines of code:
$helper = $fb->getJavaScriptHelper();
$accessToken = $helper->getAccessToken();
With the token, I'm further able to execute this code which gets the necessary details I need on the server:
$fb->setDefaultAccessToken($accessToken);
$response = $fb->get('/me?locale=en_US&fields=name,first_name,last_name,email,gender');
If I refresh the webpage I'm working with and let it fully load everything works correctly and I'm able to print to screen all of the details I get back in $response.
The problem I'm having, however, is that if I quickly refresh the screen (either by hitting F5 on Windows machines or COMMAND+R on Macs) before the Facebook javascript code executes I get the following thrown error from the Facebook API:
"This authorization code has been used"
How do I avoid this? Do I wrap the Facebook code on the client side in a jQuery document ready function? I hesitate to do that because I've been told that the Facebook Javascript code is good to go as a stand-alone script that is intelligent enough to know when the document is loaded.
I'm about ready to throw in the towel and just code a manual login process that totally bypasses the Facebook Javascript API. Thanks for your help.
Put the access code into a $_session['access_token'] and then redirect to another page to get the data.
Login Page
Callback Page (save into the session variable)
Working Page (work with the session variable)
See more: https://benmarshall.me/facebook-php-sdk/#example-login
So, I've been at this for a while now, went through a bunch of different questions, and still no solution.
If I log in regularly, all is fine, I can logout as expected. But, if I login with facebook (authorize the app), then there is no way to logout unless I manually delete the cookies from within my browsers menu.
Following that logic, I wanted to destroy the cookies in the logout action using this code(after I modified my session settings to work across subdomains, for my particular case):
function logout() {
if ($this->Cookie->read('Auth.User')) {
$this->Cookie->delete('Auth.User');
}
$this->Auth->logout();
unset($_SESSION['fb_MYAPP_ID_user_id']);
unset($_COOKIE['fbm_MYAPP_ID']);
unset($_COOKIE['fbsr_MYAPP_ID']);
unset($_COOKIE['CAKEPHP']);
//pr($_SESSION);pr($_COOKIE);exit(); //here I see that the cookies are in fact deleted
$this->redirect($this->Auth->logout());
$this->redirect('/login');
}
But every time after the logout redirect it brings the user back, logged in, and the session/cookies recreated.
I went through a lot of SO questions and answers and none worked for me. Any ideas?
You cannot simply unset cookies from the cookie container, this is just the server side representation of the cookies contained in the request.
To delete cookies you need to set the exact same cookie (domain, path, name) but with an expiration that has passed - when read by the client this will cause the cookie to not be sent with the next request.
You can see how this is done in https://github.com/facebook/facebook-php-sdk/blob/master/src/base_facebook.php#L132.
I ended up using a combination of the following answers:
CakePHP + Facebook
$facebook->getSession() call breaks page below the call
The code on the first one is more complete, but is outdated. I also kept the unset() calls that I have in my question, and it seems to work good for now.
I love it when something is working in other browsers and then ya fire up IE and it all goes poof.
I'm getting the following error:
SEC7111: HTTPS security is compromised by http://www.example.com/myappname/?rctp=[an FB user id]
Here's the workflow:
User goes to canvas app on Facebook. Makes choices on form, form submission goes to app's URL on my domain where quick database work is done and redirects back to the app with user id added as a GET variable, which is used to trigger a user-generated request in Request 2.0 fashion.
Works fine in Firefox. In IE9, I get the "only secure content" error message. IE9 F12 debugger console shows the above "SEC7111: HTTPS security is compromised by http..." message.
Not sure why it's showing "http://www.example.com/myappname" as the url it's redirecting from is "https://www.example.com/myappname"
Again... works fine in Firefox. As per some of the other Q's I've seen here, I tried adding FB._https = (window.location.protocol == "https:"); and FB._https = true to the JavaScript but to no avail.
UPDATE: Ok, removing the GET variable clears up the problem. But I NEED to pass that variable. Is there another way to do it?
I am adding Facebook login to my existing asp.net application. I have added a Facebook login button to my login screen. Now, I click Facebook's login button and in IE 9 it throws client-side exception in all.js on Line 22: if(a.params)b.fbCallID=a.id;
Even after that exception I see the Facebook login screen and can log in, and in the main browser window I get the auth.login event, so I can live with that.
But, if I am already logged in to Facebook, I come to the page and click Facebook login button, I briefly see the empty popup window, then I get teh same client-side exception, and then I get no event in the main browser window, so I don't know if the user logged in so I can't redirect them to another page.
I tried the channelUrl trick but it didn't help.
Any suggestions what's going on?
I found this hack that fixed the issue for me; add this line right after you call FB.init():
// Hack to fix http://bugs.developers.facebook.net/show_bug.cgi?id=20168 for IE7/8/9
FB.UIServer.setLoadedNode = function (a, b) {
FB.UIServer._loadedNodes[a.id] = b;
};
The reason it is happening (from the websites and documents I have read, and believe me, I've read a LOT) is that IE refuses cross-site javascript, and it sees the all.js as crossing the sandbox border. A good discussion can be found here.
Some people say that adding the channel.html file works, but we have tried all flavors of that, and have not had any success. (Remember that the http or https must match the page sending the request.)
Microsoft makes reference to this same issue and their advice is to add the site to trusted sites (that doesn't help). Old advice (from last year) is to add CP="HONK" as your compact privacy policy, but I think that bug was fixed, and it was cookie-related.
What seems to be happening to us is that the login actually continues, and the callback gets called properly, but the main thread that should complete outside of the login call stops executing (because of the error). So, any functions outside the login fail to execute after the login call.
If anyone has a way to get IE to not throw the exception or to create a workaround for this issue, I am desperate to have it. Any info needed I will be happy to provide, but a sample is here:
enter code here
code before login here...
FB.login(function(response){
callback stuff here... This part fires.
});
main thread stuff here... This fails because of permission denied error.