doc: various changes to the documentation
forgedhallpass committed Aug 16, 2024
1 parent fa68444 commit 7e9e4f6
Showing 10 changed files with 19 additions and 108 deletions.
Binary file removed assets/images/credentials_included.png
File renamed without changes
Expand Up @@ -328,7 +328,6 @@ org.owasp.csrfguard.Config.Print = true

##################################################################
## Javascript servlet settings if not set in web.xml ##
## https://wiki.owasp.org/index.php/CSRFGuard_3_Token_Injection ##
##################################################################

# This property denotes the location of the JavaScript template file that should be consumed and dynamically
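Review bot: dropping the `## https://wiki.owasp.org/index.php/CSRFGuard_3_Token_Injection ##` line leaves this banner with a title line and no reference at all, while the sibling hunk in csrfguard/src/main/resources/csrfguard.properties keeps a `## https://owasp.org/www-project-csrfguard ##` line in the same position. Consider adding the same project URL here so the two properties files stay in step, and check the `##` column alignment of the box after the deletion.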
2 changes: 1 addition & 1 deletion csrfguard/src/main/resources/csrfguard.properties
Expand Up @@ -327,7 +327,7 @@ org.owasp.csrfguard.Config.Print = true

##################################################################
## Javascript servlet settings if not set in web.xml ##
## https://owasp.org/www-project-csrfguard ##
## https://owasp.org/www-project-csrfguard ##
##################################################################

# This property denotes the location of the JavaScript template file that should be consumed and dynamically
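Review bot: the removed and added lines both read `## https://owasp.org/www-project-csrfguard ##` in this view, so the only difference can be padding or trailing whitespace inside the banner. If the intent is to re-align the `##` column, verify the remaining lines of the box use the same width; if it is an accidental whitespace change, it can be dropped from the commit to keep the diff minimal.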
17 changes: 13 additions & 4 deletions index.md
Expand Up @@ -11,7 +11,7 @@ pitch: OWASP CSRFGuard is a library that implements a variant of the synchronize

<!-- rebuild 40 -->

# CSRFGuard 3 Token Injection
# CSRFGuard 4 Token Injection

## Index

Expand All @@ -29,11 +29,20 @@ pitch: OWASP CSRFGuard is a library that implements a variant of the synchronize

## Overview

OWASP CSRFGuard implements a variant of the synchronizer token pattern to mitigate the risk of CSRF attacks. In order to implement this pattern, CSRFGuard must offer the capability to place the CSRF prevention token within the HTML produced by the protected web application. CSRFGuard 3 provides developers more fine grain control over the injection of the token. Developers can inject the token in their HTML using either dynamic JavaScript DOM manipulation or a JSP tag library. CSRFGuard no longer intercepts and modifies the HttpServletResponse object as was done in previous releases. The currently available token injection strategies are designed to make the integration of CSRFGuard more feasible and scalable within current enterprise web applications. Developers are encouraged to make use of both the JavaScript DOM Manipulation and the JSP tag library strategies for a complete token injection strategy. The JavaScript DOM Manipulation strategy is ideal as it is automated and requires minimal effort on behalf of the developer. In the event the JavaScript solution is insufficient within a particular application context, developers should leverage the JSP tag library. The purpose of this article is to describe the token injection strategies offered by OWASP CSRFGuard 3.
OWASP CSRFGuard implements a variant of the synchronizer token pattern to mitigate the risk of CSRF attacks. In order to implement this pattern, CSRFGuard must offer the capability to place the CSRF prevention token within the HTML produced by the protected web application. CSRFGuard provides developers more fine grain control over the injection of the token. Developers can inject the token in their HTML using either dynamic JavaScript DOM manipulation or a JSP tag library. The currently available token injection strategies are designed to make the integration of CSRFGuard more feasible and scalable within current enterprise web applications. Developers are encouraged to make use of both the JavaScript DOM Manipulation and the JSP tag library strategies for a complete token injection strategy. The JavaScript DOM Manipulation strategy is ideal as it is automated and requires minimal effort on behalf of the developer. In the event the JavaScript solution is insufficient within a particular application context, developers should leverage the JSP tag library. The purpose of this article is to describe the token injection strategies offered by OWASP CSRFGuard.

The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. When a user interacts with this HTML, CSRF prevention tokens (i.e. cryptographically random synchronizer tokens) are submitted with the corresponding HTTP request.

It is the responsibility of OWASP CSRFGuard to ensure the token is present and is valid for the current HTTP request.

Any attempt to submit a request to a protected resource without the correct corresponding token is viewed as a CSRF attack in progress and is discarded. Prior to discarding the request, CSRFGuard can be configured to take one or more actions such as logging aspects of the request and redirecting the user to a landing page.
The latest release enhances this strategy to support the optional verification of HTTP requests submitted using Ajax as well as the optional verification of referrer headers.

As OWASP project we follow the OWASP Code Of Conduct available here: https://owasp.org/www-policy/operational/code-of-conduct

## JavaScript DOM Manipulation

OWASP CSRFGuard 3 supports the ability to dynamically inject CSRF prevention tokens throughout the DOM currently loaded in the user's browser. This strategy is extremely valuable with regards to server-side performance as it simply requires the serving of a dynamic JavaScript file. There is little to no performance hit when the fetched dynamic JavaScript updates the browser's DOM. Making use of the JavaScript token injection solution requires the developer map a Servlet and place a JavaScript HTML tag within all pages sending requests to protected application resources. Developers are strongly encouraged to leverage the JavaScript token injection strategy by default. This strategy requires minimal effort on behalf of the developer as most of the token injection logic is automated. In the event that the JavaScript automated solution may be insufficient for a specific application context, developers should leverage the OWASP CSRFGuard JSP tag library. \
OWASP CSRFGuard supports the ability to dynamically inject CSRF prevention tokens throughout the DOM currently loaded in the user's browser. This strategy is extremely valuable with regards to server-side performance as it simply requires the serving of a dynamic JavaScript file. There is little to no performance hit when the fetched dynamic JavaScript updates the browser's DOM. Making use of the JavaScript token injection solution requires the developer map a Servlet and place a JavaScript HTML tag within all pages sending requests to protected application resources. Developers are strongly encouraged to leverage the JavaScript token injection strategy by default. This strategy requires minimal effort on behalf of the developer as most of the token injection logic is automated. In the event that the JavaScript automated solution may be insufficient for a specific application context, developers should leverage the OWASP CSRFGuard JSP tag library. \

**Note**: Use of JavaScript DOM Manipulation is required for Ajax support.

Expand Down Expand Up @@ -124,7 +133,7 @@ Developers are required to place an HTML script tag within all pages that are kn
The script tag retrieves and executes the dynamically generated JavaScript from the Servlet mapped at /Owasp.CsrfGuard.Test/JavaScriptServlet. This JavaScript code will register an event handler with window.onload. Once triggered, the code will iterate over every HTML element within the DOM looking for either form tags and or tags containing href or src attributes as configured by the JavaScriptServlet initialization parameters. Forms are dynamically updated to include the CSRFGuard token via a hidden field and tags using src and href attributes are updated to include the CSRFGuard token via a query string parameter.

## JSP Tag Library
OWASP CSRFGuard 3 exposes a JSP tag library providing developers more fine grain control over token injection. The library exposes JSP tags that allow access to the token name, the token value, and the token name value pair delimited by an equals (=) sign. In order to make use of the tag library, ensure the Owasp.CsrfGuard.jar file is found within the target application's classpath. For example, the [Owasp.CsrfGuard.Test](https://github.com/OWASP/www-project-csrfguard/tree/master/csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes) application places the OWASP CSRFGuard jar file within the WebContent/WEB-INF/lib directory. After placing the library in the classpath, developers can reference the tags in JSP pages using predefined URI reference. The following JSP code snippet imports the tag library and makes it available using the prefix "csrf":
OWASP CSRFGuard exposes a JSP tag library providing developers more fine grain control over token injection. The library exposes JSP tags that allow access to the token name, the token value, and the token name value pair delimited by an equals (=) sign. In order to make use of the tag library, ensure the Owasp.CsrfGuard.jar file is found within the target application's classpath. For example, the [Owasp.CsrfGuard.Test](https://github.com/OWASP/www-project-csrfguard/tree/master/csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes) application places the OWASP CSRFGuard jar file within the WebContent/WEB-INF/lib directory. After placing the library in the classpath, developers can reference the tags in JSP pages using predefined URI reference. The following JSP code snippet imports the tag library and makes it available using the prefix "csrf":
```
<%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>
```
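Review bot: two small grammar fixes in the touched paragraph: "using predefined URI reference" should be "using a predefined URI reference", and in the preceding context line "looking for either form tags and or tags containing href or src attributes" should read "form tags and/or tags". Separately, the taglib `uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld"` still carries the old wiki-style path that this commit replaces elsewhere; that string is the TLD identifier matched against the `<uri>` element of the bundled tag library descriptor, not a link to follow, so it must not be "fixed" unless the TLD changes too. A one-line remark to that effect after the snippet would stop readers and future cleanups from editing it.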
4 changes: 2 additions & 2 deletions info.md
Expand Up @@ -79,8 +79,8 @@ If you have questions, would like to share or discuss ideas, please use the offi

## CSRFGuard 4.0 Release Notes:

* [Support for stateless web applications](https://github.com/aramrami/OWASP-CSRFGuard/issues/122)
* [Apply "TokenPerPage" approach to AJAX](https://github.com/aramrami/OWASP-CSRFGuard/issues/123)
* [Support for stateless web applications](https://github.com/OWASP/www-project-csrfguard/issues/4)
* [Apply "TokenPerPage" approach to AJAX](https://github.com/OWASP/www-project-csrfguard/issues/2)
* [Reduced code duplication](https://github.com/aramrami/OWASP-CSRFGuard/issues/127)
* [Proper multi-module maven project structure](https://github.com/aramrami/OWASP-CSRFGuard/issues/128)
* [The test JSP web application now relies on the latest development JavaScript code](https://github.com/aramrami/OWASP-CSRFGuard/issues/133)
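Review bot: only the first two release-note links are migrated to https://github.com/OWASP/www-project-csrfguard/issues/…; the remaining items in this list still point at https://github.com/aramrami/OWASP-CSRFGuard/issues/…. If those issues were migrated to the OWASP repository as well, update them in the same commit; if not, the list now mixes two trackers and a short note saying where the older issues live would help readers.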
28 changes: 1 addition & 27 deletions readme.md
Expand Up @@ -175,30 +175,4 @@ git push origin <tag_name>
You can download pre-compiled versions from:

* [Maven Central repository](https://search.maven.org/search?q=csrfguard)
* [OSS Sonatype Nexus repository](https://oss.sonatype.org/#nexus-search;gav~~csrfguard~~~)

## CSRFGuard 4.0.0 Release Notes

* [Support for stateless web applications](https://github.com/aramrami/OWASP-CSRFGuard/issues/122)
* [Apply "TokenPerPage" approach to AJAX](https://github.com/aramrami/OWASP-CSRFGuard/issues/123)
* [Reduced code duplication](https://github.com/aramrami/OWASP-CSRFGuard/issues/127)
* [Proper multi-module maven project structure](https://github.com/aramrami/OWASP-CSRFGuard/issues/128)
* [The test JSP web application now relies on the latest development JavaScript code](https://github.com/aramrami/OWASP-CSRFGuard/issues/133)
* [Improved code quality](https://github.com/aramrami/OWASP-CSRFGuard/issues/134)
* [Addressing synchronous XMLHttpRequest deprecation](https://github.com/aramrami/OWASP-CSRFGuard/issues/137)
* [Approach changed for master and page token retrieval](https://github.com/aramrami/OWASP-CSRFGuard/issues/139)
* [Improved test coverage](https://github.com/aramrami/OWASP-CSRFGuard/issues/140)
* [Better solution for looking up page tokens in the JS](https://github.com/aramrami/OWASP-CSRFGuard/issues/141)
* [The javascript template is now parsable and minifiable](https://github.com/aramrami/OWASP-CSRFGuard/issues/142)
* [Short-circuit the solution logic if CSRFGuard is disabled](https://github.com/aramrami/OWASP-CSRFGuard/issues/143)
* [Do not generate page tokens for pages that are not protected](https://github.com/aramrami/OWASP-CSRFGuard/issues/144)
* [Page tokens generated on first use are not sent back to the client](https://github.com/aramrami/OWASP-CSRFGuard/issues/145)
* [Issue with the token-per-page support for REST endpoint containing path parameters](https://github.com/aramrami/OWASP-CSRFGuard/issues/146)
* [Possible race condition on first access of endpoints when token-per-page and AJAX request options are enabled](https://github.com/aramrami/OWASP-CSRFGuard/issues/147)
* [Tokens are not injected into dynamically created DOM elements ](https://github.com/aramrami/OWASP-CSRFGuard/issues/148)
* [Make the configuration more resilient to errors](https://github.com/aramrami/OWASP-CSRFGuard/issues/149)
* [Tokens should not be injected into external links if the domainStrict property is set to true](https://github.com/aramrami/OWASP-CSRFGuard/issues/150)
* [Tokens not injected in dynamic content returned from Ajax](https://github.com/aramrami/OWASP-CSRFGuard/issues/151)
* Heavily refactored, improved and more optimized code-base
* Documentation update and typo fixes.
* Copyright update and unification.
* [OSS Sonatype Nexus repository](https://oss.sonatype.org/#nexus-search;gav~~csrfguard~~~)
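Review bot: removing the whole `## CSRFGuard 4.0.0 Release Notes` block from readme.md deletes entries that do not appear in the visible part of info.md's `## CSRFGuard 4.0 Release Notes:` list, for example "Tokens should not be injected into external links if the domainStrict property is set to true" and "Tokens are not injected into dynamically created DOM elements"; confirm info.md carries the complete list before dropping it here, since those two describe security-relevant behaviour changes users search for. Also, the Sonatype Nexus link is deleted and re-added unchanged at the end of the hunk; deleting only the release-notes lines would leave it untouched and shrink the diff. The two headings also differ ("4.0.0 Release Notes" here, "4.0 Release Notes:" in info.md); pick one form.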
29 changes: 2 additions & 27 deletions tab_features.md
Expand Up @@ -9,34 +9,9 @@ tags: csrfguard
---
# OWASP CSRFGuard 4.0.0

![OWASP CSRFGuard 4.0.0](assets/images/csrfguard_3.1.0.png)
![OWASP CSRFGuard 4.0.0](assets/images/csrfguard.png)

# Some CSRGuard features

## Tags
```
<img src=“https://bank.com/fn?param=1”>
<iframe src=“https://bank.com/fn?param=1”>
<script src=“https://bank.com/fn?param=1”>
```

## Autoposting Forms
```
<body onload="document.forms[0].submit()">
<form method="POST" action=“https://bank.com/fn”>
<input type="hidden" name="sp" value="8109"/>
</form>
```
## XmlHttpRequest
Subject to same origin policy

## Credentials Included

![Credentials Included](assets/images/credentials_included.png)

# How Does CSRF Work?

## What is CSRF (Cross-Site Request Forgery) Attacks
## What are CSRF (Cross-Site Request Forgery) Attacks?

![How Does CSRF Work](assets/images/what_is_csrf_attacks_1.png)
![How Does CSRF Work](assets/images/what_is_csrf_attacks_2.png)
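Review bot: removing `# Some CSRGuard features` with its Tags, Autoposting Forms, XmlHttpRequest and Credentials Included subsections is the right call: those snippets illustrated CSRF delivery vectors rather than CSRFGuard features, the heading misspelled the project name, and the snippets used curly quotes (`“…”`) that would not even render as valid HTML. Two follow-ups: the image reference now points at `assets/images/csrfguard.png`, so confirm the "File renamed without changes" entry at the top of this commit is the rename from `csrfguard_3.1.0.png` to exactly that path, and the deletion of `assets/images/credentials_included.png` matches the dropped `![Credentials Included]` reference (it does in this view). The `# OWASP CSRFGuard 4.0.0` heading still hardcodes the version that index.md removes in this same commit; consider aligning the two.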
15 changes: 0 additions & 15 deletions tab_news.md

This file was deleted.

31 changes: 0 additions & 31 deletions tab_roadmap.md

This file was deleted.
