MCPcopy Index your code
hub / github.com/OWASP/SecurityShepherd / getToken

Method getToken

src/main/java/utils/Validate.java:60–94  ·  view source on GitHub ↗

Finds CSRF token from user's cookies[], validates. @param userCookies All of the user's cookies from their browser @return csrfCookie

(Cookie[] userCookies)

Source from the content-addressed store, hash-verified

58 * @return csrfCookie
59 */
60 public static Cookie getToken (Cookie[] userCookies)
61 {
62 int i = 0;
63 Cookie theToken = null;
64 for(i = 0; i < userCookies.length; i++)
65 {
66 if(userCookies[i].getName().compareTo("token") == 0)
67 {
68 theToken = userCookies[i];
69 break; //End Loop, because we found the token
70 }
71 }
72 if(theToken != null)
73 {
74 //log.debug("Found Cookie " + theToken.getName() + " with value " + theToken.getValue());
75 //The Token is currently designed to be a random Big Integer. If the Big Integer Case does not work, the token has been modified. Potentially in a malicious manner
76 try
77 {
78 BigInteger theTokenCasted = new BigInteger(theToken.getValue());
79 BigInteger tenGrand = new BigInteger("10000");
80 BigInteger tenGrandNeg = new BigInteger("-10000");
81 if(!(theTokenCasted.compareTo(tenGrand) > 0 || theTokenCasted.compareTo(tenGrandNeg) < 0))
82 {
83 log.error("CSRF Cookie Token was modified in some manor!");
84 theToken = null;
85 }
86 }
87 catch (Exception e)
88 {
89 log.error("CSRF Cookie Token was modified in some manor: " + e.toString());
90 theToken = null;
91 }
92 }
93 return theToken;
94 }
95
96 /**
97 * Validates class year when creating classes. Class year should be YY/YY, e.g. 11/12. So the first year must be less than the second.

Callers 15

doGetMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95

Calls

no outgoing calls

Tested by

no test coverage detected