How do I send CSRF token authenticity from a php app that I own to a rails app that I own?

php,ruby-on-rails,httprequest,csrf,sugarcrm
I am an admin for a sugarCRM instance and I have a rails app on heroku. I want to be able to automatically add contacts to the rails app if they are added in sugarCRM. I have written a before_save logic_hook in my sugarCRM: function pushConts($bean, $event, $arguments) { $r...

Django CSRFTOKEN and problems with android client

android,django,csrf
I tried and searched a lot of answers here and on other webpages, but I spent all day and still can't do it. A friend built a Django backend and he asked me to build an Android app to connect to that backend; the best result was this Android Client...

CSRF Protection with tokens in meta tag - why can't it be stolen?

javascript,spring,spring-security,csrf,csrf-protection
A recommendation for being able to include a csrf prevention token in ajax calls is to include them as a meta tag in your page, which can then be accessed and included in the header. http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html How is this not exploitable? For example if example.com included the csrf token in...

Laravel 5 TokenMismatchException on PHP 5.6.9

php,laravel-5,csrf
Post requests work fine running Laravel 5 app on PHP 5.4. Post requests on the same app running on PHP 5.6.9 generate: TokenMismatchException VerifyCsrfToken.php on line 46 This happens on every post request on both WAMP and IIS. Happens using database sessions and file sessions. Did a full reinstall and...

tokens do not match (CSRF)

php,csrf
I have entered the following code to prevent CSRF by issuing and checking tokens. The top section goes on the login.php, the second part goes on the landing page. The issuing of the token works, and when I print $_SESSION['token'] on the landing page they match up. However, when I substitute...

How to protect against CSRF

token,csrf
How can I protect my website against a Cross-Site Request Forgery attack? I am visiting a "normal" website (e.g. normal.php). In the background it loads another website (e.g. victim.php/send_comment) where I'm already logged in. The website fills the comment boxes of victim.php with JS and automatically sends the request. In...

How is rails CSRF generated token useful?

ruby-on-rails,security,csrf
It seems I am missing something in the CSRF working mechanism, as I understand: If the CSRF token submitted with the form doesn't match the one in the session, the session is destroyed and thus all authentication data is lost and most probably the user won't be able to complete...

Is just checking the Referer header enough to prevent CSRF?

python,csrf,csrf-protection
Is comparing the Referer HTTP header enough to prevent CSRF? I have the following HTML code below. <div id="Message"></div><br> Username:<br> <input type="text" name="Username" id="Username"><br> Password:<br> <input type="password" name="Password" id="Password"><br> Keep me logged in:<br> <input type="checkbox" id="KeepSessionAlive"><br> <input type="submit" onClick="ProcessLogin();"> <script> function ProcessLogin(){...

Spring Boot, Freemarker, MVC Unit Tests, Csrf

c#,unit-testing,spring-boot,csrf,freemarker
I'm using Freemarker with Spring Boot and do MVC unit tests. In my Freemarker template I have a hidden input field for the CSRF token like this: <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> Then I also have an MVC unit test: @RunWith(SpringJUnit4ClassRunner.class) @SpringApplicationConfiguration(classes = MyApplication.class) @WebAppConfiguration @ActiveProfiles("test") public class MvcTests {...

how to disable csrf in testing django?

django,testing,csrf
I have a problem testing views with csrf tokens. This code class ViewTests(TestCase): def test_bets_view(self): login_page=self.client.get('/users/login/') print login_page.content returns HTML with CSRF hidden input. And this thing, which I need to compare to the former HTML, expected_html=render_to_response('login.html', dictionary={ 'form':LoginForm() }) doesn't have hidden CSRF input. So the assertion fails. Ho...

Custom HTTP Header or cookies? how custom authentication/authorization helps in CSRF?

javascript,http,cors,csrf
If someone can help me understand how a custom HTTP authorization header helps protect against a CSRF attack. Also correct me if I'm wrong: does it prevent replay attacks using Fiddler also? Thanks for your help in advance...

Cross-Site Forgeries (CSRF) and Public Application Interface

php,jquery,security,oop,csrf
Looking to tighten up security and prevent Cross-Site Request Forgery attacks. I understand tokenization for forms but am less clear on object instances. According to OWASP, the exploit criteria include 1. the web user needs to be authenticated and 2. CSRF attacks specifically target state-changing requests. At issue: I have a public facing...

Patch Rails 3 to fix CSRF protection vulnerability

javascript,ruby-on-rails,ruby,ruby-on-rails-3,csrf
I'm currently working on a big project which uses Rails 3.2 and have no opportunity to move to Rails 4. As I know, Rails 3 has a CSRF protection vulnerability when you have JS views which are requested by GET. In Rails 4 it was fixed by this PR....

How to know if my CSRF is working?

spring,csrf
I am trying to implement CSRF using Spring and Freemarker as my template. Due to the restrictions of Freemarker I had to add the JavaScript function to make it work, just as I saw it here: http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-include-csrf-token So, I added this code: $(function () { var token = $("meta[name='_csrf']").attr("content"); var header...

Default timeout of CSRF in ZF2

zend-framework2,zend-form,csrf,zend-form-element,csrf-protection
Is it possible to specify a global default timeout for CSRF form elements in Zend 2? Otherwise I have to specify a timeout option for each CSRF element. P.S.: What's the value of the current default timeout?...

Is this a secure way to prevent Cross-site Request Forgery (CSRF) attacks?

javascript,ajax,cookies,csrf
Our app is thus: Every user must login. The login page posts back to the server and, if the user is authorized, a SPA app is returned. The SPA app is totally AJAX over HTTPS. Normally we would send a sessionid cookie and a csrftoken cookie. The token cookie value would get included as an...

Codeigniter CSRF protection VS tabs

php,codeigniter,csrf
In the newish CodeIgniter v3, CSRF tokens are only valid once. As a result, I'm having some trouble dealing with multiple tabs: 1. Open a tab with Form1. 2. Open a tab with Form2. 3. Submit the tab with Form 1. 4. Submit the tab with Form 2. Step 4 will result in a...

CSRF token without cookies in PHP

php,security,session,cookies,csrf
I am looking for a way to add a CSRF token to an application I'm making. The caveat is, the application does not currently use cookies or sessions. I would love to find a way to introduce a CSRF token without having to: Introduce state in my application. Use session...

Csurf invalid csrf token Express / nodejs

node.js,cookies,express,csrf,mean-stack
I have this odd behavior: I get an error just the first time my page loads, basically it is 'EBADCSRFTOKEN'. I've been trying to figure out why it happens only the first time the page loads; if I hit refresh and get a new token everything works fine. The same...

Quick CSRF Token

php,csrf
So I have found a tutorial supplied on my last thread about generating a CSRF token ... Now how should I implement it? I've tried making it generate a new token per form request (however trying to do multiple form requests makes it invalid so that's off the list) and...

Can I use plone.protect 3.0 with Plone 4.3?

forms,security,plone,csrf,plone-4.x
Since version 3, plone.protect provides automatic CSRF protection. Plone 4.3 includes, by default, plone.protect 2.0. Can I just upgrade to start using this feature in Plone 4.3?...

How to POST with missing authenticity_token in rspec rails request test?

ruby-on-rails,rspec,csrf,authenticity-token
I'm simulating a request coming from an external service, which will not have an authenticity token. I want the test to fail if skip_before_action :verify_authenticity_token is missing. How do I do this from an RSpec request spec? Currently I'm using post as below, but it is happily accepted. post endpoint,...

Do I need csrf tokens after login?

ajax,node.js,security,reactjs,csrf
I'm building a simple todo list where the user will login (with csrf-token) and then be able to add items to the todo list. Would I need to add csrf_tokens to submissions using AJAX (todo list items) after the user has already logged in? I'm using session based authentication.

Does Drupal use Cross-Site Request Forgery (CSRF) tokens anywhere?

drupal,request,csrf
Is there a way to find out if a Drupal instance has CSRF tokens used anywhere? And how do we find out if those tokens are vulnerable? Any help is appreciated....

CSRF verification failed for Django despite Firebug saying there is a csrftoken underneath cookies tab. Why?

javascript,python,django,csrf,django-csrf
I followed a lot of the stuff recommended on StackOverflow but to no avail. Also I tried to squeeze in {% csrf_token %} in the html in various places but none seemed to work. Any suggestions? Here's my Django template input button: <input id=saveWaypoints type=button value=Save disabled=disabled> Which then triggers...

How can I extend my form with csrf token properly?

scala,playframework,csrf
I use Play2! Scala 2.3.8. I would like to add a default csrfToken for my form, but I don't know how. I tried it by this example https://www.playframework.com/documentation/2.3.8/ScalaCsrf I created a custom global object and I extended my form with: @helper.form(action = routes.Books.submitBook) { @helper.CSRF.formField but I got this...

Spring Resttemplate login fails

java,spring,spring-mvc,spring-security,csrf
After an update to spring-4.1.6 I'm not able to log in to my REST services any more. I looked on different sites, but couldn't solve the problem... so I ask for help. Here is my web.xml: <?xml version="1.0" encoding="ISO-8859-1"?> <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5"> <!-- The definition of the...

Rails 4 expired CSRF token after some time

security,ruby-on-rails-4,csrf
I have a Rails 4 app. If I opened a page with a form yesterday and my computer stays awake, the next day when I try to submit the form the app returns: 500 Internal Error. The log says that authenticity_token is invalid. What can I do?...

Why `init` of shim in my require.js configuration not called?

javascript,django,backbone.js,requirejs,csrf
Update: I was writing a small module to handle this CSRF token problem in Backbone until I got a push notification of @Louis's answer. His answer is quite elegant and seems nice, but I'll leave a link to my backbone.csrf module GitHub repo just for anyone who needs it. I'm...

CakePHP 3.0.4 and Invalid CSRF token

csrf,cakephp-3.0
I'm having a problem with the CSRF component since I've updated to the latest 3.0.4 CakePHP version yesterday. It looks like there is a security fix for previous versions, so I decided to upgrade as soon as possible, but since then I'm having this error when I try to log in to my...

preventing cross-site request forgery (csrf) attacks in asp.net web forms

asp.net,webforms,csrf,.net-framework-version
I have created an ASP.NET Web Forms application using Visual Studio 2013 and I am using .NET Framework 4.5, and I want to make sure my site is secure from Cross-Site Request Forgery (CSRF). I have found many articles talking about how this feature is implemented on MVC...

Asp.Net MVC Antiforgery validation fails when non-null usernames differ…is that reasonable?

asp.net-mvc,security,cookies,csrf,antiforgerytoken
My question is about the MVC Antiforgery system (described here). Consider a simple app which posts todos to /Todo/Create. The corresponding action method has the ValidateAntiForgeryToken attribute. Consider the following client workflow: User A logs on and goes to the page to create a todo, but doesn't do it yet....

Unable to decrypt CSRF/XSRF token in Laravel sent through Angular

php,angularjs,laravel,csrf
I am using the angularavel setup for my app. On my local setup I do not need to explicitly send the XSRF-TOKEN with the Angular HTTP request, and it works fine with Laravel. I uploaded the same setup on the server and tried to login using my form and Laravel...

Android RestTemplate 403 Expected CSRF token not found

android,spring,csrf,http-status-code-403,resttemplate
I use Spring Android to connect my Android app to a web service made with Spring MVC and Spring Security. This is the code snippet that connects to the web service: RestTemplate restTemplate = new RestTemplate(); restTemplate.getMessageConverters().add(new GsonHttpMessageConverter()); restTemplate.getMessageConverters().add(new StringHttpMessageConverter()); String token = getToken(context); HttpHeaders httpHeader = new HttpHeaders(); httpHeader.add(RestTemplateHelper.CSRF_TOKEN_HEADER, token); httpHeader.setContentType(MediaType.APPLICATION_JSON);...

Flask-wtf: csrf_token is removed from session before I can POST my form

python,ajax,flask,csrf,flask-wtforms
I'm using Flask with Flask-Security (specifically Flask-WTF regarding my CSRF issue) to "ease" the process of registering/logging in users (not easy so far). I'm using BackboneJS on the front-end, therefore I kind of hacked the original way to use Flask-WTF. Indeed, I make an AJAX GET request on /register to get...

Are anti-forgery tokens necessary on a login page?

security,web,login,csrf,antiforgerytoken
I keep seeing code samples which place anti-forgery tokens on standard username/password login pages. Even the Asp.Net web project template does it. Why? The only system state that is changed is the user's login status, and in order to even make that happen the attacker would need their username and...

Django 1.6 CSRF 403 errors

google-chrome,cookies,csrf,django-1.6
I have a site that is running Django 1.6.10. Recently some of our admins had trouble logging in and were getting the CSRF 403 error page. They had to delete all their cookies for the site to be able to log in again. This led me to wonder if it was...

Yii 2.0 CSRF validation for AJAX request

php,yii2,csrf
I have an ajax function that triggers an entry deletion from my database. I need to do CSRF validation for the same. How can I do that? I am sending the CSRF cookie along with my post request, but Yii 2.0 is not validating it and any input that is...

Session Id placement: Form Hidden Field vs. HTTPOnly Cookie

security,session,cookies,xss,csrf
What are the advantages and disadvantages of placing the session ID in a form or in a cookie? Is it correct to put the CSRF tag in a form hidden field and the session ID in an HttpOnly cookie? (Most secure?) I'm a newbie in security...

Multiple Django sites on the same domain - CSRF fails

django,cookies,csrf,django-csrf,csrf-protection
I have two applications running on the same domain on different ports, both using the CSRF middleware. When I log in to one of the applications, all POST submits from the other fail; I presume because the SESSION_COOKIE_DOMAIN is the same. I tried changing SESSION_COOKIE_NAME, however the 'csrftoken' cookie is used...

Is Encrypted Token Pattern CSRF protection immune to BREACH attack?

webforms,csrf,csrf-protection
OWASP's Encrypted Token Pattern is a CSRF protection solution, where the token value is a function of time. Would this mean that Encrypted Token Pattern has a built in BREACH attack protection?

Sending an email with Django; CSRF token missing or incorrect

python,django,email,csrf
I'm having some issues with CSRF tokens in my Django project. What I am trying to do is allow a user to send a file to a specific email address using a form on my website. The issue is the proverbial "CSRF token missing or incorrect". I've sifted through a...

How to include the CSRF token in the headers in Dropzone upload request?

javascript,laravel-5,csrf,dropzone.js
I am working on a single page application and I am using Laravel 5 for the web service. All forms are submitted asynchronously and I use a beforeSend on them to attach the CSRF token which I take from the meta tag like so: $.ajax({ url: '/whatever/route', type: 'POST', dataType:...

CSRF in a PHP/Yii project

php,security,yii,csrf
I have a Yii (PHP) project and now I want to test if it is safe against CSRF attacks. The code looks like this: if (!Yii::app()->request->isAjaxRequest) { die("error"); } else { // Do stuff } Now, if I call the URL in Firebug, it works ("Do stuff" is executed). $.get("example.com/foo", function(data){...

Risk of using a persistent XSRF-TOKEN cookie in Angular

javascript,angularjs,security,csrf
This is related to this question: CSRF Protection for Refresh Token Cookie in SPA. I want to use the recommended XSRF-TOKEN cookie mechanism to protect another HttpOnly cookie. For this scenario I need to make the XSRF-TOKEN cookie persistent, because it has to be available at app start up after...

Listen for and receive payload from github webhook in Python/Django

django,post,github,django-views,csrf
My problem is very much like the one here: How do I receive Github Webhooks in Python. The difference is, I am sure about my framework, that being Django. I have been able to register a webhook for a particular repository, and did port forwarding using ngrok. The payload delivered gets...

Does AntiForgeryToken requires session state?

asp.net,.net,asp.net-mvc,csrf
I don't use session, so I removed it together with all HTTP modules I don't need. I sometimes get this error: System.Web.Mvc.HttpAntiForgeryException: The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of...

PEAR QuickForm2 CSRF Protection

csrf,pear,quickform
I was looking for a way to ensure CSRF-Protection in my Quickform2. I found this link but it's for QuickForm1. Any ideas how I can adapt this to QF2? Thanks, Ron...

Will a cross site XMLHTTPRequest ever re-use credentials?

javascript,xmlhttprequest,csrf,http-basic-authentication
There is an open source daemon that has a JSON API. This daemon forces the use of basic HTTP authentication. I'm considering submitting a PR to always send the Access-Control-Allow-Origin: * header to allow the API to be consumed by other webpages, but I want to ensure it doesn't present...

Persistent CSRF Token Rejection in Rails App

ruby-on-rails,devise,csrf
I'm using Devise for authentication in a Rails 4.2 app. Most of the users are not having any issues logging in and getting their work done, but there is one user in particular that appears to consistently have a bad CSRF token and can't log in. Of course, the following...

Submit angular form to django backend with CSRF_COOKIE_HTTPONLY = True

angularjs,django,csrf,django-csrf
I have an Angular form that I want to submit via POST request to my Django backend. Regular wisdom for this is to use the following trick in your Angular app: angularApp.config(['$httpProvider', function ($httpProvider) { $httpProvider.defaults.xsrfCookieName = 'csrftoken'; $httpProvider.defaults.xsrfHeaderName = 'X-CSRFToken'; }]); However, this requires that your cookies are JavaScript accessible....

Spring security CSRF CORS

angularjs,rest,spring-security,cors,csrf
Problem Statement: I have some RESTful APIs which are CSRF protected using Spring Security. Also, these APIs will be accessed from a different origin/domain by an Angular web UI. I don't need Spring authentication as authentication is handled by SiteMinder. Approach: I followed this link from Dave Syer for CSRF protection...

Dropbox API no longer working, CSRF mismatch

php,dropbox,csrf,dropbox-api,dropbox-php
I use the Dropbox PHP SDK. Everything was working fine and suddenly the authentication process no longer works while no changes have been made to the code in this area. I receive the error 'CSRF Mismatch'. When looking at all CSRF tokens in the URL all seems to be correct:...

How to check a token (CSRF) on controller?

php,laravel,laravel-4,csrf
There is some option in Laravel that allows Laravel to create a token and test it on the server side to pull up CSRF attacks. I found this on the Laravel website, but it didn't say how to check from the controller whether it is an attack or from a native and real page....

Is CORS protection ( Same origin policy ) reliable?

http,cors,csrf
I have an anti-CSRF mechanism in my applications but I wonder, is it really necessary? Can I rely solely on the same origin policy to protect my users from cross site resource forging attacks?

Django CSRF cookie not set error if there is cookie value starting with square brackets '['

python,django,cookies,csrf,django-csrf
I have a django site that is hosted on xyz.mysite.com. Parent site mysite.com which I do not own or control sets up a cookie with value [XX]v3|[XXX]. This causes my site to return the error CSRF cookie not set. This happened because django/middleware/csrf.py csrf_token value is set to none when...

Can certain URLs be exempt from CSRF in sails.js?

javascript,sails.js,csrf,stripe-payments
I'm setting up Stripe to work with my sails.js server, and in order to use Stripe's webhooks, I need to disable CSRF for the URLs I provide to Stripe. Is it possible to make certain URLs exempt from CSRF POST requirements in sails.js? The only configuration I can find for...

Risks with protect_from_forgery :except => [:new] in rails 4.2.0 app

ruby-on-rails,ruby-on-rails-4,csrf
After upgrading from 3.2 to rails 4.2.0, the ajax call to create a new log caused exception in integration spec: Failure/Error: click_link 'New Log' ActionController::InvalidCrossOriginRequest: Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on...

Laravel 5 CSRF global token hidden field for all forms in a page

laravel,csrf
I recently migrated to Laravel 5, and now the CSRF check is on every POST submission. I thought about removing it but I want to follow the best practices, so I'll keep it that way. On the other hand, I'm having problems submitting AJAX requests... my page has multiple forms and some...