csrf-protection

Not able to authenticate post request for CSRF token with tomcat

安稳与你 submitted on 2019-12-01 19:21:01
I am working on a Tomcat application. I am trying to add the CSRF authentication token provided by the Catalina library (org.apache.catalina.filters.CsrfPrevention). I have added the filter to web.xml: <filter> <filter-name>CsrfFilter</filter-name> <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class> <init-param> <param-name>entryPoints</param-name> <param-value>/Login</param-value> </init-param> </filter> <filter-mapping> <filter-name>CsrfFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> Also I have updated the login.jsp: <% String url = '/Login?x=true'; String

Doubt on prevention of CSRF

↘锁芯ラ submitted on 2019-12-01 13:07:34
I had one doubt about CSRF prevention. A lot of sites say that CSRF can be prevented by using 'tokens' which are randomly generated per session. Now my doubt is, suppose I have a function like: $.post("abcd.php",{'fbuid':userid,'code':'<?php echo md5($_SESSION['randcode']); ?>'} Now this md5 hash would obviously be visible to any hacker through the source code. He could simply open this page, generate a token, and keep the page open, so that the session doesn't get destroyed, and use another tab or anything else to start hacking, no? Or is my idea of tokens incorrect? Thanks for your help.

laravel 5 csrf_token value is Empty

匆匆过客 submitted on 2019-12-01 06:42:48
Why is the Laravel 5 csrf_token value always empty? How can I get that token value? I tried {!! csrf_token !!}, {{ csrf_token }} and {{ Form::open() }} ....{{ Form::close() }} MY OUTPUT: <input type="hidden" name="_token"></input> Victor Hugo Avelar: It's because you're not using the web group middleware. Laravel is smart enough to know that if you're not using that group a token is not necessary. Try moving your route inside the Route::group(['middleware' => 'web'] ... and tell us about it :) Source: I made the same mistake not too long ago. I stumbled across this post having spent the

Same-Site cookie in Spring Security

六月ゝ 毕业季﹏ submitted on 2019-12-01 04:23:17
Question: Is it possible to set the Same-site cookie flag in Spring Security? See: https://tools.ietf.org/html/draft-west-first-party-cookies-07 And if not, is it on a roadmap to add support, please? There is already support in some browsers (i.e. Chrome). T.H. Answer 1: You can always set cookie values by yourself in the Java world if you can get an instance of the HttpServletResponse. Then you can do: response.setHeader("Set-Cookie", "key=value; HttpOnly; SameSite=strict") In spring-security you can easily

How to enable CSRF protection in JSF-Spring integrated application

落爺英雄遲暮 submitted on 2019-12-01 01:07:47
I have a JSF-Spring integrated application. Spring Security is also integrated in this application. These are the versions in my application: JSF 2.2, Spring 4.0.3.RELEASE, Spring Security 3.2.4.RELEASE. As per the JSF doc, all the POST requests in JSF 2.x [or even old versions] will be CSRF protected. However, I am able to penetrate my application with a CSRF attack. I tried a different JSF 2.2-only [no Spring] example application, and in that case I can see this example application is CSRF protected. So my understanding is that the JSF/Spring/Spring Security combination is giving the issue in my original

Play 2.5.4 - how to implement CSRF filters?

为君一笑 submitted on 2019-11-30 16:23:36
How does one implement CSRF filters in Play 2.5.4? The Play documentation is wrong (doesn't compile, and can't under the Play 2.5.4 Java API), and the example here doesn't compile (Play 2.5 disable csrf protection for some requests). The 2.5 Java API has a CSRFFilter class, but it is not a subclass of EssentialFilter, so it cannot be added to the array of EssentialFilters because it is the wrong type. Is this functionality currently broken for Play 2.5.4, or is the documentation currently misleading/wrong? This code works fine for me, Play 2.5.4 Java. Create the app/Filters.java file and put this import

Difference between CSRF and X-CSRF-Token

北城以北 submitted on 2019-11-30 13:17:21
Question: What is the difference between using X-CSRF-Token in a header and a token in a hidden field? When should one use a hidden field and when a header, and why? I think that X-CSRF-Token is for when I'm using JavaScript/AJAX, but I'm not sure. Answer 1: CSRF protection comes in a number of methods. The traditional way (the "Synchronizer token" pattern) usually involves setting a unique valid token value for each request and then verifying that unique value when the request is subsequently sent in. It is usually done by setting a

Difference between CSRF and X-CSRF-Token

ぃ、小莉子 submitted on 2019-11-30 08:58:56
What is the difference between using X-CSRF-Token in a header and a token in a hidden field? When should one use a hidden field and when a header, and why? I think that X-CSRF-Token is for when I'm using JavaScript/AJAX, but I'm not sure. CSRF protection comes in a number of methods. The traditional way (the "Synchronizer token" pattern) usually involves setting a unique valid token value for each request and then verifying that unique value when the request is subsequently sent in. It is usually done by setting a hidden form field. The token value is usually short-lived and associated to that session, so if a hacker

File upload in Struts2 along with the Spring CSRF token

前提是你 submitted on 2019-11-30 08:22:55
Question: I use Spring Framework 4.0.0 RELEASE (GA), Spring Security 3.2.0 RELEASE (GA), Struts 2.3.16, in which I use the built-in security token to guard against CSRF attacks. <s:form namespace="/admin_side" action="Category" enctype="multipart/form-data" method="POST" validate="true" id="dataForm" name="dataForm"> <s:hidden name="%{#attr._csrf.parameterName}" value="%{#attr._csrf.token}"/> </s:form> It is a multipart request in which the CSRF token is unavailable to Spring Security unless

How can I disable Django's csrf protection only in certain cases?

风格不统一 submitted on 2019-11-30 08:07:49
I'm trying to write a site in Django where the API URLs are the same as the user-facing URLs. But I'm having trouble with pages which use POST requests and CSRF protection. For example, if I have a page /foo/add, I want to be able to send POST requests to it in two ways: As an end user (authenticated using a session cookie) submitting a form. This requires CSRF protection. As an API client (authenticated using an HTTP request header). This will fail if CSRF protection is enabled. I have found various ways of disabling CSRF, such as @csrf_exempt, but these all disable it for the entire view. Is there