csrf-protection

In what case can CSRF-exempt be dangerous?

白昼怎懂夜的黑 submitted on 2019-12-05 01:33:08
This question is more a reassurance than one directly about how to code. As an autodidact I did not have a lot of possibilities to ask professionals such things, so I try here. I have read the documents in the django-docs ( https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/ ) and some info on that page: http://cwe.mitre.org/top25/#CWE-352 As far as I have understood, django delivers a token (some kind of pin-code) to a user. And to verify it really is him, he has to return it the next time he does a request. And some guys at Google found out that this is even possible with ajax-requests,

CSRFGuard - request token does not match session token

蹲街弑〆低调 submitted on 2019-12-04 19:33:09
I am trying to incorporate the CSRFGuard library in order to rectify some CSRF vulnerabilities in an application. However, after configuring as specified here I am now getting the below messages in the log when I navigate the application: WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:169.xx.x.xxx, uri:/myapp/MyAction, error:request token does not match session token) Through including the: <script src="/sui/JavaScriptServlet"></script> On my main.jsp page the links have all been built incorporating the CSRFGuard token, e.g. ......./myapp/MyAction

codeigniter csrf error on form submission

南楼画角 submitted on 2019-12-04 17:18:29
I have a form using codeigniter brackets echo form_open('signup'); echo form_close(); and when I submit it I get the following error: An Error Was Encountered The action you have requested is not allowed. NOT always but often... even when the hidden input field exists inside the form: <div style="display:none"> <input type="hidden" value="token name is here" name="csrf_token_name"> </div> This also happens on a similar form (signin). EDIT: html generated via form <form accept-charset="utf-8" method="post" action="http://www.example.com/signup"> <div style="display:none"> <input type="hidden" value=

What is the right way to resolve token mismatch error in laravel?

╄→尐↘猪︶ㄣ submitted on 2019-12-04 16:00:24
Since I've updated laravel to 5.4 I constantly get: TokenMismatchException in VerifyCsrfToken.php line 68 exception thrown. After some digging and reading through a whole lot of posts and github issues I've figured that my tokens aren't matching :). The point is that my laravel app sets the encrypted version of the token "XSRF-TOKEN" instead of its plain (X-CSRF-TOKEN) counterpart and the helper csrf_token() spits out the plain token, hence mismatching tokens. Confusing though why documentation mentions X-XSRF-TOKEN when I get XSRF-TOKEN (missing X-) instead? So the questions are: Has the

Rails Form block in helper - How do I include “Protect from forgery”

≡放荡痞女 submitted on 2019-12-04 14:54:34
I'm trying to build a form block for my liquid theme language. I have based my approach on this answer. However, the answer seems to be incomplete. The problem is that protect from forgery and some other methods are unavailable, causing an error: Liquid error: undefined method `protect_against_forgery?' for # This is my code: class LiquidFormTag < Liquid::Block include ActionView::Context include ActionView::Helpers::FormHelper def initialize(tag_name, markup, tokens) super end def render(context) form_tag("#") do super end end end Liquid::Template.register_tag('liquid_form', LiquidFormTag)

Using AngularJS with SpringSecurity3.2 for CSRF

天涯浪子 submitted on 2019-12-04 14:26:07
Question AngularJS index.html <head> <meta name="_csrf" content="${_csrf.token}"/> <!-- default header name is X-CSRF-TOKEN --> <meta name="_csrf_header" content="${_csrf.headerName}"/> </head> SpringSecurity 3.2 Spring uses HttpSessionCsrfTokenRepository which by default gives header name for CSRF as X-CSRF-TOKEN, however the Angular convention is X-XSRF-TOKEN. I wanted to extend HttpSessionCsrfTokenRepository and override the header name, but since it is marked final I ended up implementing a custom

How to add crumb for CSRF in Jenkins via JSON / JS

删除回忆录丶 submitted on 2019-12-04 14:01:28
I want to create jobs in Jenkins via API, but I can't connect because of CSRF protection in Jenkins. I got a crumb but I don't know how to attach it to the url/request in JSON or JavaScript to get data passed via the POST method. Any ideas? I want to make it only with JS, without using JAVA. Thanks

It should be easy enough. There are a few things you are expected to do in order to get through CSRF in Jenkins. #1 Fetch an actual CSRF crumb that is valid and for that you should use the " /crumbIssuer " endpoint. AFAIK, this is a protected endpoint and therefore you should make an authenticated call to it using either API

Selective usage of Spring Security's CSRF filter

别来无恙 submitted on 2019-12-04 07:36:17
Disclaimer: My question is somewhat similar to this question and this question, but I have tried all the answers suggested in those threads and already spent a few days struggling with the problem. I am introducing Spring Security 3.2.6 in my existing application (JSP, Servlet only) and I am using Java configuration. My application will be used both by browsers and non-browser clients. I want all the browser requests to URLs (i.e. /webpages/webVersion/ and /webpages/webVersion2/ ) to be CSRF enabled and all the other requests to be CSRF disabled. Non-browser clients never access the above two URLs,

Renaming Spring csrf token variable

随声附和 submitted on 2019-12-04 02:00:14
Question My application runs under another portal application. Both are implemented in spring and both use csrf security. My need is basically to change how the csrf token is named in the session, so both the tokens can work without conflicts. What I tried so far is creating another token repository and trying to change the parameter name and the session attribute name in the security config class. final HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();

AntiForgeryToken invalid after sign in

百般思念 submitted on 2019-12-03 17:33:34
Question I have a form which the user can post without logging in. If however his email is recognized a password is required. The password form is validated over Ajax and if successful the main form is submitted. Both forms require a valid AntiForgeryToken. The catch is, the password check as a byproduct also signs the user in (a requirement from the client). This invalidates the token and the main form cannot be sent. I have tried programmatically generating a new token but I can't get it to work.