csrf

Does AntiForgeryToken in ASP.NET MVC prevent against all CSRF attacks?

人走茶凉 提交于 2019-12-29 20:42:11
问题 Using AntiForgeryToken requires each request to pass a valid token, so malicious web pages with simple script posting data to my web application won't succeed. But what if a malicious script will first make some simple GET request (by Ajax) in order to download the page containing the antiforgery token in a hidden input field, extracts it, and use it to make a valid POST? Is it possible, or am I missing something? 回答1: Yes, this is all you need to do. As long as you generate a new token on

Does AntiForgeryToken in ASP.NET MVC prevent against all CSRF attacks?

北城余情 提交于 2019-12-29 20:39:11
问题 Using AntiForgeryToken requires each request to pass a valid token, so malicious web pages with simple script posting data to my web application won't succeed. But what if a malicious script will first make some simple GET request (by Ajax) in order to download the page containing the antiforgery token in a hidden input field, extracts it, and use it to make a valid POST? Is it possible, or am I missing something? 回答1: Yes, this is all you need to do. As long as you generate a new token on

yii2框架-yii2局部关闭(开启)csrf的验证

烈酒焚心 提交于 2019-12-29 17:11:26
(1)全局使用,我们直接在配置文件中设置enableCookieValidation为true [php] view plain copy request => [ 'enableCookieValidation' => true, ] 如果不需要使用csrf的话,设置'enableCookieValidation' => false,但是这是不安全的,因此yii2的yii\web\request中的enableCookieValidation默认设置为true的,也就是默认开启csrf的,所以我们也可以不配置这个值,默认开启。 如果开启csrf,因为这是全局的,所以在任何的post请求都会要求认证,所以我们在post数据的时候,就必须设置csrf的数据隐藏在表单中。 [php] view plain copy <input name="_csrf-backend" type="hidden" id="_csrf" value="<?php echo Yii::$app->request->csrfToken ?>">(每个人定论的csrf的name属性不一样,请自己参考自己的项目) post数据的时候必须要把这个值post过去,这个值的产生<?= Yii::$app->request->csrfToken ?>,返回一个加密后的csrfToken。

Web安全相关(二):跨站请求伪造(CSRF/XSRF)

笑着哭i 提交于 2019-12-29 11:34:54
简介   CSRF(Cross-site request forgery跨站请求伪造,也被称为“One Click Attack”或者Session Riding,通常缩写为CSRF或者XSRF,是一种对网站的恶意利用。尽管听起来像跨站脚本(XSS),但它与XSS非常不同,并且攻击方式几乎相左。XSS利用站点内的信任用户,而CSRF则通过伪装来自受信任用户的请求来利用受信任的网站。与XSS攻击相比,CSRF攻击往往不大流行(因此对其进行防范的资源也相当稀少)和难以防范,所以被认为比XSS更具危险性。 场景 某程序员大神God在某在线银行Online Bank给他的朋友Friend转账。          转账后,出于好奇,大神God查看了网站的源文件,以及捕获到转账的请求。          大神God发现,这个网站没有做防止CSRF的措施,而且他自己也有一个有一定访问量的网站,于是,他计划在自己的网站上内嵌一个隐藏的Iframe伪造请求(每10s发送一次),来等待鱼儿Fish上钩,给自己转账。   网站源码: 1 <html> 2 <head> 3 <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> 4 <title></title> 5 </head> 6 <body> 7 <div> 8

External image vulnerabilities

我们两清 提交于 2019-12-29 07:42:27
问题 What security holes can appear on my site by including external images via img tag and how to avoid them? I'm currently only checking the extension and mime-type of image on submission (that can be changed after URL is submitted) and URL is sanitized before putting it in src attribute. 回答1: There's probably a differentiation to be made here between who is at risk. If all you're doing is storing URLs, and not uploading images to your server, then your site is probably safe, and any potential

ng2 get csrf token from cookie post it as header

无人久伴 提交于 2019-12-29 05:36:12
问题 After spending 2 full days searching the web and reading docs and tons of open questions of people facing the same problem, i still don't grasp how Angular 2 handles the (x-origin) cookies and how to access them. The problem: Back-end sends 2 cookies with x-csrf-token & JSESSIONID inside of it. My job is to keep the csrf token in memory (ng2) and send it (only) back as header (not cookie) with every post to the back-end. HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Access-Control-Allow-Origin:

how to include AntiForgeryToken in an ajax action link in mvc?

不想你离开。 提交于 2019-12-29 01:25:18
问题 I have the following code: @Ajax.ActionLink("Delete", "Delete", new { id = item.ID, RequestVerificationToken=*What comes here?*}, new AjaxOptions { HttpMethod = "POST", UpdateTargetId = "formsIndex" }) I want to add the verification token to the link without using javascript in client side, it seems like a redundant dependancy since i already own that value in server. Is there a proper way to do that? 回答1: From the MSDN documentation (my emphasis) HtmlHelper.AntiForgeryToken Method Generates

how to include AntiForgeryToken in an ajax action link in mvc?

血红的双手。 提交于 2019-12-29 01:25:08
问题 I have the following code: @Ajax.ActionLink("Delete", "Delete", new { id = item.ID, RequestVerificationToken=*What comes here?*}, new AjaxOptions { HttpMethod = "POST", UpdateTargetId = "formsIndex" }) I want to add the verification token to the link without using javascript in client side, it seems like a redundant dependancy since i already own that value in server. Is there a proper way to do that? 回答1: From the MSDN documentation (my emphasis) HtmlHelper.AntiForgeryToken Method Generates

Disable symfony 2 csrf token protection on ajax submit

久未见 提交于 2019-12-28 11:49:09
问题 i'm building a mobile app talking to my symfony2 app via webservices I can't find a way to disable csrf protection on a specific controller/action i want to post registration data to this action and use sf2 form validation. I do not call the form in my mobile app Can't change container parameters in action, throw an exception because it is a frozen parameter... I do not want to disable form protection for whole my application any clue ? thanks ! update: with symfony 2.1.x /** * {@inheritdoc}

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'

≡放荡痞女 提交于 2019-12-28 08:04:21
问题 After configuring Spring Security 3.2, _csrf.token is not bound to a request or a session object. This is the spring security config: <http pattern="/login.jsp" security="none"/> <http> <intercept-url pattern="/**" access="ROLE_USER"/> <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1" default-target-url="/index.jsp"/> <logout/> <csrf /> </http> <authentication-manager> <authentication-provider> <user-service> <user name="test" password="test" authorities=
订阅 csrf