csrf

CSRF token generation

廉价感情. Submitted on 2019-12-28 07:39:23
Question: This is a question about generating CSRF tokens. Usually I'd like to generate a token based off of a unique piece of data associated with the user's session, hashed and salted with a secret key. My question is in regard to generating tokens when there is NO unique user data to use. No sessions are available, cookies are not an option, and IP address and things of that nature are not reliable. Is there any reason why I cannot include the string to hash as part of the request as well? Example

Is this a secure way to prevent Cross-site Request Forgery (CSRF) attacks?

此生再无相见时 Submitted on 2019-12-28 06:51:29
Question: Our app is thus: Every user must log in. The login page posts back to the server and, if the user is authorized, a SPA app is returned. The SPA app is totally AJAX over HTTPS. Normally we would send a sessionid cookie and a csrftoken cookie. The token cookie value would get included as an x-header on any AJAX posts and everything verified on the server on each request. As the SPA page is built before returning it to the browser we can embed whatever we like in it. We'd like the end user to be able to log in on

Django: cookies, sessions and middleware

旧巷老猫 Submitted on 2019-12-28 01:05:01
Contents: cookies and sessions; why cookies and sessions exist; cookies; setting a cookie; getting a cookie; deleting a cookie; example: cookie-based login check; sessions; setting a session; getting a session; deleting a session; a session can also be given a timeout; example: session-based login check; Django middleware; use cases; custom methods; Django request lifecycle flowchart; front-end operations with middleware; cross-site request forgery (csrf); phishing site example; anti-phishing strategies; adding decorators to CBVs; csrf_exempt; two ways to decorate; other decorators; three ways to decorate; daily interview questions; differences between python2 and python3 (write at least three); what is mutable and what is immutable; m=10, n=5, swap the values (at least two ways). Cookies and sessions. Why cookies and sessions exist: because the HTTP protocol is stateless, it cannot remember who the user is, so we would have to re-enter the password every time we log in; if no cookie is set, the page might not even be requestable. A cookie is a key-value pair stored in the client browser; it is set by the server on the client browser, which means the browser can in fact refuse the server's instruction. By default, browsers simply let the server set key-value pairs. Before we start, we need to adapt the "three axes" (Django's three basic response helpers): obj1 = HttpResponse() return obj1 obj2 =

CSRF protection: do we have to generate a token for every form?

三世轮回 Submitted on 2019-12-27 20:07:57
Question: Do we have to generate a token for every form in a website? I mean, every time generate a different token for every requested form? If not, why? Answer 1: In general, it suffices to have just one token per session, a so-called per-session token: In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires. If you want to further

Disable CSRF validation for individual actions in Yii2

£可爱£侵袭症+ Submitted on 2019-12-27 17:30:50
Question: Is there a way to disable CSRF validation for some actions of the controller while keeping it enabled for the other ones? In my case I have several configurable Action classes that are intended to be injected into controllers. I can't pass the CSRF validation token into the AJAX request because the thing I'm working with is an external (not made by me) WYSIWYG plugin on the frontend. Yes, I can still disable CSRF validation for the whole controller using these actions, but it may be insecure. Answer 1: For the

Two ways to disable CSRF protection in Laravel

半城伤御伤魂 Submitted on 2019-12-27 00:24:36
When a form is submitted, Laravel throws the following exception: TokenMismatchException in VerifyCsrfToken.php line 68. This is because Laravel enables CSRF protection by default. The specific solutions:
Method 1: pass the token value along.
When submitting a form:
<form action="photo/12" method="post">
<?php echo method_field('PUT'); ?>
<?php echo csrf_field(); ?>
<input type="submit" name="提交" />
</form>
When submitting with ajax:
<meta name="csrf-token" content="{{ csrf_token() }}">
$.ajaxSetup({ headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') } });
Method 2: exclude specified URLs from CSRF protection. For example, if the URL being accessed is http://laravel.com/photo/12 and you want to exclude the routes for the photo resource, add the route in App\Http\Middleware\VerifyCsrfToken::class as follows:
protected $except = [ 'photo',

DVWA Notes, Part 3: CSRF

浪子不回头ぞ Submitted on 2019-12-26 18:53:57
CSRF is different from XSS. It is called cross-site request forgery, and it uses a malicious script on another page to load, access or operate a trusted website that has a CSRF vulnerability.
1. Low level. The core code is as follows:
<?php
if( isset( $_GET['Login'] ) ) {
    // Get username
    $user = $_GET['username'];
    // Get password
    $pass = $_GET['password'];
    $pass = md5( $pass );
    // Check the database
    $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    $result = mysqli_query( $GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object( $GLOBALS["___mysqli_ston"] )) ? mysqli_error( $GLOBALS["___mysqli_ston"] ) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>'

PHP Session conflicts with AJAX

本小妞迷上赌 Submitted on 2019-12-25 14:23:06
Question: code speaks a thousand words
page.php?id=123
<?php
if(is_ajax()){ // function that determines whether the request is from ajax (http header stuff)
    $_SESSION['token'] = md5(rand());
}
//some ajax request to ajax.php?id=123
?>
ajax.php?id=123
<?php
if($_SESSION['token'] == $_GET['token']){
    echo 'Tell me this is for reall';
}else{
    echo 'Invalid Request';
}
?>
Everything works fine until the user opens page.php?id=456 on another tab; the ajax then returns 'invalid request' on page.php?id=123. How to

How to get a CSRF token from mobile apps when CSRF_USE_SESSIONS is True? (Django 1.11)

余生颓废 Submitted on 2019-12-25 10:25:11
Question: Good evening everybody. As a student group, we are developing an API using Django 1.11.2 and we would like to consume our API from mobile apps (such as Android applications). Currently, we are struggling with getting the CSRF token from mobile applications; here's the background: We are using CSRF_USE_SESSIONS = True. From what I understand from the Django CSRF documentation, the token is stored in the session instead of a cookie. We are using the SessionMiddleware in which the SESSION_ENGINE is

Using CSRF in Laravel

旧时模样 Submitted on 2019-12-25 07:03:37
Question: Here is my CSRF token as a hidden input:
<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">
And my CSRF token is generated as usual. While I am passing it into a route for a controller, here is my old route:
Route::post('register', 'RegisterController@registeruser');
And to make it work with CSRF:
Route::post('register', array('before' => 'csrf', function() { return 'You gave a valid CSRF token!'; }));
as per the Laravel Docs. While I am routing it to the controller:
Route::post('register', array('before' =>