csrf

django: csrf_token for multiple forms and ajax requests on a single page

空扰寡人 submitted on 2019-12-24 11:34:19
Question: My website has a single page with 2 forms and 3 ajax-based POST calls. I have used csrf_token in one of the forms. Also, to be able to perform csrf-safe ajax calls, I am using the guidelines posted in the official documentation: https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/ and this blog: https://realpython.com/blog/python/django-and-ajax-form-submissions/ As suggested, by using this piece of code https://gist.github.com/broinjc/db6e0ac214c355c887e5 in my javascript file, it seems I

Angular 2 Spring Security CSRF Token

一世执手 submitted on 2019-12-24 11:18:53
Question: Hi everyone, I'm having trouble setting up a security solution for my app! So I have a REST API backend which runs at http://localhost:51030 and is developed with the Spring Framework, and for the front end I have an Angular 2 application (the latest version, A.K.A. Angular 4) which runs at http://localhost:4200. I have set the CORS configuration in the backend as seen below: public class CORSFilter implements Filter { // The list of domains allowed to access the server private final List<String>

preventing cross site request forgery in the url

匆匆过客 submitted on 2019-12-24 09:48:24
Question: I think I understand CSRF and how using form keys can prevent it, but this can only be useful for POST data coming from a form, right? In my website I let logged-in users delete some items by clicking on a Delete button which sends them to delete.php?id={item_id}. On delete.php I check if the item belongs to the user; if it does, then the script deletes it. How can I stop some other site posting a link like www.mysite.com/delete.php?id=3? I understand that the attacker will have to guess
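
The endpoint the question describes, as an added example that is not part of the question or of any answer to it, written in Python rather than PHP so the two versions can be run side by side. `delete_vulnerable` is the pattern from the post (ownership check only, triggered by a GET); `delete_hardened` refuses GET and requires a synchronizer token bound to the session, accepted either from a hidden form field or from an `X-CSRFToken` header, which is the same shape of check the Django and Rails AJAX questions above run into. `Request`, `make_world`, the session id `sess-alice` and the item table are constructed for the example and are not from the question.

```python
import hmac
import secrets


def make_world():
    """Constructed in-memory state for the example: a session store and an
    item table mapping item id -> owner. A real app would use its session
    backend and database instead."""
    sessions = {"sess-alice": {"user": "alice"}}
    items = {3: "alice", 4: "bob"}
    return sessions, items


class Request:
    """Hypothetical stand-in for an HTTP request; only the fields the
    handlers below need."""

    def __init__(self, method, session_id, query=None, form=None, headers=None):
        self.method = method          # "GET" or "POST"
        self.session_id = session_id  # value of the session cookie the browser sent
        self.query = query or {}      # parsed query string
        self.form = form or {}        # parsed POST body
        self.headers = headers or {}  # e.g. {"X-CSRFToken": ...} for AJAX calls


def delete_vulnerable(sessions, items, req):
    """The pattern from the question: an ownership check only, reachable by GET.
    Any page that makes the victim's browser fetch delete.php?id=3 (an <img>,
    a link, a redirect) rides the victim's session cookie and the item is gone."""
    user = sessions.get(req.session_id, {}).get("user")
    item_id = int(req.query.get("id", 0))
    if user and items.get(item_id) == user:
        del items[item_id]
        return 200
    return 403


def issue_csrf_token(sessions, session_id):
    """Synchronizer token: a random per-session value stored server-side and
    rendered into the page as a hidden form field (or exposed to the site's
    own JavaScript, which copies it into a request header)."""
    token = secrets.token_urlsafe(32)
    sessions[session_id]["csrf_token"] = token
    return token


def delete_hardened(sessions, items, req):
    """State change only on POST, only with a live session, only when the
    submitted token matches the one bound to that session."""
    if req.method != "POST":
        return 405                     # a GET can never delete anything
    session = sessions.get(req.session_id)
    if session is None:
        return 401
    expected = session.get("csrf_token")
    # accept the token from a form field (HTML form) or a header (AJAX call)
    supplied = req.form.get("csrf_token") or req.headers.get("X-CSRFToken") or ""
    # constant-time compare; the attacker's page cannot read the victim's token
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    item_id = int(req.form.get("id", 0))
    if items.get(item_id) != session["user"]:
        return 403
    del items[item_id]
    return 200
```

The point the question is circling is that the session cookie is sent by the browser automatically, so it proves nothing about which page built the request; the token is something the attacker's origin cannot read, so its presence does. Django's CSRF middleware and Rails' `protect_from_forgery` apply the same rule, comparing a per-session token against either a form field or a request header, which is why the AJAX calls in the earlier questions are rejected until the token is sent along.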

cURL: two separate requests, same session

大憨熊 submitted on 2019-12-24 09:13:51
Question: I have a script that downloads and displays a web page from an external site. The site generates a one-time token and stores it in a hidden form field, and puts the same token in the cookie it sends to the user. In my first cURL request, I store the cookie: $url = 'http://www.example.com/form.php'; $host = parse_url($url, PHP_URL_HOST); $referer = 'http://' . $host; $ip_address = $_SERVER['REMOTE_ADDR']; // Give the user a unique cookie file for each request $cookie_file = 'cookies/' . sha1(

Unregistered action (via custom module) leads to XSRF Attack Detected error

删除回忆录丶 submitted on 2019-12-24 07:59:35
Question: In SugarCRM 8.0.1, I am trying to make a new, unregistered action work. The action is a form and has been added to my custom module. I am trying to reach it from itself in the following manner, so that on form submission the form data is sent back to itself (i.e. the action link leads back to the same page the form is on): <form method="POST" name="ConfigureSettings" action="#bwc/index.php?module=CustomModule&action=newAction"> Based on SugarCRM Support's Troubleshooting Cross-Site Forgery

Rails post can't verify CSRF token authenticity

假如想象 submitted on 2019-12-24 00:35:26
Question: I've checked this: WARNING: Can't verify CSRF token authenticity rails, but I still can't figure out why it causes this error. Here is my ajax: $.post( "<%= ajax_chats_path %>", {timestamp :(new Date()).getTime(),msg: $('#msg').val()}, function (json) { console.log(json); }); If I add skip_before_action :verify_authenticity_token in the controller, it solves the problem. I am not sure it's the right way to do it, because it looks like it may be exposed to some security attack. Answer 1: You're missing

Apache OpenMeetings 4.0.4 CSRF attack when using apache2 as proxypass

狂风中的少年 submitted on 2019-12-24 00:33:08
Question: I've got Apache OpenMeetings 4.0.4 with Apache/2.2.22 as proxy. In OM's conf/red5.properties I've got http.port=8080 I want to do two things: Redirect HTTP (80) -> HTTPS (443) Redirect HTTP (8080) to HTTPS (443) My /etc/apache2/sites-avilable/default conf is: <VirtualHost *:80> ServerName domain.test-test.eu ServerAlias domain.test-test.eu RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} </VirtualHost> <VirtualHost *:8080> ServerName domain.test

How to set CSRF token in angular page - OWASP CSRFGuard 3.0

☆樱花仙子☆ submitted on 2019-12-23 21:13:06
Question: I have used Spring MVC to build my RESTful services: http://localhost:8088/SpringRestCSRF/rest/rest/greeting I am using OWASP CSRFGuard 3.0 to protect these RESTful services from CSRF. When accessing the same REST service using a simple HTML AJAX request, the CSRF token gets set and I get the response. The code below works fine. <!DOCTYPE html> <html> <head> <title>REST Service with CSRF Protection</title> <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery

A brief look at CSRF attack methods (浅谈CSRF攻击方式)

一个人想着一个人 submitted on 2019-12-23 17:55:24
1. What is CSRF? CSRF (Cross-site request forgery), in Chinese 跨站请求伪造, is also known as a one click attack or session riding and is abbreviated CSRF/XSRF. 2. What can CSRF do? You can think of a CSRF attack this way: the attacker hijacks your identity and sends malicious requests in your name. Things CSRF can do include sending email and messages in your name, taking over your account, even buying goods or transferring virtual currency... The resulting harm includes leakage of personal privacy and loss of property. 3. The state of CSRF vulnerabilities: CSRF as an attack technique was described by security researchers abroad as early as 2000, but in China it only began to receive attention in 2006. In 2008 several large communities and interactive sites at home and abroad disclosed CSRF vulnerabilities, for example NYTimes.com (The New York Times), Metafilter (a large blog site), YouTube and Baidu Hi... Even today many sites on the Internet remain completely unprotected against it, to the point that the security industry calls CSRF the "sleeping giant". 4. How CSRF works: The figure below gives a simple illustration of the idea behind a CSRF attack. [figure omitted] As the figure shows, for a CSRF attack to succeed the victim must complete two steps in order: 1. Log in to trusted site A, so that a cookie is created locally. 2. Without logging out of A, visit malicious site B. Having read this far, you may say: "If I fail to meet either of the two conditions above

Django CSRF for both HTTP and HTTPS

不打扰是莪最后的温柔 submitted on 2019-12-23 17:54:34
Question: I have a blog that runs behind both HTTP and HTTPS and am running into issues with the CSRF token verification. The CSRF token is available in each form as it should be, but when I'm on the HTTP version of the site and try to submit a comment I get the following error. Forbidden (403) CSRF verification failed. Request aborted. Referer checking failed - http://mysite.com/blog/1/ does not match https://mysite.com/. It works fine when viewing the blog via HTTPS. Anyone know how to get the
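
The check behind that error message, as an added stand-alone example that is not Django's code or part of the question: for a request that arrives over HTTPS, Django's CSRF middleware compares the `Referer` against `https://<host>/` on scheme, host and port (newer versions look at `Origin` first). A page served over plain HTTP whose form posts to HTTPS, or whose request is marked secure because a proxy in front terminates TLS, sends an `http://` Referer, so the scheme differs and the request is rejected with exactly the message above; the token itself is a separate check and is not shown here. The function names, the `trusted_origins` parameter and the sample hosts are assumptions of the example.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port.
    Returns None for anything that is not an absolute http(s) URL, including
    the literal 'null' Origin a browser sends from sandboxed or opaque contexts."""
    p = urlparse(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    return (p.scheme, p.hostname.lower(), p.port or DEFAULT_PORTS[p.scheme])


def check_csrf_origin(is_secure, host, origin=None, referer=None, trusted_origins=()):
    """Return (ok, reason) for a state-changing request.

    Modelled on the strict check applied to HTTPS requests: the request must
    come from https://<host>/ itself (scheme, host and port all equal) or from
    an explicitly trusted origin. Origin is checked when the browser sent it,
    Referer otherwise. Plain-HTTP requests skip this check and rely on the
    token comparison alone.
    """
    if not is_secure:
        return True, "plain HTTP: only the token is checked"
    good = origin_of("https://%s/" % host)
    if good is None:
        return False, "request host is malformed: %r" % host
    allowed = {good} | ({origin_of(o) for o in trusted_origins} - {None})
    # prefer Origin (set by modern browsers on POST), fall back to Referer
    label, source = ("Origin", origin) if origin is not None else ("Referer", referer)
    if not source:
        return False, "%s header missing" % label
    actual = origin_of(source)
    if actual is None:
        return False, "%s header malformed: %r" % (label, source)
    if actual in allowed:
        return True, "ok"
    return False, "%s checking failed - %s does not match https://%s/." % (label, source, host)
```

Running it with the values from the question reproduces the rejection: `check_csrf_origin(True, "mysite.com", referer="http://mysite.com/blog/1/")` fails on the scheme mismatch while the same path under `https://` passes. The practical consequence is that every page that renders a form posting to an HTTPS endpoint has to be served over HTTPS too (and a TLS-terminating proxy has to tell the app which scheme the client really used), otherwise the same-origin comparison can never succeed.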