csrf

POST request done with Authenticity Token, but exception still raised

你离开我真会死。 Submitted on 2019-12-23 04:04:04
Question: My controller is responding to a js GET request, and in my js.erb file I am reporting back with the Fingerprint2-generated browser data of the user's browser. This is done with a POST request, because of the large data string, so I have inserted a beforeSend method that adds the Authenticity Token. However, this is rejected with ActionController::InvalidAuthenticityToken - ActionController::InvalidAuthenticityToken . When I check, the header looks like it does in the GET requests that succeed:

Symfony2 The CSRF token is invalid. Please try to resubmit the form

梦想的初衷 Submitted on 2019-12-23 02:53:21
Question: I have a form that keeps getting the "The CSRF token is invalid. Please try to resubmit the form." I have been unable to find the cause. I know it is something simple. Any help would be appreciated. In the controller I have this: public function settingsAction() { $request = $this->getRequest(); /* @var $user User */ $user = $this->get('security.context')->getToken(); $settingsForm = $this->createForm(new SettingsFormType(), array($user)); $billingForm = $this->createForm(new BillingFormType(

Django - 403 Forbidden. CSRF token missing or incorrect

痞子三分冷 Submitted on 2019-12-23 02:39:39
Question: I try to add a ModelForm for my model, but every POST attempt ends with "403 Forbidden. CSRF verification failed. Request aborted. Reason given for failure: CSRF token missing or incorrect". I have no render_to_response() method, so I can't fix this problem by adding RequestContext. Here's my model: from django.db import models from django.forms import ModelForm . . . class Text(models.Model): title = models.CharField(max_length=200) content = models.TextField() def __str__(self): return self

Web Security: Defenses against CSRF Attacks

折月煮酒 Submitted on 2019-12-23 02:15:27
Web Security: Defenses against CSRF Attacks. What is CSRF? Cross Site Request Forgery. Once the user has logged in to the target site, a CSRF attacker lures the user into visiting an attack page and, exploiting the target site's trust in the user, has that page send the target site requests that forge user actions under the user's identity, thereby achieving the attack's goal. An example. Simple version: suppose cnblogs had a GET endpoint for following a blogger, where the blogUserGuid parameter is obviously the id of the user being followed, like this: http://www.cnblogs.com/mvc/Follow/FollowBlogger.aspx?blogUserGuid=4e8c33d0-77fe-df11-ac81-842b2b196315 Then all I would need to do is put an img tag into the body of one of my blog posts: <img style="width:0;" src="http://www.cnblogs.com/mvc/Follow/FollowBlogger.aspx?blogUserGuid=4e8c33d0-77fe-df11-ac81-842b2b196315" /> and anyone who opens that post automatically follows me. Upgraded version: suppose cnblogs still has a follow endpoint, but it has been restricted to only accept data from POST requests. In that case a third-party page is built that contains form-submission code, spread via QQ, email and other social tools to lure users into opening it; any user who has logged in to cnblogs is then hit

Django on Apache with mod_wsgi CSRF Verification Failed

匆匆过客 Submitted on 2019-12-23 02:04:22
Question: I have a Django site on Apache with mod_wsgi. At first the admin page would return a 500 error; it started working after restarting Apache and such. But now when I go to log in I get a 403 with this message: CSRF verification failed. Request aborted. You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties. If you have configured your browser to

CSRF issue while sending POST request from Angular 2 to Spring-backed Java app

人走茶凉 Submitted on 2019-12-23 01:36:17
Question: I have a UI written with Angular 2 and a Java-based backend that uses OpenID Connect authentication on top of Spring Security . The authentication works fine, but only for GET requests. I'm getting HTTP 403 every time I perform POST, PUT or DELETE methods on a resource: { "status": 403, "message": "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.", } I use HttpClient like this: http.post( '/api/my-resource', JSON.stringify(myObject), new RequestOptions

CSRF and XSS

烈酒焚心 Submitted on 2019-12-23 00:56:30
How a CSRF attack works, step by step: 1. User C opens a browser, visits trusted site A, and enters a username and password to log in to site A; 2. once the user's credentials are verified, site A generates cookie information and returns it to the browser; the user is now logged in to site A and can send requests to site A normally; 3. before logging out of site A, the user opens another tab in the same browser and visits site B; 4. after receiving the user's request, site B returns some attack code and issues a request to access the third-party site A; 5. after receiving this attack code, the browser, following site B's request and without the user's knowledge, sends a request to site A carrying the cookie information. Site A does not know that the request was actually initiated by B, so it processes the request with C's privileges according to user C's cookie, and the malicious code from site B is executed. Defending against CSRF attacks: (1) verify the HTTP Referer field; (2) add a token to the request address and verify it; (3) add a custom attribute in the HTTP header and verify it. Extension: SSRF (Server-Side Request Forgery) is a security vulnerability in which an attacker constructs a request that is issued by the server side. In general, SSRF attacks target internal systems that cannot be reached from the external network (precisely because the request is initiated by the server, it can reach internal systems that are connected to the server but isolated from the external network). SSRF mostly arises because the server provides a function for fetching data from other server applications without filtering or restricting the target address

Login with PHP curl and CSRF token

你说的曾经没有我的故事 Submitted on 2019-12-22 15:53:40
Question: I want to log in from a PHP script to another website, but I always get this reply: 403 Error: CSRF token mismatch I extract the CSRF token from a hidden field on the website, but it seems it is wrong. This is my code: $username = "testuser"; $password = "testpass"; $path = "c:\\test\\"; $url="http://itw.me/login"; $field='_csrf'; $html=file_get_contents( $url ); libxml_use_internal_errors( true ); $dom=new DOMDocument; $dom->validateOnParse=false; $dom->recover=true; $dom->formatOutput=false; $dom-

Login with PHP curl and CSRF token

寵の児 Submitted on 2019-12-22 15:52:03
Question: I want to log in from a PHP script to another website, but I always get this reply: 403 Error: CSRF token mismatch I extract the CSRF token from a hidden field on the website, but it seems it is wrong. This is my code: $username = "testuser"; $password = "testpass"; $path = "c:\\test\\"; $url="http://itw.me/login"; $field='_csrf'; $html=file_get_contents( $url ); libxml_use_internal_errors( true ); $dom=new DOMDocument; $dom->validateOnParse=false; $dom->recover=true; $dom->formatOutput=false; $dom-

Spring Security, Stateless REST service and CSRF

独自空忆成欢 Submitted on 2019-12-22 14:13:14
Question: I have a REST service, built using Java, Spring Boot and Spring Security with Basic Access Authentication. There are no Views, no JSP etc., no 'login', just stateless services which can be called from a React app hosted separately. I've read a variety of documentation about CSRF protection, but can't decide whether I should be using the spring-security CSRF config, or just disabling it? If I disable the CSRF protection I can call the service with curl using my basic auth like this: curl -H