csrf

CSRF token without cookies in PHP

无人久伴 提交于 2019-12-22 13:47:26
问题 I am looking for a way to add a CSRF token to an application I'm making. The caveat is, the application does not currently use cookies or sessions. I would love to find a way to introduce a CSRF token without having to: Introduce state in my application. Use session or cookie ( $_SESSION / $_COOKIE ) storage Is this at all a possibility, or am I stuck creating new state in my application. 回答1: You can, but it's not going to be very secure. Here's an example BUT DO NOT USE THIS, IT IS PROBABLY

Can certain URLs be exempt from CSRF in sails.js?

戏子无情 提交于 2019-12-22 11:17:16
问题 I'm setting up Stripe to work with my sails.js server, and in order to use Stripe's webhooks, I need to disable CSRF for the URLs I provide to Stripe. Is it possible to make certain URLs exempt from CSRF POST requirements in sails.js? The only configuration I can find for CSRF is to turn it on globally, and looking through the source code for the csrf hook (https://github.com/balderdashy/sails/blob/master/lib/hooks/csrf/index.js) it looks like if I try to provide a custom object, it just gets

Is Access-Control-Allow-Origin sufficient in preventing XSRF attacks?

落花浮王杯 提交于 2019-12-22 09:24:51
问题 We're building an app with a Java Spring/Hibernate backend running in JBoss. The frontend is AngularJS. We haven't yet done anything to setup XSRF tokens on the server end. We also don't (not yet anyway) have a requirement to allow other domains access to our web resources. I figured I'd try to see if our site was vulnerable to an XSRF attack so I set up a malicious webapp to post to one of our real app's urls using Angular's $http.post(). I logged in to the real app, then I tried posting

CSRF token missing or incorrect. Django + AngularJS

爱⌒轻易说出口 提交于 2019-12-22 08:03:42
问题 I'm getting CSRF token missing or incorrect error while doing a POST request to a remote django api from my localhost machine. My settings on AngularJS: .config(['$httpProvider', function($httpProvider){ $httpProvider.defaults.xsrfCookieName = 'csrftoken'; $httpProvider.defaults.xsrfHeaderName = 'X-CSRFToken'; }]); but im still getting the CSRF token missing or incorrect error. I check what headers are being sent and apparently angular is not sending HTTP_X_CSRFTOKEN . But I can see that the

Template-less Django + AJAX: Does Django's CSRF token get updated during the course of a browsing session?

女生的网名这么多〃 提交于 2019-12-22 07:54:30
问题 My current setup is AngularJS + Django 1.5 and I have completely thrown away the use of Django's template engine (ie. the backend is pretty much an API server). Since I am not using the csrf_token template tag, Django, in turn, does not set and send the csrftoken cookie in response. As instructed by the official docs, the ensure_csrf_cookie() decorator should be used to force the decorated view to send the csrftoken cookie. I have applied the ensure_csrf_cookie() decorator to the view, which

Template-less Django + AJAX: Does Django's CSRF token get updated during the course of a browsing session?

余生颓废 提交于 2019-12-22 07:53:44
问题 My current setup is AngularJS + Django 1.5 and I have completely thrown away the use of Django's template engine (ie. the backend is pretty much an API server). Since I am not using the csrf_token template tag, Django, in turn, does not set and send the csrftoken cookie in response. As instructed by the official docs, the ensure_csrf_cookie() decorator should be used to force the decorated view to send the csrftoken cookie. I have applied the ensure_csrf_cookie() decorator to the view, which

Template-less Django + AJAX: Does Django's CSRF token get updated during the course of a browsing session?

随声附和 提交于 2019-12-22 07:53:43
问题 My current setup is AngularJS + Django 1.5 and I have completely thrown away the use of Django's template engine (ie. the backend is pretty much an API server). Since I am not using the csrf_token template tag, Django, in turn, does not set and send the csrftoken cookie in response. As instructed by the official docs, the ensure_csrf_cookie() decorator should be used to force the decorated view to send the csrftoken cookie. I have applied the ensure_csrf_cookie() decorator to the view, which

Django 的 CSRF 保护机制

被刻印的时光 ゝ 提交于 2019-12-22 05:10:49
用 django 有多久,我跟 csrf 这个概念打交道就有久了。 每次初始化一个项目时都能看到 django.middleware.csrf.CsrfViewMiddleware 这个中间件 每次在模板里写 form 时都知道要加一个 {% csrf_token %} tag 每次发 ajax POST 请求,都需要加一个 X_CSRFTOKEN 的 header 但是一直我都是知其然而不知其所以然,没有把 csrf 的机制弄清楚。昨天稍微研究了一下,总结如下。 什么是 CSRF CSRF, Cross Site Request Forgery, 跨站点伪造请求。举例来讲,某个恶意的网站上有一个指向你的网站的链接,如果 某个用户已经登录到你的网站上了,那么当这个用户点击这个恶意网站上的那个链接时,就会向你的网站发来一个请求, 你的网站会以为这个请求是用户自己发来的,其实呢,这个请求是那个恶意网站伪造的。 具体的细节及其危害见 wikipedia Django 提供的 CSRF 防护机制 django 第一次响应来自某个客户端的请求时,会在服务器端随机生成一个 token,把这个 token 放在 cookie 里。然后每次 POST 请求都会带上这个 token, 这样就能避免被 CSRF 攻击。 在返回的 HTTP 响应的 cookie 里,django 会为你添加一个

Why is Rails giving me “Can't verify CSRF token authenticity” error?

蓝咒 提交于 2019-12-22 04:35:17
问题 I am getting a "Can't verify CSRF token authenticity" in Rails production. My questions are: Why is it doing this? How can I fix it? Here's my Heroku logs (some values anonymized): 2016-02-13T01:18:54.118956+00:00 heroku[router]: at=info method=POST path="/login" host=[MYURL] request_id=[ID STRING] fwd="FWDIP" dyno=web.1 connect=0ms service=6ms status=422 bytes=1783 2016-02-13T01:18:54.116581+00:00 app[web.1]: Started POST "/login" for [IPADDRESS] at 2016-02-13 01:18:54 +0000 2016-02-13T01:18

CSRFGuard - request token does not match session token

喜你入骨 提交于 2019-12-21 23:21:03
问题 I am trying to incorporate the CSRFGuard library in order to rectify some CSRF vulnerabilties in an application. However after configuring as specified here I am now getting the below messages in the log, when I navigate the application: WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:169.xx.x.xxx, uri:/myapp/MyAction, error:request token does not match session token) Through including the: <script src="/sui/JavaScriptServlet"></script> On my main
订阅 csrf