csrf

One token vs. multiple tokens to prevent CSRF attacks

蹲街弑〆低调 提交于 2019-12-21 05:03:58
问题 I'm using Codeigniter and I want to prevent CSRF attacks attempts that may happen. And to achieve this I add a hidden input tag with a random token to each form I want to protect, and in the same time I keep this token in a session to compare against when begin handling this form data. // set a token to prevent CSRF attacks $csrf_token = md5(uniqid(rand(), true)); $this->session->set_userdata("csrf_token", $csrf_token); And the form will look like this: <form action="path/to/handler/page"

Ruby on Rails Devise Oauth-facebook OmniAuth::Strategies::OAuth2::CallbackError

和自甴很熟 提交于 2019-12-21 04:49:11
问题 Im implementing oauth login with facebook and devise and When returning from accepting the app (the popup) i get the following error: Could not authenticate you from Facebook because "Csrf detected". this is the log: Started GET "/users/auth/facebook/callback" for 127.0.0.1 at 2014-01-23 23:59:58 +0100 ActiveRecord::SchemaMigration Load (0.3ms) SELECT "schema_migrations".* FROM "schema_migrations" (facebook) Callback phase initiated. (facebook) Authentication failure! csrf_detected: OmniAuth:

How to convert a Django HttpResponse to a Django render call

荒凉一梦 提交于 2019-12-21 04:31:21
问题 I have the following code def ajax_login_request(request): try: request.POST[u'login'] dictionary = request.POST except: dictionary = request.GET user = authenticate(username = dictionary[u'login'], password = dictionary[u'password']) if user and user.is_active: login(request, user) result = True else: result = False response = HttpResponse(json.dumps(result), mimetype = u'application/json') return response which is being called via ajax. I'm a noob and this is from an example in a book.

ASP.NET MVC - CSRF on a GET request

僤鯓⒐⒋嵵緔 提交于 2019-12-21 03:42:05
问题 We have a ASP.NET MVC application. All the POST requests (form submits) have been protected from CSRF by using @Html.AntiForgeryToken and ValidateAntiForgeryToken attribute. One of the action methods on a controller is a GET which returns a report to the user (a pdf file with data from database). The signature is: [AcceptVerbs(HttpVerbs.Get)] public ActionResult GetReport() { // get data from db return GetReport(); } Here are the steps I am following to test the CSRF against this operation:

AJAX安全

人走茶凉 提交于 2019-12-21 03:11:33
AJAX 三问 ajax请求真的不安全吗,为什么后端总是让使用普通HTTP请求? ajax请求哪里不安全? 怎样让ajax请求更安全? 目录 常见的web前端安全问题 CSRF简介 CSRF和ajax的关系 XSS简介 XSS和ajax关系 SQL注入 SQL和ajax关系 ajax和HTTP区别 cors 和ajax安全性之间的关系 首先解决问题:ajax真的不安全吗?哪里不安全?如何更安全? 在Web应用中, 客户端输入不可信 是一个基本原则。 如果某个Web应用具备良好的安全性,那么再怎么用“不安全的AJAX”也削弱不了它的安全性,反之如果应用本身存在漏洞,不管用何种技术请求,它都是不安全的。 web常见安全问题: 1.XSS(跨站脚本攻击) -> 伪造会话(基于XSS实现CSRF) ->劫持cookie ->恶意代码执行 2.CSRF(跨站请求伪造) ->伪造用户身份操作 3.SQL注入 CSRF简介 CSRF 冒用用户身份,进行恶意操作 采用cookie来进行用户校验 登录受信任网站A,并在本地生成Cookie 在不登出A的情况下,访问危险网站B 如下图: 一般在(4)处恶意网站(B)的攻击手段如下(必须是指向A的地址,否则无法带上cookie): // 1.譬如在网站内的图片资源中潜入恶意的转账操作 <img src=http://www.bank.example

How to fetch and reuse the CSRF token using Postman Rest Client

折月煮酒 提交于 2019-12-21 03:01:22
问题 I am using Postman Rest client for hitting the rest services. I am getting the following error when I try to execute the rest service from Postman client. HTTP Status 403 - Cross-site request forgery verification failed. Request aborted. It appears that the rest services are secured by the implementation of CSRF token. Does anybody has any idea about how to fetch the CSRF token and reuse it for future requests? 回答1: There are several ways to protect against CSRF in an application. Depending

Is worrying about XSS,CSRF,sql injection, cookie stealing enough to cover web-security?

故事扮演 提交于 2019-12-20 23:20:14
问题 Web applications on uncompromised computers are vulnerable to XSS,CRSF,sql injection attacks and cookie stealing in unsecure wifi environments. To prevent those security issues there are the folowing remedies sql injection: a good datamapper(like linq-to-sql) does not have the risk of sql injection (am i naïeve to believe this?) CSRF: Every form-post is verified with the <%:Html.AntiForgeryToken() %> (this is a token in a asp.net mvc environment that is stored in a cookie and verified on the

How to configure Spring Security to send 'X-CSRF-TOKEN'?

旧街凉风 提交于 2019-12-20 18:45:11
问题 The problem is to get the CSRF tokens working between Spring Security and Angular. Spring Security CSRF Token Interceptor for Angular seems like something that should do the job, but there is no 'X-CSRF-TOKEN' in the HEAD response from the server. My current tiny implementation is available in GitHub (Tag v.1.0 ) and I would appreciate a lot if somebody who knows the topic would have a quick look on the code, the problem should be easy to spot. Based on the documentation, I am under the

FOSUserBundle & REST Api Call: How to use custom FormType?

南楼画角 提交于 2019-12-20 17:36:09
问题 I am using FOSUserBundle on my Symfony2 Website. Now I am working on an API to allow registration over a REST api call. I have overridden the RegistrationController of FOSUserBundle: ApiRegistrationController.php: /** * @Route("/user/", defaults = { "_format" = "json" }, requirements = { "_method" = "POST" }) * */ public function registerAction(Request $request) { [...] $form = $formFactory->createForm(new ApiRegistrationFormType(), $user); [...] } ApiRegistrationFormType.php: /** * @param

How to csrf_token protection in jinja2 template engine?

故事扮演 提交于 2019-12-20 16:30:12
问题 In Django template I used: <form action="/user" method="post">{% csrf_token %} {{ form.as_p|safe }} <input type="submit" value="Submit" /> </form> But error when I change to jinja2 template engine : Encountered unknown tag 'csrf_token' My question: csrf_token protection in jinja2 is required? If required, how to do this? Thanks in advance! 回答1: It seems Jinja2 works differently: Use <input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}"> where in Django templates you use {%
订阅 csrf