csrf

Flask-WTF CSRF validation fails when app moved to docker production environment

独自空忆成欢 submitted on 2019-12-20 03:52:47
Question: I just set up my production environment for the Flask app I've been developing. The stack is: a Windows Server 2012 R2 Hyper-V VM running Ubuntu 14.04 with Docker 1.5, running these containers: mysql 5.6, nginx 1.6.3, uwsgi 2.0.10. So basically I have a static IP set up in Ubuntu, port 80 forwarded to the nginx container, a data volume shared between the nginx and uwsgi containers for a socket file, and finally a link between the mysql container and the uwsgi container for database communication.

Laravel 5: POST without CSRF checking

↘锁芯ラ submitted on 2019-12-19 18:29:54
Question: It seems that Laravel 5 by default applies the CSRF filter to all non-GET requests. This is OK for a form POST, but might be a problem for an API that POSTs, DELETEs etc. Simple question: how can I set up a POST route with no CSRF protection? Answer 1: Go to app/Http/Middleware/VerifyCsrfToken.php and then enter your routes (for which you want to disable the CSRF token) in the $except array. For example: class VerifyCsrfToken extends BaseVerifier { protected $except = [ '/register' ]; } Answer 2: You can exclude

CSRF attacks

喜夏-厌秋 submitted on 2019-12-19 18:27:20
1. What is CSRF? CSRF (Cross-site request forgery), known in Chinese as 跨站请求伪造, is also called one click attack / session riding and is abbreviated CSRF/XSRF. 2. What can CSRF do? You can think of a CSRF attack this way: the attacker steals your identity and sends malicious requests in your name. Things CSRF can do include sending email and messages in your name, stealing your account, and even purchasing goods or transferring virtual currency... The resulting problems include leakage of personal privacy and loss of property. 3. Current state of CSRF vulnerabilities. This attack technique was described by security researchers abroad as early as 2000, but in China it did not receive attention until 2006. In 2008 several large communities and interactive sites at home and abroad were found to have CSRF vulnerabilities, for example NYTimes.com (the New York Times), Metafilter (a large blog site), YouTube and Baidu Hi... Even now, many sites on the internet remain completely unprotected against it, so much so that the security industry calls CSRF the "sleeping giant". 4. How CSRF works. The figure below briefly illustrates the idea behind a CSRF attack. As the figure shows, to complete a CSRF attack the victim must complete two steps in sequence: 1. Log in to trusted site A, generating a cookie locally. 2. Without logging out of A, visit malicious site B. At this point you might say: "If I don't meet one of these two conditions

How long should the lifetime of a CSRF token be?

不问归期 submitted on 2019-12-19 16:33:52
Question: Should I have a short lifetime for my CSRF token, or can I have it last for the length of the session? Answer 1: A CSRF token is not an access token and does not have a lifetime like bearer tokens do. They are generated using session information: csrf_token = HMAC(session_token, application_secret) CSRF adds additional information to your requests that lets the server verify the request comes from an authorized location. It only affects requests where the authorization info is sent automatically by

GET request (no JSON) Can't verify CSRF token authenticity with Devise 3.2.4 on Rails 4.1

爷,独闯天下 submitted on 2019-12-19 10:35:06
Question: All of a sudden I can no longer log in to my app's production environment on Heroku. Or, if I do get in, as soon as I click a new link I get redirected to the login screen, where I start seeing errors if I try to log in again. The logs are as follows (this was in the case of login, redirect back to login and then login again). My application's layout includes csrf_meta_tags: !!! %html %head %title= full_title(yield(:title)) = include_gon(:init => true) = stylesheet_link_tag "application", media:

Django 403 forbidden when sending Post-requests from Angular only when user is logged on

依然范特西╮ submitted on 2019-12-19 10:17:31
Question: I've created a back-end Django application and am currently working on hooking up an Angular front-end that requests data from APIs set up using Django REST framework. I have run into the problem that my logged-in users (logged in on the back-end; being logged in on the front-end doesn't matter) get 403 on all POST requests to the API, which I figure is because of the CSRF protection in Django. I have looked at a thread that tackled this exact problem and have attempted to implement the

CSURF Angular Implementation

三世轮回 submitted on 2019-12-19 09:06:05
Question: I have been trying to do a csurf implementation on a personal project I have been working on. I have been searching Google all over the place to try to figure out how to implement csurf on a form when I am not using a templating engine like Jade or EJS. My Express server is also not directly rendering the pages but is mainly returning JSON. All of my front end is being referenced like so: app.use(express.static(__dirname + '/www')); My server code that is using csurf looks like this

Testing scala Play (2.2.1) controllers with CSRF protection

旧城冷巷雨未停 submitted on 2019-12-19 08:58:57
Question: I've been having some problems testing controllers that use Play's CSRF protection. To demonstrate this, I've created a very simple Play application that minimally exhibits the problem: https://github.com/adamnfish/csrftest The full details are in the README of that repository, but to summarise here: consider a controller that is designed to handle a form submission. It has a GET method that uses CSRFAddToken and a POST method that uses CSRFCheck. The former adds a CSRF token to the request

Rails 3 AJAX request authenticity token ignored

徘徊边缘 submitted on 2019-12-19 06:57:36
Question: Rails seems to be ignoring authenticity tokens for AJAX requests. For instance, I purposely changed my AJAX call to test this with an invalid token, and requests seem to go through normally. The application has the default configuration to use the session cookie store and has the protect_from_forgery call in the ApplicationController. Any ideas what else I could be missing? Answer 1: EDIT >> I posted this answer in a blog post as well: http://zadasnotes.blogspot.com/2010/11/rails-3-forgery-csrf