csrf

AngularJS can't find XSRF-TOKEN cookie

二次信任 submitted on 2019-12-19 04:13:20
Question: I'm using Angular 1.0.4 with an ASP.NET MVC4 + Web API project. I'm trying to leverage Angular's CSRF protection, to no avail. I can see that I'm passing along a cookie named XSRF-TOKEN, but when Angular tries to add the value as a header named X-XSRF-TOKEN in the response, the value appears as undefined. I tried following the advice here, but the HTML has yet to render, so no element is found. What might I be missing? Is the RequestVerificationToken cookie generated by ASP.NET MVC protected

Protection against CSRF and XSS (Hashing + Encrypting)

痞子三分冷 submitted on 2019-12-19 04:11:01
Question: Security. Today, no application can survive the internet if it does not have proper security programmed into it, either by the framework used by the developer or by the developer himself. I am currently developing a RESTful API that works using Bearer token authentication, but I have been reading about XSS and CSRF attacks. Question 1) From what I've read, I see that applications consuming RESTful APIs that use token-based authentication are vulnerable to XSS and not CSRF if the token is stored

How to prevent automated AJAX attacks

不羁的心 submitted on 2019-12-18 13:31:44
Question: How do I prevent a USER from doing automated posts/spam? Here is my way of doing it: a new PHP session for each page request, which has its own limitations (no multi-tabbing). I used a new session for each page as a defense against both CSRF and automated attacks. Let's say we have a forum that uses AJAX to post threads and it is validated by the PHP SESSION. add_answer.php?id=123 <?php if(!is_ajax()){ // function that determines whether the request is from ajax (http header stuff) $_SESSION['token'] = md5(rand());

what is the difference between X-XSRF-TOKEN and X-CSRF-TOKEN?

浪子不回头ぞ submitted on 2019-12-18 13:06:13
Question: When should I use a hidden field, when should I use a header, and why? When do we use X-XSRF-TOKEN? When do we use X-CSRF-TOKEN? Answer 1: When you are submitting your data using AJAX you will need headers for the CSRF token, because AJAX will not send the token along with the data. You can use a hidden field for AJAX requests with the following code: $.ajaxSetup({ headers: { 'X-CSRF-Token': $('input[name="_token"]').val() } }); but you will have to add a hidden field for every AJAX request. The difference between the X-CSRF-TOKEN and
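As an added illustration of the answer above (example code written for this page, not taken from the original post, Angular or jQuery): the server-side half of the pattern, a double-submit check that accepts the token from either header name or from the hidden `_token` field and compares it with the XSRF-TOKEN cookie. The cookie, header and field names are the ones named in the question; everything else (the function names, the request values) is constructed for the example.

```python
import hmac
import secrets

# Names used by the two conventions in the question: Angular's cookie-to-header
# pair (XSRF-TOKEN / X-XSRF-TOKEN) and the X-CSRF-TOKEN header that the jQuery
# snippet copies out of a hidden "_token" input. Everything else is constructed.
COOKIE_NAME = "XSRF-TOKEN"
HEADER_NAMES = ("X-XSRF-TOKEN", "X-CSRF-TOKEN")
FORM_FIELD = "_token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_token():
    """Value the server puts in the XSRF-TOKEN cookie. It must stay readable by
    script on the same origin (so not HttpOnly); otherwise the client cannot
    copy it into the header and the header ends up missing or 'undefined'."""
    return secrets.token_urlsafe(32)


def submitted_token(headers, form):
    """Token the client sent back: a header for AJAX calls, the hidden field
    for a classic form post. Header names are matched case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in HEADER_NAMES:
        value = lowered.get(name.lower())
        if value:
            return value
    return form.get(FORM_FIELD)


def csrf_ok(method, cookies, headers, form):
    """Double-submit check. A cross-site page can make the browser attach the
    cookie, but the same-origin policy stops it from reading the cookie to copy
    the value into a header or field, so equality shows the request came from
    the site's own script or form."""
    if method.upper() in SAFE_METHODS:
        return True  # only state-changing methods are checked
    cookie_token = cookies.get(COOKIE_NAME)
    sent = submitted_token(headers, form)
    if not cookie_token or not sent:
        return False
    # Constant-time compare; a header carrying the literal string "undefined"
    # (the symptom in the AngularJS question above) fails here, as it should.
    return hmac.compare_digest(cookie_token.encode(), sent.encode())
```

The header path and the hidden-field path are equivalent from the server's point of view; the choice is about how the client can get the value into the request, which is what the answer above is describing.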

Why not use session ID as XSRF token?

耗尽温柔 submitted on 2019-12-18 12:55:18
Question: Why does Play Framework use [a signed version of the session id] as the Cross Site Request Forgery (XSRF/CSRF) prevention token, rather than the session ID itself? (By XSRF prevention token, I mean a magic value that must be included in a form submission for the webapp to accept the form.) If there's an eavesdropper s/he'll find both the XSRF token and the SID cookie anyway (?). If there's an XSS exploit, then the malicious JavaScript code can read both the XSRF token and the SID cookie (?).
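As an added example of the approach the question asks about (illustrative code for this page, not Play's implementation): the token is an HMAC of the session id under a server-side secret, so it is bound to one session but, unlike the raw session id, a copy of it does not double as a session credential. The secret value and function names are constructed for the example.

```python
import hashlib
import hmac

# Application secret; a constructed placeholder standing in for the app's real
# secret key, which must never reach the browser.
APP_SECRET = b"constructed-example-secret-do-not-reuse"


def xsrf_token_for(session_id, secret=APP_SECRET):
    """Derive the anti-forgery token from the session id with HMAC-SHA256.
    Bound: the token only verifies against the session it was issued for.
    One-way: a leaked token (a form copied into a bug report, a log line,
    a URL) does not hand over the session id, because going from token to
    session id needs the secret. Rotating the secret invalidates every
    outstanding token at once without touching the sessions themselves."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_xsrf(session_id, token, secret=APP_SECRET):
    """Recompute from the session the request actually carries and compare
    in constant time; the token is never trusted on its own."""
    expected = xsrf_token_for(session_id, secret)
    return hmac.compare_digest(expected.encode(), token.encode())


def token_reveals_session(session_id, token):
    """The property that using the session id itself as the token would lose:
    with a derived token, the token value is not the session id."""
    return token == session_id
```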

access laravel app from android app with csrf token

江枫思渺然 submitted on 2019-12-18 12:34:14
Question: I am learning the Laravel framework; I have installed version 5.0. I use it for a JSON API service which will give JSON output after calling a certain route. It works very well if I request the URL from a browser, but when I try to access it from my Android app it gives a file not found exception error (java.io.FileNotFoundException). After checking the log I found that Laravel has a Token Mismatch Exception error. Laravel needs a CSRF token to access its resources. I have the option to disable that

How does this Man-In-The-Middle attack work?

删除回忆录丶 submitted on 2019-12-18 12:14:19
Question: The Django documentation on its CSRF protection states that: In addition, for HTTPS requests, strict referer checking is done by CsrfViewMiddleware. This is necessary to address a Man-In-The-Middle attack that is possible under HTTPS when using a session independent nonce, due to the fact that HTTP 'Set-Cookie' headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is
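An added walk-through of the attack the quoted note describes and of the check that stops it (example code for this page, not Django's CsrfViewMiddleware): a network attacker who can answer a plain http:// request for the site's domain sets a cookie the browser will also send to the https:// site, then auto-submits a form carrying the same value, so a session-independent double-submit check passes. A strict Referer check on HTTPS requests rejects it because the forged request's Referer is an http:// origin or absent. The cookie and form field names are Django's defaults; the host, request dictionaries and function names are constructed.

```python
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Django's default cookie and hidden-field names for the session-independent nonce.
COOKIE = "csrftoken"
FIELD = "csrfmiddlewaretoken"


def referer_ok(request_host, is_secure, referer):
    """Strict Referer check applied only to HTTPS requests. On plain HTTP the
    header is skipped, because proxies and privacy settings strip it too often
    to rely on. On HTTPS it must be present and name this same https origin:
    an attacker can plant a cookie from an http:// page, but cannot make the
    browser send an https://<this host> Referer from that page."""
    if not is_secure:
        return True
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.netloc == request_host


def csrf_accepts(request, check_referer=True):
    """Double-submit nonce check (cookie must equal the form field), then the
    Referer check. `request` is a constructed dict standing in for a framework
    request object; check_referer=False shows what the nonce alone catches."""
    if request["method"] in SAFE_METHODS:
        return True
    cookie = request["cookies"].get(COOKIE, "")
    field = request["form"].get(FIELD, "")
    if not cookie or not hmac.compare_digest(cookie.encode(), field.encode()):
        return False
    if not check_referer:
        return True
    return referer_ok(request["host"], request["secure"],
                      request["headers"].get("Referer"))


def legitimate_post(token):
    """A browser submitting the site's own form over HTTPS (constructed)."""
    return {"method": "POST", "host": "bank.example", "secure": True,
            "cookies": {COOKIE: token},
            "form": {FIELD: token, "amount": "10"},
            "headers": {"Referer": "https://bank.example/transfer"}}


def mitm_forged_post(planted="attacker-chosen-token", referer="http://bank.example/planted"):
    """The attack from the note: the attacker answers an http://bank.example
    request with Set-Cookie, and the browser later sends that cookie to
    https://bank.example too, since cookies are not scoped by scheme. The
    attacker's http page auto-submits a form with the same value, so
    cookie == field and the nonce check passes. The Referer, though, is the
    http:// page, or nothing at all if the attacker suppresses it."""
    headers = {"Referer": referer} if referer else {}
    return {"method": "POST", "host": "bank.example", "secure": True,
            "cookies": {COOKIE: planted},
            "form": {FIELD: planted, "amount": "100000"},
            "headers": headers}
```

With `check_referer=False` the forged request is accepted, which is exactly the gap the note says the Referer check exists to close; the check adds nothing against an attacker who can already make the browser send an https://bank.example Referer, which is why it is paired with the nonce rather than replacing it.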

Could not verify the provided CSRF token because your session was not found in spring security

こ雲淡風輕ζ submitted on 2019-12-18 12:05:07
Question: I am using Spring Security along with Java config: @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/api/*").hasRole("ADMIN") .and() .addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class) .exceptionHandling() .authenticationEntryPoint(restAuthenticationEntryPoint) .and() .formLogin() .successHandler(authenticationSuccessHandler) .failureHandler(new SimpleUrlAuthenticationFailureHandler()); I am using Postman

Can't create CSRF token with Spring Security

这一生的挚爱 submitted on 2019-12-18 11:57:22
Question: I am using Spring Security 3.2.3 in my Spring MVC application and getting some unexpected behavior. According to the documentation here, it should be possible to use ${_csrf.token} in the meta tags of my HTML: <meta name="_csrf" content="${_csrf.token}" /> <!-- default header name is X-CSRF-TOKEN --> <meta name="_csrf_header" content="${_csrf.headerName}" /> From there I extract the value of "content" using jQuery and place it into the request header using AJAX. For some reason, though, Spring