csrf

InvalidAuthenticityToken in Devise::SessionsController#destroy (sign out after already having signed out)

限于喜欢 submitted on 2019-12-18 11:57:00
Question: I am using Devise 3.2.0 for authentication and found an issue when I do the following:
tab 1: sign in to app
tab 2: go to any page in the app
tab 2: sign out (success)
tab 1: sign out (failure - see exception below)
Exception raised: ActionController::InvalidAuthenticityToken in Devise::SessionsController#destroy
In the development log I see: Can't verify CSRF token authenticity
And the top three lines of the stack trace are: ActionController::InvalidAuthenticityToken (ActionController:

How to use Zend Framework Form Hash (token) with AJAX

人走茶凉 submitted on 2019-12-18 11:07:30
Question: I have included Zend_Form_Element_Hash in a multiple-checkbox form. I have jQuery set to fire off an AJAX request when a checkbox is clicked, and I pass the token with this AJAX request. The first AJAX request works great, but the subsequent ones fail. I suspect it may be that once the token has been validated it is then removed from the session (hop = 1). What would be your plan of attack for securing a form with Zend Framework Hash yet using AJAX to complete some of these requests?
Answer 1: I

CSRF token mismatch in post request in 3.6 version

自作多情 submitted on 2019-12-18 06:51:32
Question: I have two different CakePHP apps. One has version 3.5 and the other 3.6. When I used and built the 3.5 app I did not have a problem with CSRF matching in post requests. But now that I am using 3.6 it is giving me a CSRF token error, although in both apps' AppController the CSRF component is disabled:
//$this->loadComponent('Csrf');
I am using a simple post request like this:
$.ajax({ type: "POST", url: "../user/my_action", dataType: 'json', success: function (data) { set_data(data.response); } });
What

Laravel enable csrf protection on api middleware

こ雲淡風輕ζ submitted on 2019-12-18 05:56:12
Question: I'm working on Laravel 5.4 and my routes are in the api middleware. I see that I need to transfer my routes to the web middleware, but I need them to be on the api middleware since I'm creating a RESTful API. Any suggestions on how I could use CSRF with the api middleware?
Answer 1: CSRF protection prevents attacks using a previously authenticated user (normally setting a state using a session) https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). A RESTful API does not have state https://en

Express CSRF token validation

谁都会走 submitted on 2019-12-18 04:52:56
Question: I'm having issues with CSRF tokens. When I submit a form, a new XSRF-TOKEN is being generated, but I think I'm generating two different tokens; I'm kinda confused. There's also a token called _csrf, so I see two different cookies in developer tools (XSRF-TOKEN and _csrf); _csrf doesn't change after a post. What I want to do is to generate a new token for each post request and check whether it's valid or not. One thing I know is that I should do it for security, but I'm stuck. It has been a long

Laravel 4: Prevent multiple form submissions - CSRF Token

旧城冷巷雨未停 submitted on 2019-12-18 03:01:26
Question: Problem scenario: I'm creating a blog with Laravel 4. The form that's responsible for the creation of new blog posts is secured by the built-in CSRF protection (Laravel Docs: CSRF Protection). Everything works fine so far, but it seems that Laravel does not refresh the CSRF token on every request. The problem that occurs is that if the user hits the back button of the browser to return to the submitted form, the entered data persists and the user is able to "re-submit" the form. This might

Stealing your token through login authorization

别来无恙 submitted on 2019-12-18 02:01:38
In mid-2018, Linode's HackerOne bug bounty program caught my attention: it was very active and very well run, yet many vulnerability details had not been published. I hoped to find a vulnerability and be able to disclose the details of one publicly. Linode is a VPS provider, and a VPS bought by a user resolves to <id>.members.linode.com. That gave me an idea, because it essentially means we fully control a subdomain of linode.com and can run any server-side scripting language on it.
Understanding Linode's authentication
Linode exposes four main web applications:
https://manager.linode.com, the classic Linode site
https://linode.com/community, the community portal
https://login.linode.com, the OAuth server
https://cloud.linode.com, the new Linode site
With full control of a subdomain we can read any cookie associated with .linode.com (cookies set on the wildcard domain). I started with the session/CSRF cookies of https://manager.linode.com, but all of those cookies were correctly scoped to manager.linode.com only, so I moved on to the other application, https://linode.com/community

Why Same-origin policy isn't enough to prevent CSRF attacks?

柔情痞子 submitted on 2019-12-17 21:46:27
Question: First of all, I assume a backend that controls inputs to prevent XSS vulnerabilities. In this answer @Les Hazlewood explains how to protect the JWT on the client side. Assuming 100% TLS for all communication - both during and at all times after login - authenticating with username/password via basic authentication and receiving a JWT in exchange is a valid use case. This is almost exactly how one of OAuth 2's flows ('password grant') works. [...] You just set the Authorization header:

CSRF token missing or invalid Django

浪尽此生 submitted on 2019-12-17 21:16:07
Question: I've run into this issue before and solved it, but this just popped up totally randomly (or so it seems). I've just come back to my Django project after a little while away from it... when logging in I forgot my web username and it gave me the appropriate error message "Sorry, that's not a valid username or password". So to solve this I created a new superuser (since I had also forgotten my admin username) so I could check what my web username was. I did that successfully, but now when I try to

How do I provide more security for checking source of the request

走远了吗. submitted on 2019-12-17 19:49:26
Question: I am developing a PHP web application, and I want to provide more security to the application so that no one can easily break the functionality. Brief explanation of my problem: in one module there is one stage where I am checking the source of the request (where this request is coming from). Currently, I am using the HTTP_REFERRER variable (available in PHP). I am checking this variable's value against one specific URL (e.g. http://www.example.com/test.php). If an exact match exists then only I am