csrf

Running jasperserver behind nginx: Potential CSRF attack

我只是一个虾纸丫 submitted on 2019-12-10 02:06:15
Question: We are using nginx for https traffic offloading, proxying to a locally installed jasperserver (5.2) running on port 8080.
internet ---(https/443)---> nginx ---(http/8080)---> tomcat/jasperserver
When accessing the jasperserver directly on its port everything is fine. When accessing the service through nginx some functionalities are broken (e.g. editing a user in the jasperserver UI) and the jasperserver log has entries like this:
CSRFGuard: potential cross-site request forgery (CSRF) attack

In what case can CSRF-exempt be dangerous?

白昼怎懂夜的黑 submitted on 2019-12-10 01:56:51
Question: This question is more a re-insurance than one directly about how to code. As an autodidact I did not have a lot of possibilities to ask professionals such things, so I try here. I have read the documents in the django-docs ( https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/ ) and some info on that page: http://cwe.mitre.org/top25/#CWE-352 As far as I have understood, django delivers a token (some kind of pin-code) to a user. And to verify it really is him, he has to return it the next

Forbidden (CSRF token missing or incorrect.):

那年仲夏 submitted on 2019-12-10 01:43:22
CSRF token invalid or missing; the Ajax request page reports an error (403 Forbidden). The csrftoken exists, and the page response is "CSRF verification failed, request aborted". After testing, the error is not caused by leaving {% csrf_token %} out of the form [tried]. Flushing the DNS cache still did not solve the problem.
Solution: checked 'django.middleware.csrf.CsrfViewMiddleware' in the settings configuration; cleared cookies in the browser's privacy settings [no effect]; flushed DNS [no effect].
Final solution: add an Ajax setup call before the JS is included. There used to be such a setup call, but it inexplicably stopped working:
<script>
  $.ajaxSetup({
    data: {csrfmiddlewaretoken: '{{ csrf_token }}'}
  })
</script>
Source: https://www.cnblogs.com/hqc-for-s/p/12013193.html

Gets error “Cannot get CSRF” when trying to install jenkins-plugin using ANSIBLE

冷暖自知 submitted on 2019-12-09 18:58:39
Question: I am using ANSIBLE to install jenkins on CENTOS. The installation works fine but when it comes to the task of installing plugin, I get the following error.
fatal: [jenkins]: FAILED! => {"changed": false, "details": "Request failed: <urlopen error [Errno 111] Connection refused>", "failed": true, "msg": "Cannot get CSRF"}
The code is as follows.
- name: Install jenkins
  rpm_key:
    state: present
    key: https://pkg.jenkins.io/redhat-stable/jenkins.io.key
- name: Add Repository for jenkins
  yum

CSRF safe Custom button linked to Apex method

跟風遠走 submitted on 2019-12-09 17:01:03
Question: I'm looking for a technique to execute Apex code from a custom button added to the Opportunity object in a way that protects the user against CSRF. The current approach being used comes from the question - Custom Button or Link to a Visualforce page with a custom controller. Essentially: There is an Opportunity Custom Button with the Content Source set to "Visualforce Page". The Content for this button is set to a Visualforce page that uses Opportunity for the standardController, has an

ASP.NET MVC HTML.AntiForgeryToken() with multiple AJAX requests from one page

ⅰ亾dé卋堺 submitted on 2019-12-09 16:57:59
Question: I'm creating a page that makes multiple AJAX form posts without a page refresh. I would like to use the ASP.NET MVC HTML.AntiForgeryToken() helper to secure the form against CSRF attacks. I think that each form on the page can share the same token, but will it allow multiple requests with the same token? If not is there a way to get a new token or some other way to secure the forms?
Answer 1: You can share the same token. Of course, as a general rule, it's highly recommended to wrap your Ajax

Calling Horizon's interfaces from JavaScript

扶醉桌前 submitted on 2019-12-09 16:54:44
# Calling Horizon's interfaces from JavaScript
This article mainly solves the following three problems: make horizon support cross-origin requests (CORS); completely turn off horizon's CSRF protection; support reading and setting the horizon session_id from headers.
## Environment
horizon version: juno
django version: 1.6.11
## horizon settings
Install django-cors-headers:
pip install django-cors-headers
Configure django-cors-headers in setting.py:
INSTALLED_APPS = [
    [...]
    'corsheaders',
]
# CorsMiddleware must be placed first
# Comment out the CsrfViewMiddleware middleware. This is not the end of it, because some views carry the @csrf_protect decorator; the steps below remove that decorator.
# Comment out django.contrib.sessions.middleware.SessionMiddleware and use horizon.middleware.SessionMiddleware instead; the code for horizon.middleware.SessionMiddleware is given below.
MIDDLEWARE_CLASSES = (
    'corsheaders.middleware

POST method always return 403 Forbidden

心已入冬 submitted on 2019-12-09 14:36:44
Question: I have read Django - CSRF verification failed and several questions (and answers) related to django and POST method. One of the best-but-not-working-for-me answer is https://stackoverflow.com/a/4707639/755319 All of the approved answers suggest at least 3 things: Use RequestContext as the third parameter of render_to_response_call Add {% csrf_token %} in every form with POST method Check the MIDDLEWARE_CLASSES in settings.py I've done exactly as suggested, but the error still appeared. I use

Rails 3 protect_from_forgery not working correctly?

青春壹個敷衍的年華 submitted on 2019-12-09 13:29:59
Question: I am using Rails 3.0.2 which has protect_from_forgery by default in application_controller.rb. I wanted to trigger an InvalidAuthenticityToken . To do this I have added this javascript to my page:
$('input[name=authenticity_token]').val('aaa')
Checking the DOM with Firebug I see the authenticity_token hidden field is correctly updated. If I submit the form and check the log from the server I see the relative parameter is correctly set to 'aaa'. I would expect to get a InvalidAuthenticityToken

Symfony 2 - Delete Forms and CSRF Token

僤鯓⒐⒋嵵緔 submitted on 2019-12-09 11:17:19
Question: I have a List of entries coming from a database. I would like to have a "Delete-Button" at the end of every row, so that the user won't have to first go to the edit/show page to delete the entry. I tried creating a hidden input field with the csrf token like so:
return $this->createFormBuilder()
    ->getForm()
;
this will output:
<div id="form">
    <input type="hidden" id="form__token" name="form[_token]" value="6c98ebfa9df07.....">
</div>
The rest of the Form I put around in the twig template so