csrf

Add CSRF token to all the FORM submissions

纵饮孤独 submitted on 2019-12-08 05:48:20
Question: I recently enabled CSRF protection in my web application. There are around 100+ JSP pages containing FORM submissions. What is the best way to add the CSRF token <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> so that all the form submissions will carry this form data? I don't want to add this parameter to every individual FORM submit. Answer 1: So I've finally found a working solution. Basically I create a custom FormRenderer like this: import com.sun.faces.renderkit

Embed CSRF token into Ember CLI application

試著忘記壹切 submitted on 2019-12-08 05:44:35
Question: I'm designing my new Ember CLI application. I'm going to use Ember Simple Auth for authorisation. And I also need to use CSRF protection. I know how to inject the token into requests. The problem is how to embed the token in the application in the right way. The token is required to be generated on the backend side and embedded into the page. And it should be the same one that the API uses to verify requests. In my case the API and the Ember application would be served by the same web server (most likely

CSRF Token in new Tab and browser Window

ⅰ亾dé卋堺 submitted on 2019-12-08 01:36:27
Question: I have implemented CSRF attack prevention on my nodejs server in the following way - On login the user receives a CSRF token and a cookie (a JWT-based token stored in a cookie). The CSRF token is made a part of all future request headers sent from the client using $.ajaxSetup. Whenever a request is made (GET or POST) by the user, I compare the cookie and the CSRF token (in the header) sent by the client with the ones stored on my server, and the application works fine. However, when a logged-in user

django logout using a link or form to prevent csrf exploit

大兔子大兔子 submitted on 2019-12-08 01:18:04
Question: While reading the djangobook chapter, I came across the section which mentions a CSRF exploit where a logout link was put in a hidden of a malicious site. In a web app I created using django, I had used a similar logout link in base.html: <a href="{% url my_logout %}" > Logout </a> where the my_logout url points to django.contrib.auth.views.logout_then_login: urlpatterns=patterns('django.contrib.auth.views', url(r'^logout/$', 'logout_then_login', {}, name = 'my_logout'), ) Now, after reading about

Double Submit Cookies and multiple tabs?

荒凉一梦 submitted on 2019-12-08 00:23:23
Question: The double-submit cookie mechanism requires the use of cookies. However, cookies are shared across all browser tabs. How do you implement this mechanism without breaking the back button and browser tabs? Meaning: if all tabs use the same cookie to store the CSRF token, every time a new tab is opened it would clobber the cookie value of all older tabs. When the forms in those older tabs are then submitted, they will fail with a token mismatch. On the other hand, if I use a separate cookie per

CSRF validation using Tomcat 6 without using external packages

筅森魡賤 submitted on 2019-12-08 00:21:43
Question: CSRF protection for a JSF based web app and Tomcat6 backend without using any external packages. Kindly help. Answer 1: JSF already has built-in protection against CSRF via the javax.faces.ViewState hidden field, which is linked with the state of the component tree on the server side. If this hidden field is missing or contains a wrong value, then JSF simply won't process the POST request. On JSF 1.x the key is only a bit too easy to guess; see also JSF impl issue 812 and JSF spec issue 869.

Issue in adding Xsrf-Token in an Angular 6

我怕爱的太早我们不能终老 submitted on 2019-12-07 19:19:43
Question: Posting data from the form submit via the API was successful. But after adding X-CSRF-TOKEN to the header and setting withCredentials: true, the data were not posted to the script named insert.php. Error: Failed to load http://localhost/simple_api/insert.php: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost

remote image embeds: how to handle ones that require authentication?

好久不见. submitted on 2019-12-07 17:52:19
Question: I manage a large and active forum and we're being plagued by a very serious problem. We allow users to embed remote images, much like how stackoverflow handles images (imgur); however, we don't have a specific set of hosts, and images can be embedded from any host with the following code: [img]http://randomsource.org/image.png[/img] and this works fine and dandy... except users can embed an image that requires authentication; the image causes a pop-up to appear, and because authentication pop-ups can

Flask-wtf: csrf_token is removed from session before I can POST my form

拈花ヽ惹草 submitted on 2019-12-07 16:10:31
Question: I'm using Flask with Flask-Security (specifically Flask-WTF regarding my CSRF issue) to "ease" the process of registering/logging in users (not easy so far). I'm using BackboneJS on the front-end, therefore I kind of hacked the original way to use Flask-WTF. Indeed, I make an AJAX GET request on /register to get the register page (generated by Flask-Security) and I put the resulting HTML in a modal. render: function () { var self = this; $.ajax({ type: 'GET', url: Config.constants.serverGateway + "

XSRF in a RESTful Application

让人想犯罪 __ submitted on 2019-12-07 15:31:03
Question: I am an ASP.NET developer trying to learn Rails and the RESTful approach. To understand it, I am planning to write an email client, which would make RESTful GET calls to the server to fetch the emails and POST to send an email. What are the best practices (both generic and/or specific to Rails) to be followed so that the above application is not exposing any XSRF vulnerabilities? Answer 1: The Ruby on Rails Security Project has a good post on this. Essentially, Rails 2.0 and above have built-in protection