csrf

How to properly end a user's session?

会有一股神秘感。 Submitted on 2019-12-07 04:14:17
Question: I've been working on the security of my site (PHP) and there's a ton of information to ingest. I've tried to implement security I've researched on OWASP, but one thing I'm a little nervous about, among other things, is how to handle SESSIONS when the user logs out. Currently all I'm using is: session_destroy(); But, I've read that I should change the XSRF token and start another SESSION so it forces the user to resubmit login credentials, in turn explicitly ending the user's SESSION. Is session

Why is Safari causing a Rails CSRF exception where Chrome isn't?

对着背影说爱祢 Submitted on 2019-12-07 04:01:22
Question: I want to create sessions in my Rails 4 application via an AJAX request in an iframe. In the iframe I've included a form for a new session with the attribute remote: true as usual, and included <%= token_tag %> in the form body as well as <%= csrf_meta_tags %> in the head of the layout. Chrome has no problem posting this form and creating a session. Under identical conditions Safari causes a CSRF exception. Why does this happen, and what can I do to stop it? As I understand it, this is not a

Is it ok to use the (cryptographically strong) session cookie as CSRF token?

倾然丶 夕夏残阳落幕 Submitted on 2019-12-07 03:54:04
Question: Reading the OWASP CSRF prevention cheat sheet, one of the methods proposed to prevent this kind of attack is the synchronizer token pattern. If the session token is cryptographically strong, can it double as the CSRF token as described in the following pseudocode? Client: <script> dom.replace(placeholder, getCookie("session-cookie")) </script> <form> <input type="hidden" name="csrf-cookie" value="placeholder-value"/> <input type="text" /> </form> Server: if(request.getParameter("csrf-cookie") !

Add CSRF token to all the FORM submissions

与世无争的帅哥 Submitted on 2019-12-07 02:21:29
I recently enabled CSRF protection in my web application. There are around 100+ JSP pages containing FORM submissions. What is the best way of adding the CSRF token: <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> such that all the form submissions will have this form data? I don't want to add this parameter to every individual FORM submit. So I've finally found a working solution. Basically I create a custom FormRenderer like this: import com.sun.faces.renderkit.html_basic.FormRenderer; import javax.el.ELContext; import javax.el.ExpressionFactory; import javax.faces

GWT & XSRF Protection

拜拜、爱过 Submitted on 2019-12-07 02:06:21
Question: I'm looking at possible solutions to protect my GWT app against XSRF. If I understand GWT's solution correctly, it makes available a Servlet which you use both to generate the token on the client side (when calling your RPC endpoint) and to validate it on the server side (when the call hits your service). Does this solution only cater for RPC calls? Surely we need it to cover all user-generated requests to the server? Any other recommended XSRF solutions (I'm also looking at OWASP's CSRFGuard)?

It seems like I understand CSRF incorrectly?

a 夏天 Submitted on 2019-12-07 01:14:02
Question: After reading many documents regarding CSRF, I'm still a little bit confused. So I hope someone can please explain it to me: Let's say I have a profile page which is for authenticated users only, say abc.com/profile, which shows me all my private info. If I logged in, then go to a "bad" site, can this site somehow get and parse my profile page? (I did a little experiment by opening up the Firebug console on a different site, then requesting my profile page, and it seems like at least I can see

Django on Apache with mod_wsgi CSRF Verification Failed

ぐ巨炮叔叔 Submitted on 2019-12-06 22:51:27
I have a Django site on Apache with mod_wsgi. At first the admin page would return a 500 error, it started working after restarting Apache and such. But now when I go to log in I get a 403 with this message: CSRF verification failed. Request aborted. You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties. If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for 'same-origin' requests. The only

Embed CSRF token into Ember CLI application

廉价感情. Submitted on 2019-12-06 16:47:26
I'm designing my new Ember CLI application. I'm going to use Ember Simple Auth for authorisation. And I also need to use CSRF protection. I know how to inject the token into requests. The problem is how to embed the token into the application in the right way. The token is required to be generated on the backend side and embedded into the page. And it should be the same one that the API uses to verify requests. In my case the API and the Ember application would be served by the same web server (most likely Microsoft IIS, since the API is built with .NET MVC). So the web server should generate the token and

Mixins in Tapestry5

时光毁灭记忆、已成空白 Submitted on 2019-12-06 16:46:03
Question: I'm new to Tapestry5, but because of an internship I need to work with it. Currently I am trying to build a mixin to integrate a CSRF token (explanation here) into any form. Is it even possible to achieve this in a mixin? If yes, could I access functions that the mixin offers from the page? I am really not sure about how mixins really work and I'm having big difficulties finding information about how to create one. Can somebody explain how to create a mixin and whether what I'm trying to do is

Django 11

主宰稳场 Submitted on 2019-12-06 15:33:37
Contents: Feature configuration design; Cross-site request forgery (CSRF); What is CSRF; How CSRF is carried out; How to prevent CSRF; The two CSRF-related decorators; The auth module; Common methods; Extending the fields of the auth_user table

Feature configuration design: implement something like the middleware strings in Django's settings.py, where commenting out one string disables the corresponding feature.

The importlib module  # a module can be imported from a string path in a specific format
import importlib
path_str = 'lib.test'
mod = importlib.import_module(path_str)  # from lib import test

'''
File structure
notify
    __init__.py
    email.py
    msg.py
    wechat.py
settings.py
start.py
'''

# __init__.py
import settings
import importlib

def send_all(content):
    for path_str in settings.NOTIFY_LIST:
        module_path, class_name = path_str.rsplit('.', maxsplit=1)
        # get the module object
        mod = importlib.import_module(module_path)  # from notify