csrf

XSRF in a RESTful Application

瘦欲@ submitted on 2019-12-05 21:27:49
I am an ASP.NET developer trying to learn Rails and the RESTful approach. To understand it, I am planning to write an email client, which would make a RESTful GET call to the server to fetch the emails and a POST to send an email. What are the best practices (both generic and/or specific to Rails) to be followed so that the above application is not exposing any XSRF vulnerabilities? The Ruby on Rails Security Project has a good post on this. Essentially, Rails 2.0 and above have built-in protection for XSRF attacks. Every form created via the form helpers includes a hidden field with a special token in it

Rails 5.2: some controller actions give InvalidAuthenticityToken

烈酒焚心 submitted on 2019-12-05 20:57:36
Previously I used a gem which provided a controller for accepting external services to POST some data into our app. However, in Rails 5.2 it stopped working. When the endpoint is triggered, it raises an ActionController::InvalidAuthenticityToken error. lulalala For Rails before 5.2, the generated ApplicationController will call protect_from_forgery, meaning POST, PUT and DELETE actions are checked for authenticity. New Rails 5.2 projects will by default check the authenticity token for any subclass of ActionController::Base instead, which affects many existing gems. You can wait for the gem updates for

remote image embeds: how to handle ones that require authentication?

若如初见. submitted on 2019-12-05 20:35:53
I manage a large and active forum and we're being plagued by a very serious problem. We allow users to embed remote images, much like how stackoverflow handles images (imgur); however, we don't have a specific set of hosts. Images can be embedded from any host with the following code: [img]http://randomsource.org/image.png[/img] and this works fine and dandy... except users can embed an image that requires authentication. The image causes a pop-up to appear, and because authentication pop-ups can be edited, they put something like "please enter your [sitename] username and password here" and

day54 Django: uploading files with ajax and form submissions

别等时光非礼了梦想. submitted on 2019-12-05 20:21:13
day54 Django: uploading files with ajax and form submissions. ajax characteristics: partial page refresh, asynchronous requests. Syntax: {% load static %} <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Title</title> </head> <body> <h1>登录页面</h1> {##} {#<form action="" method="post">#} {# {% csrf_token %}#} {# Username: <input type="text" name="username">#} {# Password: <input type="text" name="password">#} {# <input type="submit">#} {#</form>#} {% csrf_token %} <hr> 用户名: <input type="text" id="uname"> 密码: <input type="password" id="pwd"> <button id="sub">提交</button> <span id="error" style="color:red;font-size: 12px;"></span> </body> <script src="https://cdn.bootcss

Flask-wtf: csrf_token is removed from session before I can POST my form

流过昼夜 submitted on 2019-12-05 19:49:55
I'm using Flask with Flask-Security (specifically Flask-WTF regarding my csrf issue) to "ease" the process of registering/logging in users (not easy so far). I'm using BackboneJS on the front-end, therefore I kind of hacked the original way to use Flask-WTF. Indeed, I make an AJAX GET request on /register to get the register page (generated by Flask-Security) and I put the resulting HTML in a modal. render: function () { var self = this; $.ajax({ type: 'GET', url: Config.constants.serverGateway + "/register" }).done(function(result){ console.log("get register done", result); var html = self.template(

Can certain URLs be exempt from CSRF in sails.js?

心不动则不痛 submitted on 2019-12-05 18:36:29
I'm setting up Stripe to work with my sails.js server, and in order to use Stripe's webhooks, I need to disable CSRF for the URLs I provide to Stripe. Is it possible to make certain URLs exempt from CSRF POST requirements in sails.js? The only configuration I can find for CSRF is to turn it on globally, and looking through the source code for the csrf hook ( https://github.com/balderdashy/sails/blob/master/lib/hooks/csrf/index.js ) it looks like if I try to provide a custom object, it just gets replaced with the global settings anyway. Thanks. So Murcho's solution is working, but actually, sails

CSRF attacks

余生颓废 submitted on 2019-12-05 17:21:59
A CSRF attack succeeds because the attacker can completely forge the user's request: all of the user's authentication information in that request lives in cookies, so the attacker can pass the security check by using the user's own cookies without knowing any of that authentication information. The key is to verify whether the authorized user and the party issuing the request are the same person. To defend against CSRF, the key is to put information in the request that the attacker cannot forge, and that information must not live in the cookie. Because the information in the cookie is attached automatically, and this is exactly what the attacker exploits, the request only needs to carry some other information (for example in a header) that must also be verified, so that the attacker cannot pass verification purely by relying on the automatically attached cookie. CSRF token. A randomly generated token can be added to the HTTP request as a parameter, with an interceptor on the server side that verifies this token; if the request carries no token or the token is wrong, the request is treated as a possible CSRF attack and rejected. This method is somewhat safer than checking the Referer. The token can be generated after the user logs in and stored in the session; on every request it is taken from the session and compared with the token in the request. X-CSRF-Token. Besides verifying the CSRF token as a POST parameter, verification can also be done by setting the X-CSRF-Token request header; the VerifyCsrfToken middleware checks the X-CSRF-TOKEN request header. First, create a

Why codeigniter2 doesn't store the csrf_hash in a more secure way, such as session?

假装没事ソ submitted on 2019-12-05 17:01:29
Why is the generated CSRF protection token not saved and used via the SESSION, as suggested here? Currently in CI2, the CSRF protection mechanism (in the Security class) is as follows: 1. generate a unique value for the CSRF token in the _csrf_set_hash() function: $this->csrf_hash = md5(uniqid(rand(), TRUE)); 2. insert that token into a form hidden field (using the form_open helper); 3. a user submits the form and the server gets the token via POST. CI performs token verification in the "_sanitize_globals()" function of the Input class: $this->security->csrf_verify(); 4. the function "csrf_verify" of the Security class just checks is

What is a CSRF attack? How can it be avoided?

牧云@^-^@ submitted on 2019-12-05 16:28:52
Cross-site request forgery, also known as a one-click attack or session riding, and usually abbreviated CSRF or XSRF, is an attack method that coerces a user into performing unintended actions on a web application in which they are currently logged in. Compared with cross-site scripting (XSS): XSS exploits the user's trust in a particular site, whereas CSRF exploits the site's trust in the user's web browser. Attack details: simply put, in a cross-site request attack the attacker uses some technical means to trick the user's browser into visiting a site the user has previously authenticated to and performing some actions there (such as sending email, sending messages, or even financial operations such as transfers and purchases). Because the browser has previously authenticated, the visited site assumes this is a genuine user action and carries it out. This exploits a weakness in web user authentication: simple authentication can only guarantee that a request comes from a certain user's browser; it cannot guarantee that the request itself was issued voluntarily by the user. Example: suppose a bank performs transfers via a URL of the following form: http://www.examplebank.com/withdraw?account=AccoutName&amount=1000&for=PayeeName Then a malicious attacker can place the following code on another website: <img src="http://www.examplebank.com/withdraw?account=Alice&amount=1000&for=Badman">

When Is It Necessary to Protect Forms with a Token (CSRF attacks)?

坚强是说给别人听的谎言 submitted on 2019-12-05 16:02:08
As far as I understand, a web developer should create a token and put it in a hidden field of the form to prevent CSRF attacks. Also, he should save the same token in a session and then, when the form is submitted, check that the tokens are equal. I came to a question... is it necessary to do this technique for all forms? I mean, imagine a form that is created to sign in. I can't see any harm done to the site and/or user if there is no CSRF protection, because the user has no privileges (like he would have if he were signed in). The same goes for sign-up... Am I right? P.S. If I'm wrong, please explain to me the