csrf

I'm interested in hearing what approaches people have taken when building a RESTful (or quasi-RESTful) API for their web applications. A practical example: Say you have a traditional browser-based web application which uses CSRF protection on all forms. A hidden input with a CSRF protection token is included in each form presented in the browser. Upon submission of the form, if this input does not match the server-side version of token, the form is considered invalid. Now say you want to expose the web application as an API (perhaps using JSON instead of HTML). Traditionally when publishing an

I am using Spring Security 3.2.3 in my Spring MVC application and getting some unexpected behavior. According to the documentation here , it should be possible to use ${_csrf.token} in the meta tags of my html: <meta name="_csrf" content="${_csrf.token}" /> <!-- default header name is X-CSRF-TOKEN --> <meta name="_csrf_header" content="${_csrf.headerName}" /> From where I extract the value of "content" using JQuery and place it into the Request Header using AJAX. For some reason though, Spring Security doesn't "convert" this into an actual token, it just gets sent into the header as a literal

I'm using Rails 3.1.0.rc4 and I'm working on doing integration tests with capybara's new Steak-like DSL and Rspec (using Devise authentication) The issue I'm having is that when I run an integration test, the rack-test driver from capybara seems to just completely lose the user's logged in session, in fact, the session seems to just clear out altogether. After days of debugging, I'm at a complete loss as to why. Going line by line through the middleware stack, I believe I've ruled the problem down to something going on in the ActiveRecord::SessionStore that is causing this. I've read here that

CSRF（Cross-site request forgery跨站请求伪造，也被称为“one click attack”或者session riding，通常缩写为CSRF或者XSRF。是一种对网站的恶意利用。 Django 中自带了 防止CSRF攻击的功能，但是一些新手不知道如何使用，给自己编程带来了麻烦。常常会出现下面django csrf token missing or incorrect的错误。 GET 请求不需要 CSRF 认证，POST 请求需要正确认证才能得到正确的返回结果。一般在POST表单中加入 {% csrf_token %} <form method="POST" action="/post-url/"> {% csrf_token %} <input name='zxdc' value="myvalue"> </form> 如果使用Ajax调用的时候 $.post('/diy/req_user_vehcile/', { csrfmiddlewaretoken: '{{ csrf_token }}', // 增加一个参数csrfmiddlewaretoken plateno: value, }, function (result) { } 注意： django1.8及之前版本 视图为 def myview(request): context_map = {

I have included Zend_Form_Element_Hash into a form multiplecheckbox form. I have jQuery set to fire off an AJAX request when a checkbox is clicked, I pass the token with this AJAX request. The first AJAX request works great, but the subsequent ones fail. I suspect it may be once the token has been validated it is then removed from the session (hop = 1). What would be your plan of attack for securing a form with Zend Framework Hash yet using AJAX to complete some of these requests? I finally abandoned using Zend_Form_Element_Hash and just created a token manually, registered it with Zend

Using AntiForgeryToken requires each request to pass a valid token, so malicious web pages with simple script posting data to my web application won't succeed. But what if a malicious script will first make some simple GET request (by Ajax ) in order to download the page containing the antiforgery token in a hidden input field, extracts it, and use it to make a valid POST ? Is it possible, or am I missing something? Cheekysoft Yes, this is all you need to do. As long as you generate a new token on each protected page, with <%= Html.AntiForgeryToken() %> and always ensure it is checked in any

I have a Rails 5 API app ( ApplicationController < ActionController::API ). The need came up to add a simple GUI form for one endpoint of this API. Initially I was getting ActionView::Template::Error undefined method protect_against_forgery? when I tried to render the form. I added include ActionController::RequestForgeryProtection and protect_from_forgery with:exception to that endpoint. Which solved that issue as expected. However, when I try to submit this form I get: 422 Unprocessable Entity ActionController::InvalidAuthenticityToken . I've added <%= csrf_meta_tags %> and verified that