Understanding CSRF

The attacker has no way to get the token. Therefore the requests won't take effect. I recommend this post from Gnucitizen. It has a pretty decent CSRF explanation: http://www.gnucitizen.org/blog/csrf-demystified/

Am I under risk of CSRF attacks in a POST form that doesn’t require the user to be logged in?

There's means of CSRF whenever malicious HTML or JavaScript which is targeted on your website is embedded in another HTML page (or an email message) and is successfully executed. An example is the following, which is placed in another webpage that innocently asks for your name and age before proceeding: <form action="http://yoursite.com/transferfunds" …

Adding X-CSRF-Token header globally to all instances of XMLHttpRequest();

I'd recommend intercepting calls to the send method: (function() { var send = XMLHttpRequest.prototype.send, token = $('meta[name=csrf-token]').attr('content'); XMLHttpRequest.prototype.send = function(data) { this.setRequestHeader('X-CSRF-Token', token); return send.apply(this, arguments); }; }()); This won't add the header at instantiation time, but right before the request is sent. You can intercept calls to new XMLHttpRequest() as well, but that …

Should <protected-views> be used for JSF 2.2 CSRF protection?

I am confused. I see that JSF 2.0 has implicit CSRF protection: How JSF 2.0 prevents CSRF. This implicit protection is on POST requests only (i.e. pages with <h:form>). On the other side, according to the article http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html we should add the following element to the faces-config.xml file with the list of JSF pages. <protected-views> …

CSRF Token missing or incorrect

Update: This answer is from 2011. CSRF is easy today. These days you should be using the render shortcut function return render(request, 'template.html') which uses RequestContext automatically, so the advice below is outdated by 8 years.
Use render: https://docs.djangoproject.com/en/2.2/topics/http/shortcuts/
Add CSRF middleware: https://docs.djangoproject.com/en/2.2/ref/csrf/
Use the {% csrf_token %} template tag
Confirm you see the CSRF …

How do I solve an AntiForgeryToken exception that occurs after an iisreset in my ASP.Net MVC app?

If your MachineKey is set to AutoGenerate, then your verification tokens, etc. won't survive an application restart: ASP.NET will generate a new key when it starts up, and then won't be able to decrypt the tokens correctly. If you are seeing this a lot, I'd suggest: Configuring a static MachineKey (you should be able …

Cookies Only set in Chrome – not set in Safari, Mobile Chrome, or Mobile Safari

After a battle I've figured this out with the help of this post: Setting a domain with Express sessions stops cookie from being saved. The issue comes down to third party cookies. If you're sending data from server.herokuapp.com to site.herokuapp.com you're going to have this issue. The solution is to use the same custom domain …

Codeigniter CSRF valid for only one time ajax request

In my opinion you should try to recreate your csrf token each request. Try this code example… For the js function: var csrfName="<?php echo $this->security->get_csrf_token_name(); ?>", csrfHash="<?php echo $this->security->get_csrf_hash(); ?>"; $("#avatar").change(function(){ var link = $("#avatar").val(); var dataJson = { [csrfName]: csrfHash, id: "hello", link: link }; $.ajax({ url : "<?php echo base_url('main/test'); ?>", type: 'post', …

Using MVC3’s AntiForgeryToken in HTTP GET to avoid Javascript CSRF vulnerability

The Asp.net MVC AntiForgeryToken won't work through HTTP GET, because it relies on cookies which rely on HTTP POST (it uses the "Double Submit Cookies" technique described in the OWASP XSRF Prevention Cheat Sheet). You can also additionally protect the cookies sent to the client by setting them as httponly, so they cannot be spoofed …