Questions tagged [csrf]

Cross Site Request Forgery is a malicious attack to exploit a website's trust in a user's browser.

Cross Site Request Forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced "sea-surf") or XSRF, is a malicious attack that exploits a website's trust in a user's browser. The attacker tries to get the user's own web browser (or web application) to execute unwanted commands on that site.


Prevention

History

CSRF vulnerabilities have been known, and in some cases exploited, since 2001. Because the forged request is sent from the user's own browser and IP address, website logs may show no evidence that a CSRF attack took place.

4615 questions
2 votes, 3 answers

How to translate (and replicate) the CSRF Message in Symfony?

Some of my users experience a CSRF error in my web-application. They tell me that they don't know what to do about it. In order to have a better user experience I would like to translate the message. Can someone tell me how I can do this? Also,…
xfscrypt
2 votes, 0 answers

Laravel 5.1 jQuery $.get() not working

I'm having a little problem. I've never really used Ajax/jQuery with Laravel before, and I'm having a problem with the jQuery $.get() function. I followed a tutorial to make a select input show data from my database on every change. I believe the…
RodrigoCS
2 votes, 2 answers

Laravel add csrf check for link

I'm implementing a post DELETE action in Laravel using a hyperlink, as WordPress does: http://mysite/wp-admin/post.php?post=568&action=trash&_wpnonce=ec36bea1fd The last part of the link has a wpnonce, which is CSRF in Laravel. But the Laravel CSRF middleware…
alex
2 votes, 1 answer

CSRF Protection with Custom header other than X-Requested-By

This is related to the post https://security.stackexchange.com/questions/23371/csrf-protection-with-custom-headers-and-without-validating-token/23373#23373?newreg=9acf3e40d05f4d19a00eb58b160f8453 So if we have decided to use Custom Header Validation…
victor
2 votes, 1 answer

ColdFusion - Prevention - Cross-site request forgeries (CSRF)

I'm interested in learning how to prevent Cross-site request forgeries (CSRF) in my ColdFusion 9 application. I found a few tutorials online but none seem to be comprehensive. The best I've found is:…
AnApprentice
2 votes, 0 answers

Unable to retrieve CSRF cookie set by Django view via Android front-end

I am using Ion by Koush to get the cookie from a URL which is an endpoint of my Django web application. String urlStr = "http://example.herokuexampleapp.com/registration_id/"; URL url = null; try { url = new URL(urlStr); URI uri = new…
shahz
2 votes, 0 answers

CSRF Django Referer checking failed

I have recently set up my Django site with nginx and SSL; however, sometimes users are seeing the following error: Referrer Checking Failed - https://.co.uk/register does not match https://.co.uk Users can access the site through…
Silian Rails
2 votes, 0 answers

Are XSS protection techniques required on server side considering modern browsers?

Is it true that: modern browsers add an "origin" header to ANY cross-domain request; modern browsers look for the "Access-Control-Allow-Origin" header in the response and do not process the response body if this header is absent. Hence the server does not need to use…
onetuser
2 votes, 0 answers

Csrf protection does not work while using session.storage.php_bridge in Symfony2

I am using Symfony2 with SimpleSAMLphp for user authentication. I set session.storage.php_bridge in my config because I get strange behaviour without it: session: storage_id: session.storage.php_bridge handler_id: ~ Now with these settings…
andrius.k
2 votes, 1 answer

Yii CSRF Validation is showing 400 Error

I have enabled CSRF in main.php: 'request' => array( 'enableCsrfValidation' => true, ) After enabling CSRF, all the links in my app are showing 400 (Bad Request). I have tried searching for the fix and did not find any. Am I missing…
Hema Chandra
2 votes, 1 answer

After Angular logout: Can't verify CSRF token authenticity

Steps to repeat: login, logout, login, and get 422 from the server: "Can't verify CSRF token authenticity". Gems: devise 3.5.2, devise_token_auth 0.1.36. According to other threads the solution is to return a new csrf token on logout and then on the client side…
Stephen Burke
2 votes, 1 answer

CSRF token missing or invalid Django

I've run into this issue before and solved it, but this just popped up totally randomly (or so it seems). I've just come back to my Django project after a little while away from it... when logging in I forgot my web username and it gave me the…
123
2 votes, 1 answer

Laravel CSRF with SSL load balancing behind nginx

We have an Nginx load balancer with SSL termination. Behind it are two web servers running nginx/Laravel 5.1, and both share sessions on Redis. When the load balancing is set to session affinity mode, where the user goes back to the same server,…
tven
2 votes, 2 answers

Security: implementing a solution against CSRF attacks in struts 1

I need to implement a solution to prevent CSRF attacks in an application based on the Struts 1 framework. On the web, people suggest these kinds of solutions: Struts saveToken(request) and isTokenValid(request, true); libraries such as HDIV and OWASP…
kkung
2 votes, 3 answers

Express.js csrf token with jQuery Ajax

I am trying to implement CSRF protection in my project but I can't make it work with jQuery Ajax. (It works with normal POST requests, though.) If I tamper with the token using Chrome dev tools before I send the form, I still see "data is being…
salep