Questions tagged [csrf]

Cross Site Request Forgery is a malicious attack to exploit a website's trust in a user's browser.

Cross Site Request Forgery also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a malicious attack to exploit a website's trust in a user's browser. The attacker tries to get the user's own web browser (or web application) to execute unwanted commands.

It can be shortened to CSRF or XSRF.

Prevention

History

CSRF vulnerabilities have been known and in some cases exploited since 2001. Because the forged request is sent from the victim's own browser and IP address, some website logs might show no evidence that a CSRF attack occurred.

4615 questions
64
votes
5 answers

Is CSRF possible with PUT or DELETE methods?

Is CSRF possible with PUT or DELETE methods? Or does the use of PUT or DELETE prevent CSRF?
4esn0k
  • 9,789
  • 7
  • 33
  • 40
64
votes
6 answers

How to use curl with Django, csrf tokens and POST requests

I'm using curl to test one of my Django forms. The calls I've tried (with errors from each, and over multiple lines for readability): (1): curl -d "{\"email\":\"test@test.com\"}" --header "X-CSRFToken: [triple checked value from the source code of a…
Trindaz
  • 17,029
  • 21
  • 82
  • 111
61
votes
7 answers

How do I send a Spring CSRF token from the Postman REST client?

I have CSRF protection in the Spring framework. So in each request I send the CSRF token in a header from an AJAX call, which is working perfectly. var…
Surendra Jnawali
  • 3,190
  • 5
  • 28
  • 44
60
votes
2 answers

Difference between CSRF and X-CSRF-Token

What is the difference between using X-CSRF-Token in an HTTP header and a token in a hidden field? When to use the hidden field and when to use the header, and why? I think that X-CSRF-Token is for when I'm using JavaScript / AJAX, but I'm not sure.
monkeyUser
  • 4,301
  • 7
  • 46
  • 95
59
votes
3 answers

CSRF, XSS and SQL Injection attack prevention in JSF

I have a web application built on JSF with MySQL as DB. I have already implemented the code to prevent CSRF in my application. Now since my underlying framework is JSF, I guess I don't have to handle XSS attack as it is already handled by…
AngelsandDemons
  • 2,823
  • 13
  • 47
  • 70
58
votes
6 answers

Django CSRF framework cannot be disabled and is breaking my site

The Django CSRF middleware can't be disabled. I've commented it out of the middleware of my project, but my logins are failing due to missing CSRF issues. I'm working from the Django trunk. How can CSRF cause issues if it is not enabled in…
MikeN
  • 45,039
  • 49
  • 151
  • 227
57
votes
5 answers

Rails - How to add CSRF Protection to forms created in javascript?

I'm using backbone.js and it works great, but the forms I'm creating as a JavaScript template lack the Rails CSRF protection token. How do I add it to templates I'm creating in JavaScript?
CamelCamelCamel
  • 5,200
  • 8
  • 61
  • 93
56
votes
3 answers

What is the difference between X-XSRF-TOKEN and X-CSRF-TOKEN?

When do we use the hidden field and when do we use the header, and why? When do we use X-XSRF_TOKEN? When do we use X-CSRF TOKEN?
Kishori Ghorpade
  • 589
  • 1
  • 5
  • 6
55
votes
6 answers

Laravel catch TokenMismatchException

Can the TokenMismatchException be caught using a try/catch block? Instead of displaying the debug page that shows the "TokenMismatchException in VerifyCsrfToken.php line 46...", I want it to display the actual page and just display an error…
basagabi
  • 4,900
  • 6
  • 38
  • 84
54
votes
5 answers

Disable symfony 2 csrf token protection on ajax submit

I'm building a mobile app talking to my Symfony2 app via web services. I can't find a way to disable CSRF protection on a specific controller/action. I want to post registration data to this action and use sf2 form validation. I do not call the form in…
julien rollin
  • 1,607
  • 1
  • 12
  • 17
54
votes
4 answers

CSRF (Cross-site request forgery) attack example and prevention in PHP

I have a website where people can place a vote like this: http://mysite.com/vote/25 This will place a vote on item 25. I want to only make this available for registered users, and only if they want to do this. Now I know when someone is busy on…
Saif Bechan
  • 16,551
  • 23
  • 83
  • 125
51
votes
2 answers

Rails API design without disabling CSRF protection

Back in February 2011, Rails was changed to require the CSRF token for all non-GET requests, even those for an API endpoint. I understand the explanation for why this is an important change for browser requests, but that blog post does not offer any…
Steve Madsen
  • 13,465
  • 4
  • 49
  • 67
51
votes
5 answers

New CSRF token per request or NOT?

So I am reading around and was really confused about having a CSRF token: whether I should generate a new token for each request, or just per hour or something? $data['token'] = md5(uniqid(rand(), true)); $_SESSION['token'] = $data['token']; But…
John
  • 2,900
  • 8
  • 36
  • 65
50
votes
9 answers

CSRF token generation

This is a question about generating CSRF tokens. Usually I'd like to generate a token based off of a unique piece of data associated with the user's session, and hashed and salted with a secret key. My question is in regards to generating tokens…
Jim Beam
  • 501
  • 1
  • 5
  • 3
50
votes
6 answers

Is checking the referrer enough to protect against a CSRF attack?

Is checking the referrer enough to protect against a cross site request forgery attack? I know the referrer can be spoofed, but is there any way for the attacker to do that FOR the client? I know tokens are the norm, but would this work?
ryeguy
  • 65,519
  • 58
  • 198
  • 260