Questions tagged [csrf]

Cross Site Request Forgery is a malicious attack to exploit a website's trust in a user's browser.

Cross Site Request Forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced "sea-surf") or XSRF, is a malicious attack that exploits a website's trust in a user's browser. The attacker tries to get the user's own web browser (or web application) to execute unwanted commands, typically state-changing requests that the site accepts because the browser automatically attaches the user's session credentials.

Prevention

History

CSRF vulnerabilities have been known and in some cases exploited since 2001. Because it is carried out from the user's IP address, some website logs might not have evidence of CSRF.

4615 questions
40 votes, 5 answers

Understanding CSRF

I don't understand how using a 'challenge token' would add any sort of prevention: what value should be compared with what? From OWASP: In general, developers need only generate this token once for the current session. After initial generation…
asked by Lotus Notes (6,302 reputation)
39 votes, 4 answers

Preventing Cross-Site Request Forgery (CSRF) attacks in ASP.NET Web Forms

I have created an ASP.NET Web Forms application using Visual Studio 2013 and I am using .NET Framework 4.5. I want to make sure my site is secure from Cross-Site Request Forgery (CSRF). I have found many articles talking about how this feature is…
asked by Nada N. Hantouli (1,310 reputation)
38 votes, 8 answers

Angular 6 does not add X-XSRF-TOKEN header to http request

I've read the docs and all the related questions on SO, but still Angular's XSRF mechanism isn't working for me: in no way can I make a POST request with the X-XSRF-TOKEN header appended automatically. I have an Angular 6 app with a login form.…
asked by Paolo Stefan (10,112 reputation)
38 votes, 5 answers

Rails: How to implement protect_from_forgery in Rails API mode

I have a Rails 5 API app (ApplicationController < ActionController::API). The need came up to add a simple GUI form for one endpoint of this API. Initially, I was getting ActionView::Template::Error undefined method protect_against_forgery? when I…
asked by lostphilosopher (4,361 reputation)
37 votes, 4 answers

Do I need a CSRF token for jQuery .ajax()?

So I've got a basic .ajax() POST method to a PHP file. What security measures do I need? A few posts around were mentioning using a hidden MD5 input field that you send via AJAX and verify in the PHP file. Is this a good enough method?
asked by Nathan Waters (1,173 reputation)
36 votes, 4 answers

Why should the CSRF token be in a meta tag and in a cookie?

What's the need to put the CSRF token name and value inside a tag like: e.g.: I've read about…
asked by Vin.AI (2,369 reputation)
35 votes, 1 answer

How do you include a CSRF token when testing a POST endpoint in Django?

I am learning how to make an API endpoint and I am trying to write a test to see if a POST request returns a 200 status code. I plan on writing more tests to see if the endpoint is returning all the expected results as well. I keep getting a 403…
asked by Spencer Cooley (8,471 reputation)
34 votes, 3 answers

RequestVerificationToken does not match

I have a problem with the anti-CSRF MVC mechanism. The cookie and the form input returned do not match. I'm getting an error every single time, only in one specific page. In the rest of the application it works well. The server is returning HTTP…
asked by vtortola (34,709 reputation)
34 votes, 2 answers

How does the token prevent a CSRF attack?

I have read about CSRF and how the Unpredictable Synchronizer Token Pattern is used to prevent it. I didn't quite understand how it works. Let's take this scenario: a user is logged into a site with this form:
asked by david (3,310 reputation)
34 votes, 3 answers

Unit testing controllers with CSRF protection enabled in Spring Security

Recently we have introduced CSRF protection for our project, which uses Spring Security 3.2. After enabling CSRF some of the unit tests are failing because the CSRF token is not present in the request. I put some dummy value into the '_csrf' parameter and…
asked by uiroshan (5,021 reputation)
34 votes, 2 answers

Rails 4 skipping protect_from_forgery for API actions

I've been implementing a Rails 4 application with an API. I want to be able to call the API from mobile phones and the webapp itself. I came across this note while researching protect_from_forgery: It's important to remember that XML or JSON…
asked by user44484
34 votes, 2 answers

How is using the Synchronizer Token Pattern to prevent CSRF safe?

I have been reading about using a synchronizer token pattern to prevent CSRF (CSRF meaning Cross-site request forgery), and I don't understand how it is actually safe. Let's say I have a fake bank site fakebank.com with two…
asked by Juliet (1,040 reputation)
33 votes, 4 answers

In Laravel 5, how to disable the VerifyCsrfToken middleware for a specific route?

I am using Laravel 5 for developing an app. My app is connected with the VendHQ API and I intend to get some data from VendHQ through their webhook. As per their documentation: When an event happens and triggers a webhook, we'll send a POST …
asked by Ariful Haque (3,662 reputation)
33 votes, 2 answers

In Spring-Security with Java Config, why does httpBasic POST want csrf token?

I am using Spring-Security 3.2.0.RC2 with Java config. I set up a simple HttpSecurity config that asks for basic auth on /v1/**. GET requests work but POST requests fail with: HTTP Status 403 - Invalid CSRF Token 'null' was found on the request…
32 votes, 7 answers

How to do csrf_token protection in the Jinja2 template engine?

In a Django template I used: {% csrf_token %} {{ form.as_p|safe }} But I get an error when I change to the Jinja2 template engine: Encountered unknown tag 'csrf_token'. My…
asked by nguyên (5,156 reputation)