Questions tagged [csrf]

Cross-Site Request Forgery is a malicious attack that exploits a website's trust in a user's browser.

Cross-Site Request Forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced "sea-surf") or XSRF, is a malicious attack that exploits a website's trust in a user's browser. The attacker tricks the user's own web browser (or web application) into sending requests the user did not intend, which the site accepts because they carry the user's existing session credentials.

Prevention

History

CSRF vulnerabilities have been known, and in some cases exploited, since 2001. Because the forged request is sent by the victim's own browser from the victim's IP address, server logs often show nothing that distinguishes it from the user's legitimate traffic.

4615 questions
27 votes, 4 answers

Symfony CSRF and Ajax

I am trying to implement some Ajax functionality in my Symfony 2 project. Using jQuery's $.post I want to send some data back to my controller. However, when I just POST the data no CSRF protection is in place, as Symfony's CSRF protection only…
peterrus
26 votes, 2 answers

How does AntiForgeryToken work

I'm trying to protect against CSRF and have two scenarios: doing a POST from within another site, which fails when I enable AntiForgeryToken. I have tried from my "malicious" JavaScript (running on another site) to first do a GET of the page, parse it…
Nadir Talic
26 votes, 2 answers

How to handle CSRF Validation in Yii2 Framework?

I'm having a problem with CSRF validation in Yii2. The validation works fine with the default form generated by Gii, but when I edit the form with HTML tags the form submission throws a bad request error. I have disabled CSRF validation to …
msucil
26 votes, 14 answers

CSRF verification failed. Request aborted

I am trying to build a very simple website where one can add data into an sqlite3 database. I have a POST form with two text inputs. index.html: {% if top_list %}
    Name    Total steps
    {% for t in top_list %} …
Bebe
25 votes, 10 answers

CSRF Token missing or incorrect

Beginner at Django here; I've been trying to fix this for a long time now. I do have 'django.middleware.csrf.CsrfViewMiddleware' in my middleware classes and I do have the token in my POST form. Here's my code, what am I doing wrong? from…
aroooo
25 votes, 5 answers

CSRF: Can I use a cookie?

Is it OK to put the CSRF token in a cookie? (And in every form as a hidden input, so I can check whether they match, of course.) I heard someone say that doing so defeats the whole purpose of the token, though I don't understand why. It seems secure to…
HappyDeveloper
25 votes, 4 answers

Spring Security 3.2 CSRF support for multipart requests

We have been using Spring Security with our application for a few years now. Last week we upgraded Spring Security from version 3.1.4 to 3.2.0. The upgrade went fine and we did not find any errors after the upgrade. While looking through the Spring…
manish
24 votes, 9 answers

CSRF state token does not match one provided (FB PHP SDK 3.1.1, OAuth 2.0)

My server logs show a "CSRF state token does not match one provided" error which seems to happen for almost every user. However, the users are created and/or authenticated and I am able to retrieve the user info. I am using a Linux server with…
24 votes, 3 answers

Using MVC3's AntiForgeryToken in HTTP GET to avoid JavaScript CSRF vulnerability

With regard to this Haacked blog post, I'm hesitant to implement the proposed anti-JSON-GET-hijacking solutions, since the recommended solutions to mitigating JSON hijacking involve non-RESTful JSON POSTs to GET data. The alternate solution (object…
makerofthings7
24 votes, 1 answer

How can I get csrftoken in a view?

Is there any way to get csrftoken directly in a view? I want to get the current csrftoken in the view, but it changes sometimes, so getting it from cookies is not a good idea. Is there any way to do that? Thanks!
Gary
24 votes, 1 answer

How to selectively disable CSRF check in Phoenix framework

I'm trying to create a Facebook Page Tab which points to my website. Facebook sends an HTTP POST request to the URL of my website. The problem here is that the server has a built-in CSRF check, and it returns the following…
N. Sola
23 votes, 4 answers

How to protect against CSRF by default in ASP.NET MVC 4?

Is there a way to ensure ASP.NET MVC 4 forms are protected against CSRF by default? For instance, is there a way to have AntiForgeryToken automatically applied to all forms in both views and controller actions? Background on this question: Prevent…
Fernando Correia
23 votes, 4 answers

CSRF tokens vs. nonce confusion: are they the same?

In an attempt to make the application I'm currently developing more secure, I've been reading about CSRF tokens and also nonces. My question simply is: are CSRF tokens and nonces the same thing? From what I could gather so far, both these methods…
Zubair1
23 votes, 1 answer

Do I have to use CSRF protection in a React SPA?

I use a React Single Page Application (Create React App, CRA) as the client side. In my backend I use Node.js and Express. To fetch or store data I need to call the API from the client to the backend. Actually, I've seen there are several middlewares like: - Express…
Faris Dewantoro
23 votes, 5 answers

How to implement CSRF protection in Ajax calls using express.js (looking for complete example)?

I am trying to implement CSRF protection in an app built with Node.js using the Express.js framework. The app makes abundant use of Ajax POST calls to the server. I understand that the Connect framework provides CSRF middleware, but I am not sure…
Benjen