Questions tagged [csrf]

Cross Site Request Forgery is a malicious attack to exploit a website's trust in a user's browser.

Cross Site Request Forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced "sea-surf") or XSRF, is a malicious attack that exploits a website's trust in a user's browser. The attacker tries to get the user's own web browser (or web application) to execute unwanted commands.

It can be shortened to CSRF or XSRF.

Prevention

History

CSRF vulnerabilities have been known, and in some cases exploited, since 2001. Because the forged request is sent by the victim's own browser from the victim's IP address, some website logs might show no evidence that a CSRF attack took place.

4615 questions
22 votes, 3 answers

Spring Security: enable / disable CSRF by client type (browser / non-browser)

Spring Security documentation says: "When you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by …
Himalay Majumdar

22 votes, 1 answer

Am I under risk of CSRF attacks in a POST form that doesn't require the user to be logged in?

I'm probably being a total noob here, but I'm still uncertain about what a CSRF (Cross-Site Request Forgery) attack is exactly. So let's look at three situations... 1) I have a POST form that I use to edit data on my site. I want this data to be…
Monika Sulik

22 votes, 4 answers

devise user sign_in gives authentication error for CSRF token authenticity token

I am using devise (latest version - 3.2.0) with rails (latest version - 4.0.1). I'm doing simple authentication (without ajax or api) and getting an error for the CSRF authenticity token. Check the POST request below: started POST "/users/sign_in" for…
rtcoms

22 votes, 8 answers

POST method always returns 403 Forbidden

I have read Django - CSRF verification failed and several questions (and answers) related to django and the POST method. One of the best-but-not-working-for-me answers is https://stackoverflow.com/a/4707639/755319 All of the approved answers suggest at…
goFrendiAsgard

21 votes, 2 answers

Rails 4. How to add authenticity_token to forms rendered via partial?

On my rails app, on all pages, in the head section there are these 2 meta tags: On forms not rendered using a partial there is a hidden…
Catalin

21 votes, 3 answers

How to implement CSRF protection for cross-domain requests

I have two web apps, one for the Web UI in AngularJS and one for the REST webservices in Java. Both are deployed on separate domains. The application uses cookies for authentication. Whenever a user enters a valid username and password, the server returns…
user3565529

21 votes, 6 answers

Error: misconfigured csrf - Express JS 4

I am trying to enable the csrf module of Express 4 in an existing application. I have added the following code: var csrf = require('csurf') ... app.use(csrf()); I have started my application and I get: Error: misconfigured csrf and a stack trace.…
Jérôme Verstrynge

21 votes, 2 answers

What Response Should Be Sent Back When a Cross-Site Request Forgery (CSRF) is Detected

What response should I send back when a Cross-Site Request Forgery (CSRF) is detected? There is a scanning tool which I cannot get a hold of that is saying one of my pages is not protected against CSRF. But it is. The response I send back is a…
gfrobenius

21 votes, 6 answers

Laravel CSRF Token

EDIT: I should have said this at the start, I'm using AngularJS in the front end, and I'm making all the requests via XHR. I'm developing an Application using a CSRF Token for every user request. Should I regenerate the Token after each…
Gabriel Matusevich

21 votes, 2 answers

How specifically does Laravel build and check a CSRF token?

I'm using Laravel's CSRF protection on my public site. However since Laravel uses a session to maintain this, I'm worried that a user might walk away from their computer and return to a page they have previously left open, only to find ajax requests…
prograhammer

21 votes, 3 answers

Forbidden (403) CSRF verification failed. Request aborted. Even using the {% csrf_token %}

I am trying to do a login in Django but I get this error. I checked the CSRF documentation and nothing works for me. Here is the HTML:
BismarthSantana

21 votes, 3 answers

CSRF token collisions with multiple tabs

I built CSRF protection in my application, by simply generating a random token on every page load, putting it into session, and then binding the token to the tag attribute like: Then on…
Justin

21 votes, 1 answer

AntiForgery.GetTokens: what is the purpose of the oldCookieToken parameter?

We're writing an iOS mobile app in objective-c that makes posts to our ASP.NET MVC server app. On iPhone, the HTTP stack (and cookies etc) appear to be shared with Safari. This leaves us open to XSRF attacks, so unless I'm mistaken we need to…
spender

21 votes, 2 answers

How do I turn off CSRF protection in a rails app?

The CSRF prevention built in to Rails is causing some problems for some automated load testing we are doing, and I want to turn it off for the duration of the process. How do I do this?
Laurie Young

21 votes, 3 answers

symfony2 CSRF invalid

Okay, so today I updated my database with new information from our 'live' database... And since then I've been having issues on one of my forms. If you need any code let me know and I'll edit this and post the code needed... I have a report form…
Justin