Questions tagged [csrf]

Cross Site Request Forgery is a malicious attack to exploit a website's trust in a user's browser.

Cross-Site Request Forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced "sea-surf") or XSRF, is a malicious attack that exploits a website's trust in a user's browser. The attacker tries to get the user's own web browser (or web application) to execute unwanted commands.

It can be shortened to CSRF or XSRF.

Prevention

History

CSRF vulnerabilities have been known and in some cases exploited since 2001. Because it is carried out from the user's IP address, some website logs might not have evidence of CSRF.

4615 questions
2 votes, 4 answers

Which HTML form attack vectors are there?

I am starting to have a look at HTML form security. So far my research revealed three main attack vectors: cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injection. My question is: Are there more attack vectors for HTML forms than…
Jens
  • 20,533
  • 11
  • 60
  • 86
2 votes, 1 answer

How to turn off "Rack::Protection::JsonCsrf"?

In my Heroku logs I see this: WARN -- : attack prevented by Rack::Protection::JsonCsrf. I know the reason why it appears there and I want to turn off that protection mechanism. How?
Alan Coromano
  • 24,958
  • 53
  • 135
  • 205
2 votes, 2 answers

CSRF token just fires randomly in django

I have a form in my html:
{% csrf_token %}
{{form.input1}}
{{form.input2}}
{{form.input3}}
Tom
  • 2,545
  • 5
  • 31
  • 71
2 votes, 2 answers

CSRF protection in Play Framework behind load balancers

I use Play in a cluster behind an AWS load balancer. To prevent CSRF attacks I added @CSRF.formFields to all form submits. But I get 403 errors randomly, and I guess it's because the token issued by server A wouldn't be accepted by server B. Have…
2 votes, 1 answer

How can I prevent SSRF via pathinfo passing a URL in PHP?

After scanning through our code using Acunetix for vulnerabilities, we had an issue with the following script which said: "An HTTP request was initiated for the domain hit0yPI7kOCzl.bxss.me which indicates that this script is vulnerable to SSRF…
chris
  • 605
  • 1
  • 9
  • 27
2 votes, 2 answers

Compojure app not sending CSRF by default

I'm using reagent and compojure to make a toy webapp and I can't figure out why my server isn't sending out a CSRF cookie. Other answers and several blog posts seem to imply that the default settings for compojure now send the CSRF token and that…
BWStearns
  • 2,567
  • 2
  • 19
  • 33
2 votes, 1 answer

spring-boot-actuator disable csrf

I used spring-boot-actuator with a different port, like the following:
server.port=8080
management.port=8989
And in the application I want to use enable-csrf=true, but I don't want to use CSRF on the actuator port, because I want to use bulk POST requests to…
krrrr38
  • 155
  • 2
  • 12
2 votes, 1 answer

Django 1.9: CSRF token missing or incorrect using Stripe

This might be a duplicate, but I tried using RequestContext from other answers and it didn't work for me. checkout_test.html: {% csrf_token %}