csrf

How do I turn off CSRF protection in a rails app?

The CSRF prevention built in to Rails is causing some problems for some automated load testing we are doing, and I want to turn it off for the duration of the process. How do I do this? ...

Is exposing a session's CSRF-protection token safe?

Django comes with CSRF protection middleware, which generates a unique per-session token for use in forms. It scans all incoming POST requests for the correct token, and rejects the request if the token is missing or invalid. I'd like to use AJAX for some POST requests, but said requests don't have the CSRF token availabnle. The pages h...

How to best prevent CSRF attacks in a GAE app?

So, what is the best way to prevent an XSRF attack for a GAE application? Imagine the following: Anyone can see a user's public object, and the db.Model id is used in the request to figure out which object to show. Malicious user now has the id. Malicious user creates their own object and checks out the delete form. They now know ho...

Can anyone suggest an abstract base class to prevent XSRF in .NET 2.0+

I'm looking for an abstract base class or master page solution that will prevent anyone from doing XSRF using both a token and ttl. Can anyone point me in the right direction? Edit: The ideal solution will leverage the cookie that the default membership provider sends down to the client. ...

Isn't CSRF a browser security issue?

Regarding cross-site request forgery (CSRF) attacks, if cookies are most used authentication method, why do web browsers allow sending cookies of some domain (and to that domain) from a page generated from another domain? Isn't CSRF easily preventable in browser by disallowing such behavior? As far as I know, this kind of security che...

XSRF in a RESTful Application

I am a ASP.NET Developer trying to learn Rails and RESTful approach. To understand, I am planning to write a Email client, which would make RESTful GET call to the server to fetch the emails and POST to send an email. What are the best practices (both generic and/or specific to Rails) to be followed so that, the above application is not...

Ideas for XSRF Security implementation in ASP.NET MVC using Double Submitted Cookies

I've decided to attempt using the double submitted cookies technique to attempt to prevent XSRF attacks on the site I'm working on. So the way I have it written down here is, all actions that actually DO something other than GET information, will be posts. Gets will be...uh...GETs. Secondly, every form that posts will have the key/coo...

CSRF: can the JSON data returned by a POST request be stolen?

Can the JSON data, returned by a POST request be stolen by a cross-site request forgery attack? ...

CSRF Validation Token: session id safe?

In asp.net I am implementing an IHttpModule to mitigate CSRF attacks. It injects into the response html a hidden form parameter with the asp.net SessionID on GETs. On POSTs it then checks to make sure that hidden parameter's value matches the current SessionID. As far as I know, the only way to get the SessionID value is from the cook...

How do I secure my JsonResult GET calls?

I know how to use MVC's AntiForgeryToken attribute and it's associated HTML helper to help XSRF-secure my application's form POSTs. Can something similar can be done for JsonResults that implement GET? For instance, my View contains an onSubmit jQuery call like such: $.getJSON("/allowActivity/YesOrNo/" + someFormValue, "{}", function(...

Why isn't AntiForgeryToken included in every form by default?

I am interested why isn't AntiForgeryToken included in every ASP.NET MVC form by default? It seems the pluses of always including it outweigh the possible disadvantages. And this behaviour could be disabled in case of need like for Web Forms HttpRequestValidationException. ...

How can I prevent cross-site request forgery with Perl and Apache?

Are there any transparent library that I can use or something easy so I can prevent cross-site request forgery (CSRF) with Perl and Apache? How can I generate tokens for forms and validating them server-side? ...

XSRF protection in an AJAX style app

We're currently developing an entirely AJAX based app that will interact with the server via a RESTful API. I've considered potential schemes to protect against XSRF attacks against the API. User authenticates and receives a session cookie, which is also double-submitted with each request. We implement an OAuth consumer in Javascript,...

Is there a particular approach to prevent CSRF/XSRF with Zend Framework?

Cross-site request forgery (CSRF or XSRF) attacks provokes unauthorised actions in your web application by users you believe to be trusted. That is surely something we would like to prevent, and I am particularly working with Zend Framework. Is there a Zend Framework approach to prevent CSRF/XSRF? ...

javascript securty: an AJAX call to record the user's screen resolution, is it possible to prevent fake numbers?

This is a javascript security question: suppose a page finds out the screen resolution of the computer, such as 1024 x 768, and want to use an AJAX call to log this data into the DB. Is there a way to actually prevent fake data from being entered into the DB? I think whatever the HTML or Javascript does, the user can reverse engineer ...

Any logical loop holes in this idea for preventing Cross Site Request Forgery?

I've read several XSRF solutions that rely on adding more tokens to the response, which do help protect code that only runs on POST. i.e. this would be a one step attack relying on a page that responds to HTTP GET <img src="http://amazon.com/buybook/anarchistscookbook/mailto/me/execute.php"&gt; But with better libraries like jquery,...

How do you Unit Test a Zend_Form that includes the CSRF form element?

I'm using the CSRF hidden hash element with Zend_Form and trying to Unit Test the login but don't know how to write a Unit Test to include that element. Looked in the docs and read as many tutorials as I could find. I even delicioused them all, but no one mentions this. ...

Validate Origin of FORM POST to ensure it came from same server/app

I want find a platform/language agnostic solution to ensuring the origin of a FORM POST is from an expected source. I.e. Page1.aspx posting to Page2.php within the same web site. Specifically what I am attempting to do here is to prevent request forgery. ...

How to prevent a Cross-Site Request Forgery (XSRF/CSRF) attack using URL rewriting?

A CSRF/XSRF can be prevented using a number of techniques. One of the technique is to use a token unique to the client session with every request being sent by the client to the server; which is being validated on the server side. If the request token and the token on the server side matches, the request is allowed to enter the applica...

Can you prevent XSRF by including the session key in the params of all POST requests?

Will this idea work? It seems pretty stupid, because my app is simply checking that the browser sent two copies of the same information (ie the session key). Also, remembering to make this check sounds very tedious. Do web frameworks such as Rails and CakePHP have things that make it easier to write XSRF-proof web apps? ...