csrf

Does requiring POST plus custom Content-Type prevent CSRF?

My team is building a site that uses AJAX calls to WCF services for all state changes. Those services only accept a request if its method is POST and its Content-Type is 'application/json'. Assuming that our site has no XSS vulnerabilities, is this sufficient protection against CSRF for our WCF services? Is it possible for an attacker...

Is checking the referrer enough to protect against a CSRF attack?

Is checking the referrer enough to protect against a cross site request forgery attack? I know the referrer can be spoofed, but is there any way for the attacker to do that FOR the client? I know tokens are the norm, but would this work? ...
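Added example for the two questions above (POST plus a JSON Content-Type, and Referer checking). It is not code from either post; the host names, the header policy for a missing Referer, and the sample requests are assumptions. The request is represented as a plain dict of headers so the checks run offline. The Content-Type check encodes the rule the first question relies on: an HTML form can only produce a CORS-safelisted encoding, and a cross-origin `fetch()` with any other Content-Type triggers a preflight the server can refuse.

```python
"""Two server-side cross-site request checks, written against a dict of
request headers.  Example code, not from any of the quoted posts."""
from urllib.parse import urlsplit

# Assumption: the application's own host(s).  Compare parsed host names,
# never string prefixes, so "app.example.attacker.example" is rejected.
ALLOWED_HOSTS = {"app.example"}

# Content-Type values a cross-origin request may carry without a CORS
# preflight (the "CORS-safelisted" set).  These are also the only encodings
# an HTML <form> can produce.  application/json is deliberately not here.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def request_host(url):
    """Host name of a URL, or None if it cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def origin_check(headers, allow_missing=False):
    """Return (ok, reason) for the Origin / Referer check.

    The browser sets both headers itself; a page on another site cannot
    choose what the victim's browser sends.  Origin takes precedence because
    it carries no path and is less often stripped.  When neither header is
    present the caller decides the policy: privacy extensions and some
    proxies strip Referer, so rejecting here means breaking those users.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    origin = lower.get("origin")
    if origin is not None:
        return request_host(origin) in ALLOWED_HOSTS, "origin"
    referer = lower.get("referer")
    if referer is not None:
        return request_host(referer) in ALLOWED_HOSTS, "referer"
    return allow_missing, "no origin or referer header"


def is_form_forgeable(method, content_type):
    """True if a plain HTML form (or a preflight-free cross-origin request)
    could have produced a request with this method and Content-Type.

    Parameters such as ";charset=utf-8" are ignored: only the media type
    decides.  A server that relies on this must compare the media type
    exactly, since a form with enctype="text/plain" can send a body that
    merely looks like JSON.
    """
    if method.upper() not in ("GET", "HEAD", "POST"):
        return False
    if content_type is None:
        return True  # e.g. a GET from a link or an <img> tag
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in FORM_CONTENT_TYPES


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ({"Origin": "https://app.example"}, "POST", "application/json"),
        ({"Origin": "https://attacker.example"}, "POST", "application/x-www-form-urlencoded"),
        ({"Referer": "https://app.example.attacker.example/"}, "POST", "text/plain"),
        ({}, "POST", "application/json"),
    ]
    for headers, method, ctype in samples:
        ok, why = origin_check(headers)
        print(f"{headers!r:55} origin_ok={ok!s:5} ({why}); "
              f"forgeable_by_form={is_form_forgeable(method, ctype)}")
```

The two checks answer different questions and are meant to be layered: `origin_check` says where the browser believes the request came from, and `is_form_forgeable` says whether a forged request of this shape could have been sent without the browser asking permission first. Neither replaces a per-session token when one is available.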

Tons of false positives from Django's CSRF middleware?

I'm getting tons of false positives from Django's contrib CSRF middleware. Just from normal use of the site there will be a lot of cases where the CSRF just starts blocking requests as suspected forgery attacks. Does anyone else have issues like this? I'm using the SVN branch of Django so I have the latest version of the CSRF middleware...

securing sessions

I know SO isn't traditionally used this way (or maybe it is), but I've been learning about webapp security and was thinking it would be nice and encouraging to hear from SO experts what they think of this article (I'm reading it now, it's on session security). http://carsonified.com/blog/dev/how-to-create-bulletproof-sessions/ Maybe w...

How to prevent form replay/man-in-the-middle attack in PHP, csrf, xsrf

I have a web form and I'm using PHP. I'm aware that forms can be manipulated (I believe it's called a replay attack or a man-in-the-middle attack). So I'd like to use some authenticity token as a hidden field. The threat possibilities that I'm aware of are: Attacker hijacks the legitimate user's form (this I believe is the man-in-the-m...

CakePHP and CSRF

I'm new to CakePHP and am wondering how to protect my forms from Cross Site Request Forgery, i.e. adding a nonce to the forms. I've set the salt in the config file. ...

How can I protect users from cross-site request forgeries using the Zend Framework?

My program uses Zend Framework, and I wanted to protect users from CSRF using Zend_Form_Element_Hash. But it doesn't seem to work. For example, my code for the Logout Form is $exithash = new Zend_Form_Element_Hash('hihacker', array('salt' => 'exitsalt')); $this->addElement($exithash); In my Auth plugin for Controller I do $e...

How to use Zend_Form_Element_Hash?

When I try to use Zend_Form_Element_Hash, it regenerates a hash every request. In my code: // form $this->addElement('hash', 'hihacker', array('salt' => 'thesal')); Then, dumping $_SESSION, I see a new value on each page reload. When I send a form it reports an error "The token '28a5e0e2a50a3d4afaa654468fd29420' does not match th...

Is there a way to create an exception in django 1.0 csrf protection?

I know there is in the development version of Django, but I don't see this in Django 1.0. I took a look at the code and such an exception is definitely not built in. I need to have this ability as I can't add the CSRF middleware token to a third party Flash app I am using which needs to make a POST request back to Django. :( Anyone have...

Django CSRF framework cannot be disabled and is breaking my site

The Django CSRF middleware can't be disabled. I've commented it out from the middleware of my project but my logins are failing due to missing CSRF issues. I'm working from the Django trunk. How can CSRF cause issues if it is not enabled in middleware? I have to disable it because there are lots of POST requests on my site that CSRF j...

Django CSRF Framework having many failures

I'm getting many failures from the CSRF Django middleware on my site (the version from SVN trunk). The only errors I get are: CSRF failure: reason=CSRF token missing or incorrect. How could I diagnose where these CSRF errors are coming from? I can't cause the CSRF errors myself, but I set up the site to email me whenever the CSRF error...

dotnetopenauth token? Is it required?

Hi, I've implemented an OpenID login system on my site and it works OK, but when I compare what is sent to the OpenID provider and back, it is different from what is sent by stackoverflow.com, for example, which sends an s parameter and a token parameter? Are these parameters custom parameters sent by stackoverflow, or can dotnetopenid send them but y...

Completely disable Django's CSRF protection in SVN Trunk

I've spent a few hours in frustration, trying to disable the CSRF which Django now tries to force on me, to no avail. Has anyone else tried this with more success? I'm fine with anything that works, except for a source patch (but monkeypatches are okay). ...

Does AntiForgeryToken in ASP.NET MVC protect against all CSRF attacks?

Using AntiForgeryToken requires each request to pass a valid token, so malicious web pages with a simple script posting data to my web application won't succeed. But what if a malicious script will first make some simple GET request (by Ajax) in order to download the page containing the antiforgery token in a hidden input field, extracts...

CSRF token generation

This is a question about generating CSRF tokens. Usually I'd like to generate a token based off of a unique piece of data associated with the user's session, and hashed and salted with a secret key. My question is in regards to generating tokens when there is NO unique user data to use. No sessions are available, cookies are not an opt...

Django CSRF problems with cookies disabled

Hi there, while testing an application I've written in Django, I've found that I'm being thrown an HTTP 403 Forbidden error every time I submit a form. I am aware that the CSRF middleware checks for a cookie with the CSRF token - but what should my approach be given a user that has cookies disabled? Do I need to be checking whether the use...

Rails, OAuth, and CSRF protection

I am using REST and OAuth to talk to a Rails app (from an iPhone app, but that should not be relevant). However, I am running into some issues with Rails' CSRF protection (via protects_from_forgery). I understand that CSRF protection only kicks in for regular form submissions (i.e. Content-Type=application/x-www-form-urlencoded), so I w...

Is there a reason to put tokens on a search form?

Let me first tell that I understand the concept of CSRF attacks. Now I wonder, are there benefits to placing tokens on a search form? I can't really think of anything myself. ...

How can you use Rails AuthenticityToken infrastructure to explicitly protect a GET action

Rails AuthenticityToken automatically protects POST/PUT/DELETE requests from CSRF attacks. But I have another use case in mind. I am showing a video on my site that I don't want to be embeddable on other sites. How this works is that my flash player sends a request for a signed URL from my CDN that expires in a few seconds. Up until ...
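Added example, not code from either post: a stateless, signed, short-lived action token. It serves both the earlier "CSRF token generation" question (no session, no cookie to bind a token to) and the question just above (a GET that hands out a signed, quickly expiring URL), using one routine. The secret, the action names, the lifetimes and the sample flow are assumptions; the mechanism is HMAC-SHA256 over the action name, an expiry and a per-token nonce.

```python
"""Stateless signed action token: base64(action|expiry|nonce) . base64(HMAC).
Example code, not from the posts above."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Assumption: in a real deployment this comes from configuration, not a
# fresh random value per process (tokens must survive restarts and be
# verifiable by every worker).
SECRET = secrets.token_bytes(32)


def b64url(raw):
    """URL-safe base64 without padding, so the token can ride in a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(secret, payload):
    return hmac.new(secret, payload, hashlib.sha256).digest()


def make_token(action, ttl_seconds, secret=SECRET, now=None):
    """Issue a token for one action that expires ttl_seconds from now.

    Bind the token to what you can: the action name here, and if a user id
    is known, fold it into `action` (e.g. "logout:42") so one user's token
    does not verify for another.  `action` must not contain "|".  The nonce
    makes each token unique but, with no server-side state, does not by
    itself prevent reuse inside the lifetime.
    """
    issued = time.time() if now is None else now
    expiry = int(issued + ttl_seconds)
    nonce = b64url(secrets.token_bytes(8))
    payload = f"{action}|{expiry}|{nonce}".encode("utf-8")
    return b64url(payload) + "." + b64url(sign(secret, payload))


def verify_token(token, action, secret=SECRET, now=None):
    """Return (ok, reason).  The signature is checked first, in constant
    time, before anything inside the payload is trusted."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = unb64url(payload_b64), unb64url(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    if not hmac.compare_digest(sig, sign(secret, payload)):
        return False, "bad signature"
    try:
        token_action, expiry_text, _nonce = payload.decode("utf-8").split("|")
        expiry = int(expiry_text)
    except ValueError:
        return False, "malformed payload"
    if token_action != action:
        return False, "wrong action"
    if (time.time() if now is None else now) > expiry:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Signed-URL style flow (constructed): the player page embeds a 5-second
    # token for "play-video"; the endpoint that mints the CDN URL checks it.
    token = make_token("play-video", ttl_seconds=5)
    print("fresh:   ", verify_token(token, "play-video"))
    print("other:   ", verify_token(token, "delete-account"))
    print("tampered:", verify_token(token[:-4] + "xxxx", "play-video"))
    print("expired: ", verify_token(token, "play-video", now=time.time() + 10))
```

Without a session the token proves only that this server issued it for this action within the last few seconds, which is what the expiring-URL case needs and is a weaker guarantee than a per-session synchronizer token. If a single use is required, the server has to remember consumed nonces until their expiry, which reintroduces state.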

Django Error: Cannot Import csrf.py

Hello everyone, my Django app started breaking all of a sudden and I cannot understand why. I can't even get it to run now. I'm running revision 11798. When I use the stand-alone server to test my app, it suddenly started not importing csrf. I previously had it working perfectly. I tried to see what was up by using the shell and here ...