csrf

Django with custom authentication backends, is Csrf middleware really required ?

Hello, Under Django 1.1.1, I am using several authentication backends such as social-registration for facebook connect and django-emailauth for email based authentication instead of user names. I am curious if the Csrf middleware is an essential security measure as it seems like it sometimes generates problems, especially with facebook ...

Having a POST'able API and Django's CSRF Middleware

I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST'ed get a 403. I understand why this is happening, but what is the proper way to fix this without compromising...

Django - How to do CSFR on public pages? Or, better yet, how should it be used period?

After reading this: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-to-use-it I came to the conclusion that it is not valid to use this except for when you trust the person who is using the page which enlists it. Is this correct? I guess I don't really understand when it's safe to use this because of this statement: This...

where should we place HIDDEN variable in JSP

I need to use hidden variables in my JSP for session tracking. This is the code: <input type="hidden" name="REQ_TOKEN" value="<%=session.getAttribute("SESN_TOKEN").toString()%>" /> I am using this to compare the request token with session token, so only when both are equal I will evaluate that request otherwise I will throw an error. ...

What XSS/CSRF attacks (if any) to be aware of when allowing video embeds?

I've been assigned a project for a website where users will be allowed to upload video's (using a YouTube API) but more importantly (for me) they will also be allowed to submit video embed codes (from numerous video sites, YouTube, Vimeo, etc. etc.). Having no experience with allowing users to embed video: How can I best protect against...

Make CSRF middleware work in Django's 404 error pages

I put a login box alone with a keyword search box in 404.html in a Django project so in case a 404 error is raised, visitors get more options to jump to other parts. But the CSRF middleware doesn't work in 404 error page with no csrf token rendered. I tried move 'django.middleware.csrf.CsrfViewMiddleware' to first of MIDDLEWARE_CLASSES ...

How to use Zend Framework Form Hash (token) with AJAX

I have included Zend_Form_Element_Hash into a form multiplecheckbox form. I have jQuery set to fire off an AJAX request when a checkbox is clicked, I pass the token with this AJAX request. The first AJAX request works great, but the subsequent ones fail. I suspect it may be once the token has been validated it is then removed from the ...

Does anyone see any downsides of doing the following to prevent CSRF?

I'm wondering if the following method will completely prevent CSRF, and be compatible with all users. Here it is: In the form just include an extra parameter that is: encrypted(user's userID + request time). Server-side just decrypt and make sure it's the right userID and the request time was reasonably recent. Aside from someone sni...

JSF view id as request tokens

I read somewhere the view ids used by JSF framework have a happy side effect of acting as request tokens and thus foiling CSRF. Can someone please tell me if this means I dont have to do anything from a programming point of view (ie). As a programmer, if I use JSF I dont have to worry about CSRF? ...

CSRF (Cross-site request forgery) attack example and prevention in PHP

I have an website where people can place a vote like this: http://mysite.com/vote/25 This will place a vote on item 25. I want to only make this available for registered users, and only if they want to do this. Now I know when someone is busy on the website, and someone gives them a link like this: http://mysite.com/vote/30 then th...

HtmlUnit to login (post form) to csrf enable website

I am posting a form using HTMLUnit webClient by putting the username and password but it could not logging me in. When i research then found out that they have enable csrf on post request so native web browser is required. Is there any way to login (post form) in csrf enable website using HTMLUnit or any other tool in Java or it is impos...

Is Rails default CSRF protection insecure

By default the form post CSRF protection in Rails creates an authenticity token for a user that only changes when the user's session changes. One of our customers did a security audit of our site and flagged that as an issue. The auditor's statement was that if we also had a XSS vulnerability that an attacker could grab another user's a...

client generated double submit cookie, cross site request forgery prevention

in a double-submitted cookie csrf prevention scheme, is it necessary for the server to provide the cookie? it seems i could have javascript on the clients page generate and set a cookie "anti_csrf", then double submit that (once as a cookie, done by the browser, and once in the body of the request). a foreign domain would not be able t...

Cross-site request forgery protections: Where do I put all these lines?

Hello, I was looking for a python code that would be able to log in from "Google App Engine" to some of my accounts on some websites (like yahoo or eBay) and was given this code: import urllib, urllib2, cookielib url = "https://login.yahoo.com/config/login?" form_data = {'login' : 'my-login-here', 'passwd' : 'my-password-here'} jar =...

Symfony 1.4: Custom error message for CSRF in forms

Hi, Can anyone tell me where/how to customise the CSRF token error message for forms in Symfony 1.4. I'm using sfDoctrineGuard for logins and in this form particularly, whenever a session runs out and you still have the page open, it throws a very user-unfriendly error: "CSRF attack detected". Something like "This session has expired. P...

How do you protect against specific CSRF attack

I am going trough the OWASP Top 10 list of 2007 and 2010. I stumbled upon Cross Site Request Forgery (CSRF) this is often called session riding as you let the user usee his session to fulfill your wishes. Now a solution to this is adding a token to every url and this token is checked for every link. For example to vote on product x th...

Understanding CSRF - Simple Question

I know this might make me seem like an idiot, I've read everything there is to read about CSRF and I still don't understand how using a 'challenge token' would add any sort of prevention. Please help me clarify the basic concept, none of the articles and posts here on SO I read seemed to really explicitly state what value you're comparin...

GWT RPC - Does it do enough to protect against CSRF ?

GWT's RPC mechanism does the following things on every HTTP Request - Sets two custom request headers - X-GWT-Permutation and X-GWT-Module-Base Sets the content-type as text/x-gwt-rpc; charset=utf-8 The HTTP request is always a POST, and on server side GET methods throw an exception (method not supported). Also, if these headers a...

PHP - CSRF - How to make it works in all tabs?

Hi there, I have readed about how to prevent CSRF-attacks in the last days. I am going to update the token in every pageload, save the token in the session and make a check when submitting a form. But what if the user has, lets say 3 tabs open with my website, and I just store the last token in the session? This will overwrite the toke...

why it is good idea to disable REFRESH in web application(for security purposes)

Hi, we are doing XSRF fixes for our code. we are using the session token to request token comparison method to achieve this. in case when session token is not equal to request token we will be redirecting to error page. Problem:Once we are in Main Menu page, if the user "refresh" the page, it is throwing XSRF issue. Reason: As there won...