I have many Ajax.ActionLinks on my ASP.NET MVC (v1) page that perform destructive operations. This is "legal" because I set HttpMethod to DELETE in this case so it's not a destructive GET.
My question though is how to mitigate XSRF attacks on this operation so that other sites cannot craft this same Ajax DELETE request to delete use...
Is Cross-Site Request Forgery possible against a stateless RESTful service?
I'm not talking about pseudo-REST where the server remembers that you're logged in via a cookie. I'm talking about pure no-application-state-on-the-server REST with no cookies.
I'm using SSL and Basic Authentication. For every request, that Authorization head...
My ASP.NET MVC application prevents CSRF attacks by using the ValidateAntiForgeryToken attribute and calling Html.AntiForgeryToken to write a hidden input element with the token value, and also place the token in the cookie.
My exception log is reporting occurrences of HttpAntiForgeryException that look like they were triggered from vali...
Is there a way to restrict what an iframe is allowed to do in the parent? What I am looking for is a security model surrounding Javascript that looks something like:
...
<script type="text/javascript" src="jquery-1.3.2.min.js"></script>
<script type="text/javascript">
function AllowedToAccess()
{
}
function NotAllowedToAccess()
{
}
</...
to prevent CSRF attacks, a random CSRF
secret has been generated.
The above is from symfony:
http://www.symfony-project.org/getting-started/1_4/en/04-Project-Setup
Since it's finally operated by users, which is so called deputy attack. How can it work by setting that secret?
...
Hi! I've a problem with Django CSRF middleware...
when I use the template tag csrf_token I get this output:
<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='6bda3605af31dd8595d2a67d0dda827b' /></div>
but I want this output (HTML, not XHTML):
<div style='display:none'><input type='hidden' name='csrfmiddle...
From ha.ckers.org/xss.html:
IMG Embedded commands - this works
when the webpage where this is
injected (like a web-board) is behind
password protection and that password
protection works with other commands
on the same domain. This can be used
to delete users, add users (if the
user who visits the page is an
administr...
I’m having problems with the AntiForgeryToken in ASP.Net MVC. If I do an iisreset on my web server and a user continues with their session they get bounced to a login page. Not terrible but then the AntiForgery token blows up and the only way to get going again is to blow away the cookie on the browser.
With the beta version of versio...
Hi,
I'm trying to submit a form using jQuery in symfony 1.4, but a CSRF attack detected error pops up each time. This is the code I use to submit the form data:
$.ajax({
type: 'post',
cache: false,
url: $('#assign-form form').attr('action'),
data: (
'activity[id]=' + $('#activity_id').val() +
'&act...
I was thinking about this and it appears POST is only a little less vulnerable and somewhat harder (due to requiring the user to click something).
I read about token ids and double submitted cookies and I am not sure what the difference is
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosur...
To protect against CSRF you should put a nonce in a hidden field in the form, and in a cookie or in the session variable. But what if the user opens several pages in different tabs? In this case each tab would have a form with a unique nonce, but there would be only one nonce stored in the session variable or cookie. Or if you try to sto...
In an application I make I'm getting lots of these messages:
A ActionController::InvalidAuthenticityToken occurred in items#vote_up:
ActionController::InvalidAuthenticityToken
/var/lib/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/request_forgery_protection.rb:79:in `verify_authenticity_token'
which I suspect it's happening...
I'm interested in hearing what approaches people have taken when building a RESTful (or quasi-RESTful) API for their web applications.
A practical example:
Say you have a traditional browser-based web application which uses CSRF protection on all forms. A hidden input with a CSRF protection token is included in each form presented in ...
What is the best way of creating functional tests to test forms with CSRF protection enabled in Symfony?
Currently I have to add the following code before each form submission:
$form = new sfGuardFormSignin();
$token = $form->getCSRFToken();
$token_name = $form->getCSRFFieldName();
Then I add the $token and $token_name to form ...
Hi,
I am struggling with the CSRF token in a simple POST form in Django. The template generates the following CSRF output instead of outputting the value of the token:
<input type='hidden' name='csrfmiddlewaretoken' value='{'csrf_token':django.utils.functional.__proxy__ object at 0x1255690>}' />
I am using {% csrf_token %} in the ...
I've just seen Doctype's episode on CSRF.
In it they say that the best prevention for CSRF is to create a token from some user unique data (e.g. hash a session ID) and then POST that along with your request.
Would it be less secure to generate a difficult to guess value (e.g. GUID) and store that as a session variable and put it into t...
The page I'm building depends heavily on AJAX. Basically, there is just one "page" and every data transfer is handled via AJAX. Since overoptimistic caching on the browser side leads to strange problems (data not reloaded), I have to perform all requests (also reads) using POST - that forces a reload.
Now I want to prevent the page agai...
If my Ajax requests set a X-Requested-With header, can I just skip the CSRF check if this header is present? Can I be sure it cannot be forged (with the user session)?
...
Cross Site Request Forgery (CSRF) is typically prevented with one of the following methods:
Check referer - RESTful but unreliable
insert token into form and store the token in the server session - not really RESTful
cryptic one time URIs - not RESTful for the same reason as tokens
send password manually for this request (not the cached ...
I'm probably being a total noob here, but I'm still uncertain about what a CSRF (Cross-Site Request Forgery) attack is exactly. So let's look at three situations...
1) I have a POST form that I use to edit data on my site. I want this data to be edited only by users that are logged in.
2) I have a site, which can be used by both users w...