Hello, I'm interested in learning how to prevent Cross-site request forgeries (CSRF) in my ColdFusion 9 application. I found a few tutorials online but none seem to be comprehensive. The best I've found is: http://www.mollerus.net/tom/blog/2009/01/an_easy_block_for_crosssite_request_forgeries_csrf.html
But that's not an incredibly compreh...
Hello,
I have just installed sfGuardPlugin to manage my users. But since I tried to customize the signin page, I get the error "csrf token : required". And I can't find where the error comes from; I think I didn't change anything other than the template.
My signin form :
<?php use_helper('I18N') ?>
<span id='message'>Vous devez vous co...
I made a website using the famous symfony framework. I wanted to add a rich editing feature to it, and I found the TinyMCE editor. But then a problem came up: what if the user embeds some JavaScript code into the content, such as alert('hello world')?
I tested wordpress, which is a very famous blog software. It faces the same problem. example...
Hi,
I am starting to have a look at HTML form security. So far my research revealed three main attack vectors:
Cross-site request forgery (CSRF)
Cross-site scripting (XSS)
SQL Injection
My question is: Are there more attack vectors for HTML forms than these? I am interested in a list of possible attacks through HTML forms.
...
I have two webapps. One is serving content to the other over XHR/REST calls. One is in Tomcat 7 (with CSRF protection), and the other is in Spring's tcServer 6 (Tomcat 6.x). The servers and webapps are set up as follows:
Tomcat 7 with CSRF on port 8081; webapp communicates with other apps via REST
Tomcat 6 on port 8080; webapp calls ...
Email providers like Gmail, Yahoo and Hotmail do not load images in the email directly. These services require you to allow the images to be loaded. Why do they do this? Is it to prevent XSS/CSRF?
...
I'm trying to protect an application (php and lots of JS) from CSRF.
I want to use tokens.
A lot of operations are done with AJAX, so I have to pass the token in Javascript.
If I want to generate 1 token per session or per page load it's simple - I generate new token, put it somewhere in a DOM and then find it with Javascript and send ...
I am running Django 1.2.2 and I get the following error when I try to log in to the Django admin:
Forbidden (403) CSRF verification
failed. Request aborted.
Reason given for failure:
No CSRF or session cookie.
** I have made NO customization to the barebones admin and when I inspect the source there is a CSRF token in t...
I have a site which will show sensitive information. I am using Anti Forgery Tokens etc to protect against XSRF in POSTS. However I am worried about someone being able to view sensitive info from a GET. What is the recommended practice for protecting read only data sent via a GET in .Net MVC 2?
...
I have a Flash based game for the browser which sends users' scores to a php backend script which stores the score and the user id in the database.
Now I have a url like www.example.com/update.php?score=200&uid=234
The problem is that this is very much exposed to an intelligent user, and he can use this url to store whatever score he w...
I have been investigating this for some time, but I haven't found anything to satisfy my curiosity. Is it possible, as a user, to be the victim of a CSRF attack if cookies are disabled? Obviously CSRF depends on the user's browser to send the user's credentials with the forged request to the legitimate server. Besides IP addresses, bro...
When generating a hash for a form token, I've seen a few different versions:
$hash = new Zend_Form_Element_Hash('hihacker', array('salt' => 'exitsalt'));
and
$hash = new Zend_Form_Element_Hash('hash', 'no_csrf_foo', array('salt' => 'unique'));
First of all, does the salt have to be unique for each form render? The second one sugge...
I recently upgraded to Django 1.2.3 and my upload forms are now broken. Whenever I attempt to upload, I receive a "CSRF verification failed. Request aborted." error message.
After reading Django's documentation on this subject, it states that I need to add the {% csrf_token %} template tag within the HTML <form> in my template. Unfortun...
I have a problem with CSRF validation failing on iframes in IE.
I've learned I can fix it if I had access to the parent page server
by adding certain headers to my headers, according to the post http://stackoverflow.com/questions/389456/cookie-blocked-not-saved-in-iframe-in-internet-explorer, but I have no access to the parent page (third party...
I am new to the security of web apps. I am developing an application in CakePHP, and one of my friends told me about the Cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks etc.; I'm not sure how many more there are.
I need some help in understanding how to make CakePHP defend my web app against these. We are low budget and w...
I'm trying to do an AJAX file upload using Django. I am trying to make this example work:
http://www.johnberns.com/2010/07/08/using-valums-jquery-ajax-upload-with-django-1-2/
But strangely I keep getting "None" for my csrf token and even more strange is that I am doing the POST call sending the file but all I get on the server is just th...
Using the manager application to deploy a war file used to work for me but now consistently fails with "FAIL: Nonce mismatch. Command "/upload" was ignored."
I understand that the nonce is generated, stored in my session and used to validate the request. I have tried removing cookies, closing the browser (Firefox) and logging in and re...
I have a user on website A and I need to log him in to website B (not under my control), but without jeopardizing his password on website B. Website B doesn't have an API, which is what's making this more complicated than it should be.
My first option is to render my own form on website A, user enters his website B password into my form, and I...
I have a simple form I want users to be able to log into; here is the template code with the CSRF tag in it:
<html>
<head><title>My Site</title></head>
<body>
<form action="" method="post">{% csrf_token %}
<label for="username">User name:</label>
<input type="text" name="username" value="" id="username">
<la...
Hi all,
I have tested a JSF application with the CSRFTester tool, and the tool didn't report any CSRF problems. But I had read in "OWASP_Top_10_2007_for_JEE.pdf" that all Java EE web application frameworks are vulnerable to CSRF, and some also say we need to create a secret key for each session and append it to the URL. By doing thi...