csrf
CSRF protection: do we have to generate a token for every form?
In general, it suffices to have just one token per session, a so-called per-session token: In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires. If you …
anti-CSRF token and Javascript
There are several techniques which, when used together, provide sufficient CSRF protection. Unique Token: A single, session-specific token is good enough for most applications. Just make sure that your site doesn't have any XSS vulnerabilities, otherwise any kind of token technique you employ is a waste. An AJAX call to regenerate the token is a …
Example of silently submitting a POST FORM (CSRF)
One solution would be to open the form's action in a frame like an iframe: <iframe style="display:none" name="csrf-frame"></iframe> <form method="POST" action="http://vulnerablesite.com/form.php" target="csrf-frame" id="csrf-form"> <input type="hidden" name="criticaltoggle" value="true"> <input type="submit" value="submit"> </form> <script>document.getElementById("csrf-form").submit()</script>
Jquery and Django CSRF Token
You are not passing the CSRF token with the POST. Try doing what I have done in data, that is, fetch the CSRF token (or use your own method) and pass it in your arguments. $.ajax({ url : url, type: "POST", data : {csrfmiddlewaretoken: document.getElementsByName('csrfmiddlewaretoken')[0].value}, dataType : "json", success: function( data ){ // do something } …
Having a POST’able API and Django’s CSRF Middleware
How about just splitting off a view(s) for your desktop client and decorating them with csrf_exempt?
codeigniter CSRF error: “The action you have requested is not allowed.”
The problem is solved by this solution: set $config['cookie_secure'] in the config file to FALSE if you're using HTTP.
How to csrf_token protection in jinja2 template engine?
It seems Jinja2 works differently: use <input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}"> where in Django templates you would use {% csrf_token %}. Source: http://exyr.org/2010/Jinja-in-Django/
Rails 4 skipping protect_from_forgery for API actions
An attacker could CURL at your controllers all they like, but if your API requires authentication, they won't get anywhere. Making the API consumers send a CSRF token is not really what CSRF does. To do this you'd need to implement a type of knocking mechanism where your client hits an authorization endpoint first to get …