How does the token prevent CSRF attacks?

The attacker can't use JavaScript to read the token from the site, because it would be a cross-origin request and access to the data from it is blocked (by default) by the Same Origin Policy (MDN, W3C). Take this for example: var xhr = new XMLHttpRequest(); xhr.open("GET", "http://google.com"); xhr.addEventListener('load', function (ev) { console.log(this.responseText); }); xhr.send(); …

Unit testing controllers with CSRF protection enabled in Spring security

The way to solve this issue is: import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.*; … @Test public void testLogin() throws Exception { this.mockMvc.perform(post("/login") .param("username", "…") .param("password", "…") .with(csrf())) .andExpect(status().isFound()) .andExpect(header().string("Location", "redirect-url-on-success-login")); } The important part is: .with(csrf()), which will add the expected _csrf parameter to the query. The csrf() static method is provided by spring-security-test: <dependency> …

RequestVerificationToken does not match

I've had and resolved several issues with ValidateAntiForgeryToken lately, so I'll share my findings with you. Salt: Since you mention this only happens on a single page, my best guess is that you are using different salt values in your Html.AntiForgeryToken(salt) and ValidateAntiForgeryToken(salt) calls. AJAX: as another answer has said, using AJAX may …

How do you include a CSRF token when testing a POST endpoint in Django?

Actually, Django doesn't enforce (by default) CSRF checking with tests, as per https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#testing: The CsrfViewMiddleware will usually be a big hindrance to testing view functions, due to the need for the CSRF token which must be sent with every POST request. For this reason, Django's HTTP client for tests has been modified to set a …

Rails: How to implement protect_from_forgery in Rails API mode

Here's what the issue was: Rails 5, when in API mode, logically doesn't include the Cookie middleware. Without it, there's no Session key stored in a Cookie to be used when validating the token I passed with my form. Somewhat confusingly, changing things in config/initializers/session_store.rb had no effect. I eventually found the answer to that …

Angular 6 does not add X-XSRF-TOKEN header to http request

The problem once again is Angular's poor documentation. The fact is, Angular will add the X-XSRF-TOKEN header only if the XSRF-TOKEN cookie was generated server-side with the following options: Path = /; httpOnly = false (this is very important, and fully undocumented). Besides, the Angular app and the URL being called must reside on the …
