Questions tagged [csrf]

Cross Site Request Forgery is a malicious attack to exploit a website's trust in a user's browser.

Cross Site Request Forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced "sea-surf") or XSRF, is a malicious attack that exploits a website's trust in a user's browser. The attacker tries to get the user's own web browser (or web application) to execute unwanted commands.

It can be shortened to CSRF or XSRF.

Prevention

History

CSRF vulnerabilities have been known and in some cases exploited since 2001. Because it is carried out from the user's IP address, some website logs might not have evidence of CSRF.

4162 questions
693 votes, 5 answers

What is a CSRF token? What is its importance and how does it work?

I am writing an application (Django, it so happens) and I just want an idea of what actually a "CSRF token" is and how it protects the data. Is the post data not safe if you do not use CSRF tokens?
Shawn
338 votes, 4 answers

Why is it common to put CSRF prevention tokens in cookies?

I'm trying to understand the whole issue with CSRF and appropriate ways to prevent it. (Resources I've read, understand, and agree with: OWASP CSRF Prevention Cheat Sheet, Questions about CSRF.) As I understand it, the vulnerability around CSRF is…
metamatt
242 votes, 17 answers

WARNING: Can't verify CSRF token authenticity rails

I am sending data from view to controller with AJAX and I got this error: WARNING: Can't verify CSRF token authenticity. I think I have to send this token with the data. Does anyone know how I can do this? Edit: My solution. I did this by putting the…
kbaccouche
210 votes, 20 answers

jQuery Ajax calls and the Html.AntiForgeryToken()

I have implemented in my app the mitigation to CSRF attacks following the information that I have read in some blog posts around the internet. In particular, these posts have been the driver of my implementation: Best Practices for ASP.NET MVC from…
Lorenzo
196 votes, 22 answers

Django CSRF check failing with an Ajax POST request

I could use some help complying with Django's CSRF protection mechanism via my AJAX post. I've followed the directions here: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/ I've copied the AJAX sample code they have on that page…
firebush
193 votes, 6 answers

Where to store JWT in browser? How to protect against CSRF?

I know cookie-based authentication. SSL and HttpOnly flag can be applied to protect cookie-based authentication from MITM and XSS. However, more special measures will be needed to apply in order to protect it from CSRF. They are just a bit…
Timespace7
184 votes, 11 answers

include antiforgerytoken in ajax post ASP.NET MVC

I am having trouble with the AntiForgeryToken with ajax. I'm using ASP.NET MVC 3. I tried the solution in jQuery Ajax calls and the Html.AntiForgeryToken(). Using that solution, the token is now being passed: var data = { ... } // with token, key is…
OJ Raqueño
175 votes, 5 answers

Do login forms need tokens against CSRF attacks?

From what I've learned so far, the purpose of tokens is to prevent an attacker from forging a form submission. For example, if a website had a form that input added items to your shopping cart, and an attacker could spam your shopping cart with…
php_learner
160 votes, 3 answers

Cross Domain Form POSTing

I've seen articles and posts all over (including SO) on this topic, and the prevailing commentary is that same-origin policy prevents a form POST across domains. The only place I've seen someone suggest that same-origin policy does not apply to…
Brent Arias
133 votes, 14 answers

Django Rest Framework remove csrf

I know that there are answers regarding Django Rest Framework, but I couldn't find a solution to my problem. I have an application which has authentication and some functionality. I added a new app to it, which uses Django Rest Framework. I want to…
Irene Texas
131 votes, 2 answers

CSRF Token necessary when using Stateless(= Sessionless) Authentication?

Is it necessary to use CSRF Protection when the application relies on stateless authentication (using something like HMAC)? Example: We've got a single page app (otherwise we have to append the token on each link:
130 votes, 8 answers

Rails CSRF Protection + Angular.js: protect_from_forgery makes me log out on POST

If the protect_from_forgery option is mentioned in application_controller, then I can log in and perform any GET requests, but on very first POST request Rails resets the session, which logs me out. I turned the protect_from_forgery option off…
Paul
119 votes, 3 answers

CSRF protection with CORS Origin header vs. CSRF token

This question is about protecting against Cross Site Request Forgery attacks only. It is specifically about: Is protection via the Origin header (CORS) as good as the protection via a CSRF token? Example: Alice is logged in (using a cookie) with…
Chris Lercher
114 votes, 20 answers

"The page has expired due to inactivity" - Laravel 5.5

My register page is showing the form properly with the CsrfToken ({{ csrf_field() }}) present in the form. Form HTML:
{{ csrf_field() }} …
Sougata Bose
106 votes, 4 answers

How to properly add cross-site request forgery (CSRF) token using PHP

I am trying to add some security to the forms on my website. One of the forms uses AJAX and the other is a straightforward "contact us" form. I'm trying to add a CSRF token. The problem I'm having is that the token is only showing up in the HTML…
Ken