All Questions
699 questions
0 votes, 0 answers, 41 views
CSRF Token enabled in Keycloak by default?
We ran DAST and VAPT on Keycloak, the report says CSRF not implemented. We don't find CSRF token in headers and in request. The question is if this enabled where we can find CSRF Token, if not how to ...
0 votes, 1 answer, 37 views
OAuth2. How does the server understand 'state' belongs to a valid public client?
I am trying to understand how exactly state benefits Oauth flow by preventing CSRF. I just don't understand what the client server is comparing the state in the URL to. I have seen such an example:
...
0 votes, 0 answers, 78 views
Store a CSRF token in a cookie
Well, I'm learning about CSRF protection for my Angular - Spring Boot app.
Now, I've been reading about this in the Angular documentation and it says
HttpClient supports a common mechanism used to prevent ...
0 votes, 2 answers, 133 views
How to set up CORS and RequestMatchers to avoid getting 403 forbidden in SpringBoot 3.3
I created a very simple SpringBoot app (pretty much a CRUD) and added JWT auth for users. The requests are all tested with postman and are working fine and interacting with the db without in cloud ...
0 votes, 0 answers, 47 views
CSRF token not validated for form with GET method
I'm trying to implement an anti-CSRF token in a dummy Flask app with 2 forms on the same page.
CSRF token validation is working for the POST form (route /change_password) but not for the update email form (route /...
0 votes, 0 answers, 260 views
Where to store the CSRF token in the frontend for a single page application?
I have a single page application that sends requests to a backend API after each user interaction (GET, POST....). For authentication, I use a cookie session that the API returns after the login to the ...
0 votes, 0 answers, 32 views
Does CORS completely eliminate CSRF attack for a MERN stack app that uses session-based auth?
My current setup: I have backend & frontend hosted on completely different domains. From backend I'm sending back an httpOnly cookie that contains session id. Frontend checks login status by ...
0 votes, 1 answer, 111 views
"An expected CSRF token cannot be found" Spring Boot 3.2.1 gateway + Spring Security 6.2.1
I am working on a basic microservices architecture system. Currently, I am trying to implement security on my gateway. However, when I try to send a POST via Postman to http://localhost:8765/api/auth/...
0 votes, 0 answers, 80 views
Does Clerk protect against CSRF for all form requests or just login/sign up?
We need clarification about CSRF security when using Clerk authentication with Next.js.
The Clerk docs seem to state that using Clerk grants CSRF protection as long as we're not mutating data on ...
0 votes, 1 answer, 399 views
How to do Anti-CSRF in .NET API and SPA solution using cookies as auth?
I have a .NET API and React SPA hosted on the same domain (api.domain.com and app.domain.com).
I am using same-site=strict, secure and httponly cookies for communication from the SPA to the API. I ...
2 votes, 0 answers, 32 views
Django @csrf_exempt a logging endpoint
I'm making a social media site where users click into posts, and every time they do so, I call an endpoint to log a view for that post. Would it be safe to csrf_exempt this endpoint that only fetches ...
0 votes, 1 answer, 304 views
How to properly validate CSRF Token in Yii2?
I use enableCsrfValidation in my main config
'components' => [
    'request' => [
        'enableCsrfValidation' => true,
        'enableCookieValidation' => true,
        ...
0 votes, 0 answers, 267 views
Invalid CSRF Token Because Chrome Blocks third-party cookies in Incognito mode
My front end uses React and is hosted by https://render.com/ with a domain purchased on SquareSpace. My backend is in Express.js and requires a CSRF token for verification in order to prevent CSRF. ...
0 votes, 1 answer, 824 views
Can we get the CSRF tokens from a website using the Chrome console?
As the CSRF tokens are stored in the frontend of a website, is it possible to access them using some script or are they human readable. Also, can a malicious script from an attacker access the CSRF ...
1 vote, 2 answers, 575 views
CSRF client side double submission token generation
I am looking into protecting a website from CSRF attacks. Although sensitive cookies already are tagged with same-site=lax, I would still like to implement CSRF tokens. More specifically the double ...
0 votes, 1 answer, 37 views
CSRF protection if form tag not present
We have a page with a bunch of radio input fields and a button. On click of the button, the value of the selected radio is added to window.location.href using JavaScript.
Do we need to apply any ...
0 votes, 0 answers, 14 views
Is CSRF protection required for extremely short-lived cookies?
I have an app with token-based authentication.
For a specific endpoint that serves a PDF file, it was ideal for me to authenticate via cookie.
So I created a cookie with a 1-second lifetime, just for ...
0 votes, 0 answers, 260 views
How is a CSRF token obtained by the client that was never sent in any response?
The CSRF token on the social media platform twitter.com / x.com is stored in a header called x-csrf-token and in a cookie called ct0.
However, it seems that this token is never sent to the client on ...
-1 votes, 1 answer, 305 views
Deprecated methods in Spring 6.1.1
I am trying to implement SecurityFilterChain and many methods have been deprecated such as cors(), and(), authorizeHttpRequests() and formLogin().
I am lost and I don't know how to fix my code:
@...
1 vote, 1 answer, 343 views
Leaking double submit cookie through form request before attack?
From what I understand, when a user visits a site, the site can give a double submit token as a cookie and as a form value. When the user submits a form, the site checks for the token in the form ...
0 votes, 1 answer, 456 views
Why does Spring Security's CsrfFilter's CsrfTokenRequestHandler.resolveCsrfTokenValue method always return 'null'?
I am configuring CSRF protection using Spring Security. However, I am encountering an issue where the resolveCsrfTokenValue method of CsrfFilter always returns null.
In the resolveCsrfTokenValue ...
0 votes, 0 answers, 263 views
If JWT and baseurl can be copied from the network tab, can't anyone access the information in Postman?
Let's say I have a React app and there is an API for login which sends a JWT token in the response. I log in and by using that token, an API is called to see all my bookings.
Now my confusion comes ...
0 votes, 1 answer, 3k views
How to enable CSRF protection in CodeIgniter 3 and use the `get_csrf_hash()` function?
I am trying to enable CSRF protection in my CodeIgniter 3 application. However, when I try to use the get_csrf_hash() function in my view file, it's not returning a value. How can I fix this issue?
...
1 vote, 1 answer, 306 views
Abusing a login form that doesn't have CSRF tokens?
I can't get my head round how a CSRF attack would work with a login form that doesn't use CSRF tokens.
This is how the process has been described to me:
The victim user logs in to a website that has ...
3 votes, 3 answers, 7k views
"An expected CSRF token cannot be found" using Spring Boot 3.0.5
I am using Spring Boot 3.0.5 along with Spring Security 6.
I am facing this issue when I am trying to call an endpoint to register an account into the application: An expected CSRF token cannot be ...
1 vote, 1 answer, 219 views
Symfony add CSRF token check for other pages
Official documentation (https://symfony.com/doc/current/security.html) of Symfony states, to use CSRF protection I should add
# config/packages/security.yaml
security:
    # ...
    firewalls:
        ...
1 vote, 4 answers, 2k views
Iframe a web app causes CSRF error only on Chrome but not on Firefox
I'm trying to show a third-party web page (with their approval) in an iframe. This site has a different domain to my parent site. The iframed site has set their frame-ancestor to include my domain and ...
0 votes, 1 answer, 765 views
How to implement CSRF token into SSR application with Express? Seems like csurf is deprecated
I want to implement a CSRF token into my application's server-side rendered web page but do not know how this process works and the package I found that tutorials use is deprecated (csurf). How would ...
3 votes, 1 answer, 818 views
Why are CSRF tokens encrypted?
I'm working on implementing secure CSRF tokens into my Node.js backend & React frontend app that uses express-sessions. I have created this module to generate, validate, and store CSRF tokens in ...
1 vote, 1 answer, 846 views
Can I use CSRF token as value for state parameter in OAuth flow?
While implementing Azure OAuth flow I have used the state parameter; the Azure docs say about the state param:
A value included in the request that is also returned in the token response. It can be a string of ...
2 votes, 1 answer, 2k views
Is it true that custom HTTP headers can be used to prevent CSRF because the browser prevents sites from sending custom HTTP headers to another site?
I was studying CSRF today and I found the following sentence:
custom HTTP headers can be used to prevent CSRF because the browser
prevents sites from sending custom HTTP headers to another site but
...
0 votes, 1 answer, 420 views
Cookie flow in a site that hosts embedded YouTube video
When there's a YouTube video embedded on a site that I visit while I am logged in to YouTube beforehand, how does the embedded video know that it's me so I can add it to my Watch Later list?
I think the ...
0 votes, 0 answers, 580 views
Generating CSRF token on frontend in my React app
I created an application with Node.js as backend and React.js on the frontend. My React app is running on localhost:3000 and my Node.js server is running on localhost:3005.
I also implemented CORS ...
0 votes, 1 answer, 173 views
A very basic approach to the double submit cookie patterns for ajax requests in (partly) stateless web applications
My self-coded very basic approach to implement the double submit cookie pattern (detailed information: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet....
0 votes, 1 answer, 80 views
Is API for CSRF token safe?
Is it safe to build an API to provide CSRF one-time use token to avoid CSRF attack? Will this open a new vulnerability?
I have one more doubt regarding the traditional approach of including CSRF. I ...
4 votes, 1 answer, 1k views
CSRF prevention using local storage and cookie
In the following talk https://youtu.be/67mezK3NzpU?t=2408 at 40:08, Hubert mentions that the best way to prevent a CSRF attack is to do the following:
Generate a random id server side - let's call ...
-3 votes, 1 answer, 1k views
Possible vulnerability by content disposition header
Consider a response with Content-Type: application/json;charset=UTF-8 header and Content-Disposition: attachment;filename=text.txt header, with the content-disp header appearing first; I am able to use ...
3 votes, 1 answer, 1k views
Single Page Applications and CSRF
Let us say we have an SPA being served by nginx at domain example.com and a REST API hosted at api.example.com.
Authentication between the SPA and the API happens through JWTs. A short lived (15 min)...
2 votes, 1 answer, 896 views
Do I need to use CSRF tokens in a cookie-based API?
I have an API in Next.js (NextAuth.js) that only the frontend will be using. It uses cookies for authentication. My question is could a malicious website change the user's data using CSRF? Should I ...
1 vote, 3 answers, 5k views
What is the point of X-CSRF-TOKEN or X-XSRF-TOKEN, why not just use a strict same site cookie?
Frameworks such as Laravel and others require you to place the CSRF token in your HTML forms.
However, at the same time Laravel comes by default with the VerifyCsrfToken middleware that automatically ...
2 votes, 1 answer, 501 views
Is there any reason not to simply use a hashed session ID as the CSRF token?
I’ve been binging articles about how to correctly protect against CSRF attacks, wanting to fully understand what it is that I’m doing, and most of the articles I’ve read mention very little about how ...
0 votes, 0 answers, 59 views
Is this method safe to use for login and ANTI-CSRF?
I have a question, I'm doing a mobile app with Java and on the back end PHP.
On the back end PHP I send the email+password and validate; if there is a match I generate a unique session token (encrypted ...
2 votes, 2 answers, 394 views
My web application is not publicly hosted, do I need to worry about CSRF?
My web app is not publicly available and will be used by certain verified users within a firewall.
Do I need to worry about CSRF?
Reading about the CSRF attacks and the below:
From Spring ...
0 votes, 0 answers, 505 views
Webhook listener with CSRF
I want to create a webhook listener for a third party app. But for this I have to use @csrf_exempt.
Without using the above my web app isn't allowing the third party app to send the webhook data. It ...
0 votes, 1 answer, 770 views
Implementing Cross-Domain CSRF Protection
I know this question has been asked several times, but I have never found a clear solution. How does one protect a web application against a CSRF attack?
I currently have two domains, frontend.com and ...
0 votes, 3 answers, 57 views
Is AntiForgeryToken required in three tier application?
My security scan detected an issue of type "Missing AntiForgeryToken implementation". My application has a layer of .NET Core WebApi services, a .NET Core WebApi with RazorPages service and a ...
13 votes, 3 answers, 7k views
How to securely implement authentication in Single Page Applications (SPAs) with a decoupled API
I have been researching how best to store authentication tokens in a Single Page Application (SPA). There is some existing debate about this topic on SO but as far as I can see, none offer concrete ...
0 votes, 0 answers, 285 views
Where should I check and unset the PHP CSRF token? In form control or in the index page?
I have PHP login/register forms on the same page.
In this page I generate a CSRF token and expiry time and I put them in session variables.
I also post the token with the form.
In the same page, I ...
0 votes, 1 answer, 18 views
Is a state-changing href in an email an acceptable security risk?
I want to add a button to an email that will then open an api endpoint that changes some state in my webapp. The endpoint requires that the user is already logged in to the website but I was wondering ...
0 votes, 1 answer, 213 views
PHP | prevent CSRF attacks
I know perfectly well that preventing tampering with a form is impossible.
But I want to ask, by implementing this function that generates a random number in a page hosting a form and echoing it in a ...