I am using Spring framework 3.2 and Spring Security 3.2 in my application. I have implemented CSRF in custom login form and in some other forms to protect against web threats. But now I have to test that custom login form and other pages are CSRF protected. How can I test it?
Will appreciate your help.
If you have Firefox you can download Firebug. Go to the custom login form for example. In Firebug, find the CSRF field and change the value. Submit the form. If you get a forbidden message, you have successfully verified CSRF protection.
Related
I am using a server side framework that implements a csrf token in a form for CSRF protection. In this app I am creating a form that needs to be implemented in an iFrame in other sites. Whenever I try to submit this form from the iFrame I get an error: invalid CSRF (Cross Site Request Forgery).
Because of this I need to skip the CSRF protection for when the form is embedded. Are there alternatives I can use to protect my site in this scenario? Are there things I should do in this scenario because I can't use CSRF? Sorry I am new to web development. Thanks in advance.
I have a fully working product on Rails 5. I now wish to make a Chrome extension, using which users can create an 'Article'.
However, requests from my Chrome extension will be treated as Cross Site by my rails app. Hence, I was thinking of not doing the CSRF check at all on just my create action.
What is the biggest security risk associated with this? I understand after this, anyone will be able to make POST request to my server that creates a new article - however, this is not a damaging action like update, or worse, delete.
The Rails guide states that,
CSRF attack method works by including malicious code or a link in a
page that accesses a web application that the user is believed to have
authenticated. If the session for that web application has not timed
out, an attacker may execute unauthorized commands.
If a CSRF token is a valid one, it is a kind of assurance that the user session has not been hijacked and the request has been made with the user consent.
For more info, I recommend you to refer the Rails guide http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf
I have a Wordpress site that embeds some elements of a Ruby on Rails site (which is our Members Area and is located on a subdomain). The elements include a login form. When people use it, Rails returns an error due to invalid CSRF token. Do I have to disable CSRF for the login action? What are my options? If the answer is to disable it, then is there a painless way to do so for Devise?
Do not disable the CSRF token for security purposes. Instead, look through the code and identify where the CSRF token is originating from, usually the DB, and then you can create a variable with that token value and echo it into an field within the form in question with the specific CSRF token parameter that PHP is expecting.
I have an MVC project using Cookie Authentication, but I want a single action to use basic authentication.
My problem is, that if the basic authentication fails, the user is redirected to the login page, specified in the cookie setup, instead of being issued a challenge.
My basic authentication code is from this page: http://www.ryadel.com/en/http-basic-authentication-asp-net-mvc-using-custom-actionfilter/
How do I prevent this redirect?
Adding the line:
filterContext.HttpContext.Request.Headers.Add("X-Requested-With", "XMLHttpRequest");
to the authentication attribute, will prevent the server from returning the login page.
I'm having a ton of issues with Devise, using OmniAuth, to authenticate my Rails app. I relaunch my server and open up a new tab in Incognito mode (so that the cookies are cleared) and load my app. I log in, and then go through to the app.
When I get to a page that calls an authenticated action via AJAX, it asks for a username and password via HTTP Basic Authentication. I've disabled this in my devise.rb.
config.http_authenticatable = false
config.http_authenticatable_on_xhr = false
When I then go back to a previous page, it redirects me to the login page and asks for a login. This also happens when I visit a page that doesn't require authentication and then go back to an authenticated page.
This is getting immensely frustrating. I've unpacked Devise and Warden to my vendor/gems directory so that I can try to debug it, but I honestly can't figure out where to begin. Any help would be hugely appreciated.
Your AJAX call probably isn't setting the CSRF token. You might need to update your UJS gem (jquery-rails probably) or manually set the X-CSRF-Token HTTP header to the value of the tag. See this question: Devise session immediately expiring on .js call [AJAX]. You can test if this is the problem by disabling CSRF protection temporarily by chucking config.allow_forgery_protection = false in config/application.rb.
If you go the manual route, you should probably grab the value of the 'authenticity_token' meta tag first, and use that as the name of the actual token meta tag, rather than hard coding the reference to 'csrf-token'.
I would recommend updating to Rails 3.0.10 or 3.1 if you can. I was still having problems on 3.0.7.