Tagged Questions
1 vote, 1 answer, 87 views
Can Rails CSRF token be used in Facebook server login request?
When implementing a Facebook server-side login, the documentation says that our server should supply a state string, which Facebook will send back to us during the callback. We can then check if the ...
5 votes, 3 answers, 1k views
Are JSON web services vulnerable to CSRF attacks?
I am building a web service that exclusively uses JSON for its request and response content (i.e., no form encoded payloads).
Is a web service vulnerable to CSRF attack if the following are true?
...
4 votes, 5 answers, 232 views
CSRF - Can forged POSTs contain arbitrary data?
Forged POST requests can be constructed by untrusted websites by creating a form and posting it to the target site. However, the raw contents of this POST will be encoded by the browser to be in the ...
2 votes, 1 answer, 63 views
Passing CSRF credentials as URL parameters?
How do you handle CSRF credentials sent to Django as URL parameters?
I ask because that is, evidently, the only way to submit a file upload via a form in an iFrame.
Most online examples show to pass ...
1 vote, 1 answer, 637 views
ASP.NET MVC - ValidateAntiForgeryToken expiring
In a web page we provide a hyperlink (GET) that the User may click on to authenticate:
@Html.ActionLink("Please Login", "MyMethod", "MyController")
This maps to the following controller method ...
1 vote, 2 answers, 92 views
Is a security attack through the query string a CSRF attack? How do I prevent attacks via the query string?
Someone is trying to access our server page with an invalid query string, which throws an exception.
query string =./../../../../../../../../../windows/system32md.exe
Exception:
Could not find file ...
3 votes, 2 answers, 105 views
Can the source of a JavaScript file loaded into a web-page via a <script> tag be read by other JavaScript in that page?
I'm looking at CSRF prevention, and I have a question about a GET URL that returns JSON, and whether or not the data returned by that URL could be accessed via a third-party web-page.
For example, ...
0 votes, 0 answers, 36 views
Is it a good idea to use the same value for CSRF salt and session signature key?
I'm working on a web backend library which generates CSRF tokens and saves HMAC-signed sessions.
I want the interface/config of the library to be as simple as possible and to have a single secret ...
1 vote, 1 answer, 128 views
CSRF Protection on static pages
I have a static site which has forms. The forms submit to a Rails endpoint which captures the submitted data. The static site and the Rails endpoint are on the same domain, on different subdomains ...
0 votes, 2 answers, 68 views
If your site doesn't use cookies do you still need to worry about CSRF protection?
I have been reading up on CSRF/XSRF a bit and a lot of it seems to talk about cookies as they can be involved in logging the user back in automatically.
So I was just wondering if your site doesn't ...
0 votes, 1 answer, 101 views
Do we need CSRF protection for public URLs?
I have a web app, that does not have any forms (Disabled all form requests in web server).
It has only a few public URLs (with some GET params in the URL). There is no login and it does not use any ...
0 votes, 2 answers, 260 views
Does disabling third party cookies protect a client against cross site request forgery attacks?
Say that example.org uses cookies to authenticate users and did not implement cross-site request forgery protection. Is an example.org user who disabled third-party cookies secure against CSRF ...
2 votes, 1 answer, 369 views
Preventing CSRF while using CORS?
I am making a bookmarklet so that a user can cross domain post to my server using CORS from any page. The user has to authenticate before posting and cookies are used. Is there any way to prevent a ...
2 votes, 2 answers, 72 views
How to prevent submitting form from localhost to server
I've googled this for two days and I just can't find anything describing the following issue:
Let's say I have the following form on "www.example.com":
<form action="formProcessor.htm" ...
0 votes, 1 answer, 50 views
Simpler solution against CSRF?
I've been thinking about Same Origin Policy and CSRF, and couldn't answer myself why web browser developers don't use a simpler solution.
Instead of disallowing cross domain scripts, why can't they ...