Are there any transparent libraries that I can use, or something easy, so I can prevent cross-site request forgery (CSRF) with Perl and Apache? How can I generate tokens for forms and validate them server-side?
Started by Timmy on
, 3 posts
by 3 people.
Answer Snippets (Read the full thread at stackoverflow):
To protect from "Cross-site request forgery" from server side, it is best to:
Use HTML escape.
Hello,
How do I post an array to an action on my controller with the anti-forgery token?
This is my jQuery postdata:
var postData = { '__RequestVerificationToken': $('input[name=__RequestVerificationToken]').val(), 'productIds': IDs };
This is my jQuery...
Started by Pickels on
, 3 posts
by 3 people.
Answer Snippets (Read the full thread at stackoverflow):
Assuming you have all your product IDs in the HTML, it would be much easier to use the jQuery Form plugin:
$("form").ajaxSubmit({url: "MyProducts/DeleteProduct", success: function(response) { // Handle the response }})
var ids = [1,2]; var data = { __RequestVerificationToken... .
Hi all,
I have some JavaScript making an AJAX call in my Rails site:
$.ajax({type: "PUT", url: url, data: { dummy: data }, complete: function(data) {}});
When Rails gets it, it throws back an ActionController::InvalidAuthenticityToken Error. I'd like ...
Started by Matt Grande on
, 3 posts
by 3 people.
Answer Snippets (Read the full thread at stackoverflow):
</form>
Works.
Rest of form...
(){ return '<%= form_authenticity_token if protect_against_forgery? -%>'; } //--><', form_authenticity_token if protect_against_forgery? %> ...
In ASP.NET MVC 1.0, there is a new feature for handling the cross-site request forgery security problem:
<%= Html.AntiForgeryToken() %> [ValidateAntiForgeryToken] public ViewResult SubmitUpdate() { // ... etc }
and I found the token generated in the HTML...
Started by MemoryLeak on
, 3 posts
by 3 people.
Answer Snippets (Read the full thread at stackoverflow):
Try reading the documentation that comes with the report The anti-forgery token the term for this (the attack it protects) is called "CSRF" (Cross-Site Request Forgery), these days-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken....
Fixed'.
Is Cross-Site Request Forgery possible against a stateless RESTful service?
I'm not talking about pseudo-REST where the server remembers that you're logged in via a cookie. I'm talking about pure no-application-state-on-the-server REST with no cookies...
Started by Mark Lutton on
, 3 posts
by 3 people.
Answer Snippets (Read the full thread at stackoverflow):
Somebody else can include an img tag in their HTML page that does a GET on some well-known URI, and your browser will happily send along...
Using HTTP Basic Auth does not prevent CSRF attacks via GET requests.
Disclaimer: I am not a security expert.
I've recently switched from storing session data in a cookie to storing it in the database.
Now every POST request causes an ActionController::InvalidAuthenticityToken error. It only happens in Firefox, and only on my home machine (I tried it out at work...
Started by joecorcoran on
, 3 posts
by 3 people.
Answer Snippets (Read the full thread at stackoverflow):
So, hopefully, only you and ....
It only happens if you had a pre-existing session that used the cookie store.
Delete the Rails session cookie for that site in your home Firefox browser.
The exact same thing happened to me when I switched one of my sites.
From ha.ckers.org/xss.html :
IMG Embedded commands - this works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete...
Started by The Feast on
, 6 posts
by 6 people.
Answer Snippets (Read the full thread at stackoverflow):
Instead, you need to make sure that your website has no targets (URLs that respond to GET requests and change things).
If there...
You cannot reliably block it by preventing certain <img> tags.
This attack is simply an HTTP GET request made to any URL.
I've read several XSRF solutions that rely on adding more tokens to the response, which do help protect code that only runs on POST.
i.e. this would be a one-step attack relying on a page that responds to HTTP GET:
<img src="http://amazon.com/buybook...
Started by MatthewMartin on
, 4 posts
by 4 people.
Answer Snippets (Read the full thread at stackoverflow):
If your site already has an XSS vulnerability, you're already hosed, and anti-XSRF...
The point is that JavaScript can't read the anti-XSRF token from a cross-domain context, and XMLHttpRequest is same-origin only, so it cannot be used to steal the token.
Hi guys, I've been surfing the net and spotted this. Now I reckon it's a forgery; can someone tell me?
Maybe a replica, and is it forged/replicated by Roman or the bloke who sold it?
front
http://i1190.photobucket.com/albums/z44 ... ure022.jpg
back
http...
Started by Mrnewguy on
, 14 posts
by 9 people.
Answer Snippets (Read the full thread at metaldetectingforum):
For the replicas
If this is a forgery then you can't tell that from these photos, and unless it is on the forgery database on http://www.forumancientcoins.com/ then it's probably a genuine coin, but without myself it's very hard to tell a ....
List,
Please check this set up on the NRA's website:
http://www.nramuseum.com/the-museum/...per-rifle.aspx
I have been researching ZF41's, and a few sites claim that the rear sight mount adapter, which is common with modern ZF41 reproductions, is fantasy...
Started by wwiiarmorer on
, 15 posts
by 5 people.
Answer Snippets (Read the full thread at wehrmacht-awards):
Also, supposedly on page.
This would be a master job at forgery.
Original markings and make new ones).