Linked Questions

3 votes · 1 answer · 1k views

I have found that the web application uses a weak algorithm to generate the CSRF token. The CSRF token is sent in a request header: X-CSRF-TOKEN: "token-string" Since the request header is being used, ...
Asked by Slenderman
1 vote · 0 answers · 214 views

I have a few REST APIs for an iPhone app. It has login and session management functionality. Currently the session has been tracked by a token set during login. Are REST services affected by CSRF ...
Asked by Anonymous Platypus
1 vote · 0 answers · 193 views

The title is a little bit unclear, but I had no idea how to describe the following issue in there. I found a vulnerability in a website where I am able to bypass the CSRF protection (Bug Bounty program...)...
Asked by user3348472
285 votes · 7 answers · 206k views

Quick note: this is not a duplicate of CSRF protection with custom headers (and without validating token) despite some overlap. That post discusses how to perform CSRF protection on Rest endpoints ...
Asked by Conor Mancone
112 votes · 8 answers · 103k views

In many tutorials and guides I see that a CSRF token should be refreshed per request. My question is: why do I have to do this? Isn't a single CSRF token per session much easier than generating one per ...
Asked by Philipp Gayret
163 votes · 4 answers · 90k views

I can't really fully understand what same origin domain means. I know it means that when getting a resource from another domain (say a JS file) it will run from the context of the domain that serves ...
Asked by YSY
40 votes · 2 answers · 43k views

I am playing around with a test application which accepts JSON requests and whose response is also JSON. I am trying to do a CSRF for a transaction which accepts only JSON data with POST method in request. ...
Asked by Sachin Kumar
23 votes · 3 answers · 7k views

I am well aware of the concept of CSRF, and I think I am also aware of the possible protection possibilities, as described by OWASP. However, I'm not sure why the synchronizer pattern seems to be ...
Asked by Michael
12 votes · 2 answers · 24k views

I have been reading up on fixing CSRF attacks. From some research I understand that checking for a non-standard header would prevent CSRF attacks since the browser will not automatically send such ...
Asked by Anonymous Platypus
17 votes · 1 answer · 6k views

What I know about CSRF is that a malicious website tricks a normal user into issuing a request to a trusted website using a form. I understand that is possible because we can post forms to different ...
Asked by Songo
2 votes · 2 answers · 15k views

I am aware that it is best to keep my web application patched and protected against those kinds of attacks, but in my case this is more of an experimental thing. Is there anything useful, like a module that ...
Asked by user134969
2 votes · 1 answer · 4k views

I'm working on a web application which stores an authentication token in a cookie. The only CSRF-protection is referrer checking. I am considering improving this by moving the authentication token ...
Asked by John Smith
2 votes · 2 answers · 2k views

I was explaining the attack on a JSON REST API the other day (in real life, at work, not here), and I figured out that I do not understand part of the attack vector. Sorry if this is quite a basic ...
Asked by grochmal
1 vote · 1 answer · 3k views

I have an API endpoint that is accessible by both native (console, mobile apps) and JavaScript based clients. How do I ensure that the CSRF AntiForgeryToken is only invoked during JavaScript calls? ...
Asked by makerofthings7
0 votes · 1 answer · 2k views

I'm trying to do some CSRF attack tests on a site. I found that the site protects itself from CSRF by checking the HTTP Origin header. But I guess maybe under some conditions I can bypass the ...
Asked by apex