5

My site is under csurf protection at the moment.

I have assigned all my ajax call with csrf token like below

"/data/someAPI?_csrf="+ $("#_csrf").val and it works just fine with all function I had.

But now I am writing a file upload function and most of the tutorials on the internet are using sumbit form to do so.

So I wrote something like

Node.js

app.post('/upload', function(req, res) {
  if (!req.files)
    return res.status(400).send('No files were uploaded.');

  // The name of the input field (i.e. "sampleFile") is used to retrieve the uploaded file
  let sampleFile = req.files.sampleFile;

  // Use the mv() method to place the file somewhere on your server
  sampleFile.mv('/somewhere/on/your/server/filename.jpg', function(err) {
    if (err)
      return res.status(500).send(err);

    res.send('File uploaded!');
  });
});

Solved

HTML

<html>
  <body>
    <form ref='uploadForm' 
      id='uploadForm' 
      action='http://localhost:8000/upload?_csrf=<your_csrf_token>"' 
      method='post' 
      encType="multipart/form-data">
        <input type="file" name="sampleFile" />
        <input type='submit' value='Upload!' />
    </form>     
  </body>
</html>

I directly assigned the token in the form action and it works fine.

Improve this question
5
  • Why not do it as you are doing in ajax call? i.e. define token in form action. Commented Nov 28, 2017 at 8:45
  • @aquaman do you mean i should <input type='hidden' name='form-control' value='{{_csrf}}'> put this line within the form? Commented Nov 28, 2017 at 8:49
  • 1
    I meant modify your form as action="/upload?_csrf=<your_csrf_token>". And well what you suggested in another option you can try. Commented Nov 28, 2017 at 8:51
  • thanks i solved it!!! @aquaman Commented Nov 28, 2017 at 8:57
  • Quick question, how do you obtain that CSRF token in the first place? Commented Oct 23, 2018 at 19:48

1 Answer 1

Reset to default
4

You can add hidden field for _csrf token. Here is example code

<html>
  <body>
    <form ref="uploadForm" 
      id="uploadForm" 
      action="http://localhost:8000/upload" 
      method="post" 
      encType="multipart/form-data">
        <input type="file" name="sampleFile"/>
        <input type="hidden" name="_csrf" value="<your_csrf_token>"/>
        <input type="submit" value="Upload!"/>
    </form>     
  </body>
</html>
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

@BhavaniSolanki : After implementing CSRF solution hidden field comparing server side , the problem is , when open new tab with same URL then hidden filed comes null.Server side condition is if CSRF hidden field null then its attack.is it expected behavior ?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.