TPittman wrote:One of the sites I'm monitoring uses CSRF cookies or tokens. I'm not familiar with this tool or practice or whatever it is, but the app owner says it's in use. He refers to it as though it's a cookie of some sort, but this value is kept in a hidden field on the form.
<input type="hidden" name="csrf_token" value="76760dba28242694a6821146aa8adea5" />
However, it's also showing up in the web log files when all is working correctly. But it's not coming through sometimes and the web page is returning a 403 error. See the attachment for some web log file extracts showing the csrf_connect cookie showing up certain times and not others.
So, eValid appears to be losing this value sometimes and this results in an error and the script fails. I am trying the introduction of delays in various parts of the script to see if that helps but I'm not sure what else to try. It's not a complicated script, just sometimes the login-submit works and sometimes it fails. When it fails, its because the CSRF token is missing and this results in a 403 error from the page.
Thanks for asking TPittman.
From the post you gave some information, but ultimately to diagnose this you need to be able to use eValid in full-fidelity to see what is really going on.
In your own machine, try running the playback in "single-step" mode while you have the EventLog open.
That should help understand the dynamics.
But, you asked for suggestions on what might be going on and how to fix it.
(1) Are you sure that another instance of eValid is not deleting cookies between runs of the subject script?
There is only ONE cache and only ONE set of cookies.
A playback that deletes cookies might be the problem.
(2) Make sure your OWN script does NOT say "Delete Cookie?"
(You didn't provide the script so we have to ask you this obvious question, sorry).
To know this for sure you would have to use the PageMap to find the right element and extract its contents.
Just as suggestion this is at playback for debugging purposes do something like this:
# This sets the sourceIndex...
# This extracts the content of the token...
IndexSaveObjectProperty property-name some-local-file
Now you can see what's there.
Here is the reference page you'll need: http://www.e-valid.com/Products/Documen ... bjProperty
(4) Cross-Site Scripting is a well-known hacking approach.
See this Wikipedia page: https://www.owasp.org/index.php/Cross-S ... gery_(CSRF
(5) Yes, it could be a timing issue; if the script works in single step mode and fails in automatic mode, then you have a playback synchronization problem.
See: http://www.e-valid.com/Products/Documen ... n.dom.html
(6) Final suggestion, based on your observation that the incorrect behavior is not repeatable: sometimes the script works and sometimes fails.
Maybe that is the correct behavior?
-- eValid Support