Is anyone familiar with CSRF?
Posted: Thu Nov 03, 2016 5:49 am
One of the sites I'm monitoring uses CSRF cookies or tokens. I'm not familiar with this tool or practice or whatever it is, but the app owner says it's in use. He refers to it as though it's a cookie of some sort, but this value is kept in a hidden field on the form.
<input type="hidden" name="csrf_token" value="76760dba28242694a6821146aa8adea5" />
However, it's also showing up in the web log files when all is working correctly. But it's not coming through sometimes and the web page is returning a 403 error. See the attachment for some web log file extracts showing the csrf_connect cookie showing up certain times and not others.
So, eValid appears to be losing this value sometimes and this results in an error and the script fails. I am trying the introduction of delays in various parts of the script to see if that helps but I'm not sure what else to try. It's not a complicated script, just sometimes the login-submit works and sometimes it fails. When it fails, it's because the CSRF token is missing and this results in a 403 error from the page.
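Added illustration (not code from the post or from the site it describes) of the double-submit check a server of this kind is likely performing: the token is set as the csrf_connect cookie and also embedded in the csrf_token hidden field, and a POST is answered with 403 whenever the hidden field is absent or does not match the cookie. The cookie and field names come from the post; the handler logic and the sample values are assumptions made for this example.

```python
# Constructed example of a double-submit CSRF check. The names csrf_connect and
# csrf_token are taken from the forum post; the handler itself is hypothetical.
import hmac
import secrets

COOKIE_NAME = "csrf_connect"
FIELD_NAME = "csrf_token"


def issue_token() -> str:
    """Generate a fresh, unguessable token when the login page is rendered."""
    return secrets.token_hex(16)


def render_login_form(token: str) -> str:
    """Embed the token in the hidden field, as the post's form does."""
    return ('<form method="post" action="/login">'
            f'<input type="hidden" name="{FIELD_NAME}" value="{token}" />'
            '<input type="text" name="user" />'
            '<input type="password" name="pass" />'
            '</form>')


def check_csrf(cookies: dict, form: dict) -> int:
    """Return the HTTP status the server answers with: 200 or 403.

    The cookie is sent by the browser automatically; the hidden field has to be
    read from the rendered page and copied into the POST, which a cross-site
    form cannot do. Both must be present and equal.
    """
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(FIELD_NAME)
    if not cookie_token or not form_token:
        return 403  # missing token: the failure the post observes
    # constant-time comparison so timing does not reveal partial matches
    if not hmac.compare_digest(cookie_token, form_token):
        return 403
    return 200


def simulate_login(copy_hidden_field: bool = True) -> int:
    """End-to-end run: issue token, render form, submit with or without it."""
    token = issue_token()
    html = render_login_form(token)
    assert f'value="{token}"' in html
    cookies = {COOKIE_NAME: token}            # what the browser sends back
    form = {"user": "alice", "pass": "secret"}
    if copy_hidden_field:
        form[FIELD_NAME] = token              # hidden field copied correctly
    return check_csrf(cookies, form)          # 200 if copied, else 403
```

A test tool that submits the form without re-reading the hidden field after each page render, or that submits before the page has finished loading, produces exactly the 403 path shown in check_csrf.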