使用Ajax的无效CSRF令牌

I am using purely javascript to access to certain web services built with Spring. when I tried to use an Ajax Post call to one of the services I encountered the issue with CSRF.

The Ajax call is the lines of:

var data = {'attribute1':'1','attribute2':'2'};

$.ajax({
    type: "POST",
    url: url,
    data: data,
    success: function(data)
    {   
        if (typeof inputId !== 'undefined') {
            $("#"+inputId).val(JSON.stringify(data));
        }
        console.log(JSON.stringify(data));    
    }
  });

I have been searching the web, but all that I found is to update the backend (JSP, PHP) to populate the attribute "${_csrf.parameterName}" in the form. However, I am not using any backend, all the page is HTML and javascript only.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
weixin_33747129 2017-09-13 22:19
关注
CSRF_Token is a cookie sent down and stored in the browser by the your web framework/server. Typically when posting via an ajax call as you're doing... you need to send that CSRF_Token value as part of your JSON data. To do that... you need to use JavaScript to find the cookie name and obtain the value. Than you need to assign the value to the right variable name that the server is expecting to see. For instance,

var data = { crsf_token_name_server_expects: csrf_token_value_I_obtained };

The CSRF_Token is used to ensure people communicating with your api actually accessed your site and created a valid session before trying to POST data to it. A user on google.com cannot post to stackoverflow.com unless stackoverflow.com set's something called a cors header which allows the communication between Google.com and Stackoverflow.com to go through.

Based on your question... you said you're posting to a backend api which is powered by Java Spring. This api expects a csrf_token so it sounds like it's an api that is only supposed to be used for the domain name where this service is setup. For instance, a user goes to google.com and makes a POST to www.google.com/url_to_post_to/. Google would ensure a CSRF_Token is sent with this request... as they do not want people just randomly accessing this api url... without having a valid Google session.
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

CSRF令牌保护意义何在？ csrf php
2019-01-14 16:19

回答 2 已采纳 The CSRF token is random and unique per session. Hence, an attacker can get the value of this toke
如何使用ajax在LARAVEL中获取新的CSRF令牌 ajax jquery php
2017-08-14 06:08

回答 2 已采纳 Just add this to your script <script type="text/javascript"> $.ajaxSetup({
CSRF会话令牌无效 csrf php
2013-11-15 19:38

回答 1 已采纳 You're passing $token in as the first parameter for CSRF::check(). Surely, it should be: CSRF::ch
Django Ajax CSRF认证（解决Post无法使用情况）
2020-06-14 20:35

zju_cxl的博客 CSRF（Cross-site request forgery跨站请求伪造，也被称为“one click attack”或者session riding，通常缩写为CSRF或者XSRF。是一种对网站的恶意利用。 XSS 假如A网站有XSS漏洞，访问A网站的攻击用户用发帖的方式...
使用表单数据添加laravel CSRF令牌 javascript laravel php
2016-11-29 13:26

回答 3 已采纳 You should add a field named - _token, instead of csrfToken like this: data.append( "_token", Lar
从Golang Buffalo网络应用发送推文时，无法设置CSRF令牌 csrf
2019-04-12 12:17

回答 2 已采纳 After looking through the GoBuffalo docs, and in particular THIS part of the forms page, All i had
如何在Laravel 5.2中使用Ajax进行CSRF保护 csrf jquery laravel php
2016-08-23 07:45

回答 2 已采纳 Try to set CSRF token in X-CSRF-TOKEN like, $.ajaxSetup({ headers: { 'X-CSRF-TOKEN':
【CSRF】学习关于CSRF攻击和防范
2022-03-13 17:12

玖等了的博客关于CSRF攻击的相关信息，包括如何怎么发生，发生场景和如何防范
Yii2 CSRF令牌时间段增加 csrf php
2018-04-02 12:24

回答 1 已采纳 You can use frontend and backend as different cookie and session Cookie Backend 'identityCookie'
Laravel csrf令牌与ajax POST请求不匹配 ajax jquery laravel php
2015-09-23 11:47

回答 11 已采纳 You have to add data in your ajax request. I hope so it will be work. data: { "_token": "
CSRF令牌不经时验证 csrf php
2014-05-22 23:51

回答 2 已采纳 This is just a wild guess, but could it be the combination of the Base64 encoding and submitting t
Axios.post 请求报错： 403 Forbidden missing csrf token 和 invalid csrf token
2023-11-30 17:41

gqkmiss的博客 403, statusText: "Forbidden", data: { "message": "invalid csrf token" } } 无效的 token… 问了下后端，后端也懵，网上查了不少资料，但是都不行，都是上面两种错误来回切后来无意间换成了 fetch，接口通了…...
错误“CSRF令牌无效。请尝试在Symfony3中重新提交表单 php symfony
2017-03-10 15:46

回答 1 已采纳 You should change this <button type="submit" name="form_name">Create</button> With
2023前端面试题汇总
2023-03-09 17:58

下雪不过冬天的博客 2023前端基础面试题汇总
CSRF 伪造用户请求攻击
2021-05-02 16:44

丰梓林的博客文章目录CSRF 伪造用户请求攻击0x01 CSRF 原理1.CSRF 漏洞的定义2.XSS与 CSRF的区别3.CSRF 的简单理解4.CSRF 实验环境0x02 基于 DVWA 的 low 级别演示 CSRF 攻击1.查看源代码2.构造URL 链接3.验证CSRF 攻击4.构造...
没有解决我的问题, 去提问

悬赏问题

¥15 如何在scanpy上做差异基因和通路富集？
¥20 关于#硬件工程#的问题，请各位专家解答！
¥15 关于#matlab#的问题：期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707，使系统具有较小的超调量
¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
¥30 截图中的mathematics程序转换成matlab
¥15 动力学代码报错，维度不匹配
¥15 Power query添加列问题
¥50 Kubernetes&Fission&Eleasticsearch
¥15 報錯：Person is not mapped，如何解決？
¥15 c++头文件不能识别CDialog

使用Ajax的无效CSRF令牌

1条回答 默认 最新

悬赏问题

1条回答默认最新