2023-01-12

Finding: CSRF required to be included in both cookie and header

Found out that the CSRF token needs to be in both the cookie and the header:

C:\Users\billson.bs.chew>curl "http://localhost:9099/sfa/getrefcountry" -X "POST" -H "Cookie: JSESSIONID=ECF471E0BB423ADF808EFC649965D63D; XSRF-TOKEN=8078038f-017c-4adf-9034-71d0a5624020; OAuth_Token_Request_State=45f11140-bc27-4d82-9e06-ac7716150d9b"
{"timestamp":"2023-01-12T05:14:04.958+00:00","status":403,"error":"Forbidden","message":"Forbidden","path":"/sfa/getrefcountry"}
C:\Users\billson.bs.chew>curl "http://localhost:9099/sfa/getrefcountry" -X "POST" -H "Cookie: JSESSIONID=ECF471E0BB423ADF808EFC649965D63D; OAuth_Token_Request_State=45f11140-bc27-4d82-9e06-ac7716150d9b" -H "X-XSRF-TOKEN: 8078038f-017c-4adf-9034-71d0a5624020"
{"timestamp":"2023-01-12T05:14:17.134+00:00","status":403,"error":"Forbidden","message":"Forbidden","path":"/sfa/getrefcountry"}
C:\Users\billson.bs.chew>curl "http://localhost:9099/sfa/getrefcountry" -X "POST" -H "Cookie: JSESSIONID=ECF471E0BB423ADF808EFC649965D63D; XSRF-TOKEN=8078038f-017c-4adf-9034-71d0a5624020; OAuth_Token_Request_State=45f11140-bc27-4d82-9e06-ac7716150d9b" -H "X-XSRF-TOKEN: 8078038f-017c-4adf-9034-71d0a5624020"
[{"id":746,"countryName":"......

But it fails after adding -H "X-Requested-With: XMLHttpRequest":

curl "http://localhost:9099/sfa/getrefcountry" -X "POST" -H "Cookie: JSESSIONID=72E583341F34F836CE9D1E791BAA8289; XSRF-TOKEN=8078038f-017c-4adf-9034-71d0a5624020; OAuth_Token_Request_State=45f11140-bc27-4d82-9e06-ac7716150d9b" -H "X-XSRF-TOKEN: 8078038f-017c-4adf-9034-71d0a5624020" -H "X-Requested-With: XMLHttpRequest"

Maybe the Origin header needs to be added as well:

curl "http://localhost:9099/sfa/getrefcountry" -X "POST" -H "Cookie: JSESSIONID=4174FC81554467718FC1F68CA393A357; XSRF-TOKEN=9c5dd88b-837b-400a-b083-912cc83aaa9f; OAuth_Token_Request_State=45f11140-bc27-4d82-9e06-ac7716150d9b" -H "X-XSRF-TOKEN: 9c5dd88b-837b-400a-b083-912cc83aaa9f" -H "Origin: http://localhost:9099" -H "X-Requested-With: XMLHttpRequest"
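A server-side model of the check the curl calls above hit, as an added Python example that is not from this post or from the application being tested: the XSRF-TOKEN cookie and the X-XSRF-TOKEN header must both be present and match (double-submit cookie pattern), otherwise the POST gets 403. The allowed-origin set and the placeholder token and session values are constructed assumptions, and the Origin allowlist goes a step beyond what the post shows, as a defence-in-depth layer.

```python
import hmac

CSRF_COOKIE = "XSRF-TOKEN"         # cookie the server sets (name as seen in the curl calls)
CSRF_HEADER = "x-xsrf-token"       # header the client must echo it in (compared lower-cased)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
ALLOWED_ORIGINS = {"http://localhost:9099"}   # assumption: the app's own origin


def parse_cookie_header(raw):
    """Split a raw Cookie header ('a=1; b=2') into a name -> value dict."""
    cookies = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def csrf_check(method, headers):
    """Double-submit cookie check; returns (status, reason).
    Token must be in the XSRF-TOKEN cookie AND the X-XSRF-TOKEN header, and match."""
    if method.upper() in SAFE_METHODS:
        return 200, "safe method, no CSRF check"
    h = {k.lower(): v for k, v in headers.items()}   # HTTP header names are case-insensitive
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"               # extra layer, not shown by the post
    cookie_token = parse_cookie_header(h.get("cookie", "")).get(CSRF_COOKIE)
    header_token = h.get(CSRF_HEADER)
    if not cookie_token:
        return 403, "missing XSRF-TOKEN cookie"        # first curl above: header only
    if not header_token:
        return 403, "missing X-XSRF-TOKEN header"      # second curl above: cookie only
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return 403, "cookie/header token mismatch"     # constant-time compare
    return 200, "ok"                                   # third curl above: both present


def replay_observed_sequence():
    """Constructed replay of the three POSTs above with a placeholder token."""
    tok = "00000000-constructed-token"
    sid = "JSESSIONID=constructed-session"
    cookie_only = {"Cookie": f"{sid}; {CSRF_COOKIE}={tok}"}
    header_only = {"Cookie": sid, "X-XSRF-TOKEN": tok}
    both = {"Cookie": f"{sid}; {CSRF_COOKIE}={tok}", "X-XSRF-TOKEN": tok}
    return [csrf_check("POST", h)[0] for h in (cookie_only, header_only, both)]
```

`replay_observed_sequence()` returns `[403, 403, 200]`, the same pattern as the three curl responses.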