2023-01-12

Finding: CSRF required to be included in both cookie and header

 


Found out need to have CSRF token in cookies + header



C:\Users\billson.bs.chew>curl "http://localhost:9099/sfa/getrefcountry" -X "POST" -H "Cookie: JSESSIONID=ECF471E0BB423ADF808EFC649965D63D; XSRF-TOKEN=8078038f-017c-4adf-9034-71d0a5624020; OAuth_Token_Request_State=45f11140-bc27-4d82-9e06-ac7716150d9b"
{"timestamp":"2023-01-12T05:14:04.958+00:00","status":403,"error":"Forbidden","message":"Forbidden","path":"/sfa/getrefcountry"}
C:\Users\billson.bs.chew>
C:\Users\billson.bs.chew>
C:\Users\billson.bs.chew>
C:\Users\billson.bs.chew>
C:\Users\billson.bs.chew>curl "http://localhost:9099/sfa/getrefcountry" -X "POST" -H "Cookie: JSESSIONID=ECF471E0BB423ADF808EFC649965D63D; OAuth_Token_Request_State=45f11140-bc27-4d82-9e06-ac7716150d9b" -H "X-XSRF-TOKEN: 8078038f-017c-4adf-9034-71d0a5624020"
{"timestamp":"2023-01-12T05:14:17.134+00:00","status":403,"error":"Forbidden","message":"Forbidden","path":"/sfa/getrefcountry"}
C:\Users\billson.bs.chew>
C:\Users\billson.bs.chew>
C:\Users\billson.bs.chew>
C:\Users\billson.bs.chew>curl "http://localhost:9099/sfa/getrefcountry" -X "POST" -H "Cookie: JSESSIONID=ECF471E0BB423ADF808EFC649965D63D; XSRF-TOKEN=8078038f-017c-4adf-9034-71d0a5624020; OAuth_Token_Request_State=45f11140-bc27-4d82-9e06-ac7716150d9b" -H "X-XSRF-TOKEN: 8078038f-017c-4adf-9034-71d0a5624020"
[{"id":746,"countryName":"......


But will failed after added -H "X-Requested-With: XMLHttpRequest"

curl "http://localhost:9099/sfa/getrefcountry" -X "POST" -H "Cookie: JSESSIONID=72E583341F34F836CE9D1E791BAA8289; XSRF-TOKEN=8078038f-017c-4adf-9034-71d0a5624020; OAuth_Token_Request_State=45f11140-bc27-4d82-9e06-ac7716150d9b" -H "X-XSRF-TOKEN: 8078038f-017c-4adf-9034-71d0a5624020" -H "X-Requested-With: XMLHttpRequest"

maybe required to add the origin header as well.

curl "http://localhost:9099/sfa/getrefcountry" -X "POST" -H "Cookie: JSESSIONID=4174FC81554467718FC1F68CA393A357; XSRF-TOKEN=9c5dd88b-837b-400a-b083-912cc83aaa9f; OAuth_Token_Request_State=45f11140-bc27-4d82-9e06-ac7716150d9b" -H "X-XSRF-TOKEN: 9c5dd88b-837b-400a-b083-912cc83aaa9f" -H "Origin: http://localhost:9099" -H "X-Requested-With: XMLHttpRequest"






















No comments:

Post a Comment