Possible CSRF Attack with AJAX Request


Ahmed Mamdouh

Sep 12, 2022, 3:34:24 AM
to user...@magnolia-cms.com

Hello,

I have a page that tracks an order and returns JSON with the result from a database. I created a form on another page and would like to post the tracking number via jQuery AJAX. I always get a CSRF error. My code is like this:

<script>
  // Freemarker expressions are rendered server-side into the page:
  // the CSRF token from the request context and the current content node id.
  var csrf = "${ctx.getAttribute('csrf')!''}";
  var mgnlModelExecutionUUID = "${content.@id}";
  var trackingNumber = "1234";

  // POST the tracking number together with the CSRF token and the
  // model execution UUID expected by the target page.
  var jqxhr = $.post("track-order.html", {
      trackingNumber: trackingNumber,
      csrf: csrf,
      mgnlModelExecutionUUID: mgnlModelExecutionUUID
    }, function() {
      alert("success");
    })
    .fail(function() {
      alert("error");
    });
</script>

The same code works if I try a GET request, but with POST I always get a CSRF error. I know I can disable the CSRF filter, but why doesn't it work?


Cheers

Roman Kovařík

Sep 12, 2022, 4:00:07 AM
to Magnolia User Mailing List, amam...@gmail.com
Hi,

Is the POST request bound to the same session? Also, debugging CsrfCookieTokenFilter might help.

Regards
Roman

Ahmed Mamdouh

Sep 12, 2022, 12:09:13 PM
to Magnolia User Mailing List, roman....@magnolia-cms.com, Ahmed Mamdouh
Hello,

Thank you for your reply. I am not sure how to verify that.

The browser devtools show that the POST request has session cookies. What I noticed, though, is that the CSRF token in the cookie is different from the CSRF token created with the ctx template function.

Regards

[Attached screenshots: Screen Shot 09-12-22 at 10.37 AM 001.PNG, Screen Shot 09-12-22 at 10.37 AM.PNG]
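As an added example (not code from this thread, and not Magnolia's CsrfCookieTokenFilter, whose actual logic is not shown here), the following models the double-submit-cookie check that a filter of that kind typically performs, and the client-side pre-flight that would have revealed the cookie/template token mismatch described in the message above without a debugger. The `csrf` cookie and parameter names follow the posted snippet; the request objects are constructed samples, and the list of "safe" methods in `isProtectedMethod` is an assumption about typical filter behaviour, which is also the usual reason a GET succeeds while the same POST is rejected.

```javascript
// Added example: a minimal double-submit-cookie CSRF check plus a client-side
// pre-flight that detects a cookie/template token mismatch before posting.
// Cookie/parameter name `csrf`, `isProtectedMethod`'s safe-method list and the
// request shape are assumptions for illustration, not Magnolia's own filter.

// Parse a Cookie header (or document.cookie) string into a name->value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) cookies[name] = decodeURIComponent(value);
  }
  return cookies;
}

// Length-then-XOR comparison so the check does not leak which prefix matched.
function tokensEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Assumption: only state-changing methods are checked. A GET never has to
// carry a token, so it "works" while the identical POST is rejected.
function isProtectedMethod(method) {
  return !['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(method.toUpperCase());
}

// Server-side model of a double-submit check: the token in the request body
// must equal the `csrf` cookie sent by the same browser session.
// `req` is a constructed object: { method, headers: { cookie }, body: {...} }.
function checkCsrf(req) {
  if (!isProtectedMethod(req.method)) return { ok: true, reason: 'safe method' };
  const cookieToken = parseCookies((req.headers && req.headers.cookie) || '').csrf;
  const bodyToken = req.body && req.body.csrf;
  if (!cookieToken) return { ok: false, reason: 'no csrf cookie' };
  if (!bodyToken) return { ok: false, reason: 'no csrf parameter' };
  if (!tokensEqual(cookieToken, bodyToken)) return { ok: false, reason: 'token mismatch' };
  return { ok: true, reason: 'match' };
}

// Client-side pre-flight: compare the token rendered into the template with
// the one currently in document.cookie before issuing the AJAX POST. A
// mismatch (e.g. a page rendered against an older cookie) explains a CSRF
// rejection without touching the server.
function preflight(documentCookie, templateToken) {
  const cookieToken = parseCookies(documentCookie).csrf;
  return {
    cookieToken: cookieToken,
    templateToken: templateToken,
    consistent: tokensEqual(cookieToken, templateToken)
  };
}

// Constructed sample requests, not captured traffic.
const SESSION = 'JSESSIONID=abc123; csrf=tok-AAA';
const goodPost = { method: 'POST', headers: { cookie: SESSION }, body: { trackingNumber: '1234', csrf: 'tok-AAA' } };
const stalePost = { method: 'POST', headers: { cookie: SESSION }, body: { trackingNumber: '1234', csrf: 'tok-OLD' } };
const plainGet = { method: 'GET', headers: { cookie: SESSION }, body: { trackingNumber: '1234' } };

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log(checkCsrf(goodPost));                       // { ok: true, reason: 'match' }
  console.log(checkCsrf(stalePost));                      // { ok: false, reason: 'token mismatch' }
  console.log(checkCsrf(plainGet));                       // { ok: true, reason: 'safe method' }
  console.log(preflight(SESSION, 'tok-OLD').consistent);  // false
}
```

In the browser, `preflight(document.cookie, "${ctx.getAttribute('csrf')!''}")` run just before the `$.post` call would have shown `consistent: false` in the devtools console, which is exactly the mismatch spotted by hand above.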

Ahmed Mamdouh

Sep 12, 2022, 12:37:29 PM
to Magnolia User Mailing List, Ahmed Mamdouh, roman....@magnolia-cms.com
Update.
It seems this is a general issue, even on the contact form in the Travel Demo website, and not specific to my case.
Any ideas where to look or what might be the cause?
Thanks

Ahmed Mamdouh

Sep 12, 2022, 5:50:33 PM
to Magnolia User Mailing List, Ahmed Mamdouh, roman....@magnolia-cms.com
I restarted the server and it worked. Sorry for bothering you.