Possible CSRF Attack with AJAX Request
66 views
Skip to first unread message
Ahmed Mamdouh
Sep 12, 2022, 3:34:24 AM9/12/22
to user...@magnolia-cms.com
Hello,,
I have a page that tracks an order and returns a json with the result from a database. I created a form on another page and would like to post the tracking number by jquery ajax. I always get a CSRF error. My code is like this:
<script>
var csrf = "${ctx.getAttribute('csrf')!''}";
var mgnlModelExecutionUUID = "${content.@id}";
var trackingNumber = "1234";
var jqxhr = $.post( "track-order.html", {
trackingNumber : trackingNumber ,
csrf:csrf,
mgnlModelExecutionUUID:mgnlModelExecutionUUID, }, function() {
alert( "success" );
})
.fail(function() {
alert( "error" );
})
</script>
The same code works if I try a GET request but with POST I always get a csrf error. I know I can disable the csrf filter but why doesn't it work?
Cheers
Roman Kovařík
Sep 12, 2022, 4:00:07 AM9/12/22
to Magnolia User Mailing List, amam...@gmail.com
Hi,
Is the POST request bound to the same session? Also debugging CsrfCookieTokenFilter might help.
Regards
Roman
Ahmed Mamdouh
Sep 12, 2022, 12:09:13 PM9/12/22
to Magnolia User Mailing List, roman....@magnolia-cms.com, Ahmed Mamdouh
Hello,
Thank you for your reply. I am not sure how to verify that.
The browser devtools shows the post request has session cookies. What I noticed though is that the csrf in the cookie is different from the csrf created with the ctx template function.
Regards
Ahmed Mamdouh
Sep 12, 2022, 12:37:29 PM9/12/22
to Magnolia User Mailing List, Ahmed Mamdouh, roman....@magnolia-cms.com
Update.
It seems this a general issue, even on the contact form in the travel demo website. Not specific to my case.
Any ideas where to look or what might be the cause?
Thanks
Ahmed Mamdouh
Sep 12, 2022, 5:50:33 PM9/12/22
to Magnolia User Mailing List, Ahmed Mamdouh, roman....@magnolia-cms.com
I restarted the server and it worked. Sorry for bothering.
Reply all
Reply to author
Forward
0 new messages