Monday, December 8, 2014

Re: POSTing data to a django view from a stand alone script with CSRF

On Mon, Dec 8, 2014 at 11:44 AM, Carl Meyer <carl@oddbird.net> wrote:
> Hi Larry,
>
> On 12/08/2014 07:14 AM, Larry Martell wrote:
>> On Sat, Dec 6, 2014 at 1:41 AM, James Schneider <jrschneider83@gmail.com> wrote:
>>> Check out Collin's email from earlier, it has an example using curl but you
>>> should be able to adapt your web request with the cookie and POST values via
>>> the python script. The cookie and POST values for the CSRF token can be
>>> anything, they just need to match.
>>>
>>> https://groups.google.com/d/msgid/django-users/fb6e54a8-c9e7-45f7-882f-bc05c8ee90d2%40googlegroups.com?utm_medium=email&utm_source=footer
>>
>> Thanks. This is very simple. So simple I didn't even think of this.
>> But then can't anyone override the CSRF protection very easily?
>
> This is explained in the link to a previous thread that I posted above.
>
> The CSRF protection works because malicious JS can't control the value
> of the CSRF cookie submitted by your browser.

Right, but anyone can write a script to bypass the CSRF protection. I
was surprised that it would be so easy to do that. I guess that's not
what CSRF was designed to protect against.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CACwCsY6DRWCohZcPWcNP9%2B_0CCzk4J1EZi77POPo1ttwBYvd1w%40mail.gmail.com.
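An added illustration of the point Carl and Larry are discussing, written for this page and not taken from the thread or from Django itself: a small model of the double-submit cookie check, with a per-origin cookie jar standing in for the browser. It assumes Django's default names for the cookie (csrftoken) and the form field (csrfmiddlewaretoken); the origins and tokens are constructed sample values.

```python
import secrets
from hmac import compare_digest

# Constructed model of a double-submit CSRF check (not Django's code).
# A state-changing POST is accepted only if the "csrftoken" cookie and the
# "csrfmiddlewaretoken" form field carry the same value.

def csrf_check(cookies: dict, post: dict) -> bool:
    """Server side: both values must be present and equal (constant-time)."""
    cookie_token = cookies.get("csrftoken")
    form_token = post.get("csrfmiddlewaretoken")
    if not cookie_token or not form_token:
        return False
    return compare_digest(cookie_token, form_token)

class Browser:
    """Cookie jar scoped per origin: a page served from one origin can neither
    read nor set another origin's cookies, which is what the check relies on."""
    def __init__(self):
        self.jars = {}  # origin -> {cookie name: value}

    def set_cookie(self, origin, name, value):
        self.jars.setdefault(origin, {})[name] = value

    def cookies_for(self, origin):
        return dict(self.jars.get(origin, {}))

def legitimate_form_post(browser, site="https://app.example"):
    """First-party page: the server set the cookie and rendered the same value
    into the form, so the browser submits a matching pair."""
    token = secrets.token_hex(16)
    browser.set_cookie(site, "csrftoken", token)
    post = {"csrfmiddlewaretoken": token, "action": "transfer"}
    return csrf_check(browser.cookies_for(site), post)

def cross_site_form_post(browser, site="https://app.example"):
    """Page on another origin: the browser still attaches the victim's cookie to
    the POST, but the other origin cannot read it, so the field is a guess."""
    browser.set_cookie(site, "csrftoken", secrets.token_hex(16))  # victim logged in
    guess = secrets.token_hex(16)  # chosen blind; the real cookie is unreadable
    post = {"csrfmiddlewaretoken": guess, "action": "transfer"}
    return csrf_check(browser.cookies_for(site), post)

def standalone_script_post():
    """A script that owns its own cookie jar passes, as the thread says: the
    token is not a credential, the session cookie is. CSRF protection only
    stops a browser from being made to act with someone else's cookies."""
    token = "anything"
    return csrf_check({"csrftoken": token}, {"csrfmiddlewaretoken": token})
```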
