I'm currently trying to run tests on a django web app, but the csrf token is giving me problems..
I read in a couple of places that I need to use the regex extractor to save the token that is generated, but it didn't work.
I further investigated and I saw that I needed to use a dynamic cookie value, the value is in a cookie named:
"csrftoken"
So I tried to use ${COOKIE_csrftoken} but it didn't work.
what should I do in order to use that value of the cookie dynamically?
Try showing in your question where the CSRF Token is located.
If in cookie, then ${COOKIE_csrftoken} will contain it only if you set in user.properties:
CookieManager.save.cookies=true
CookieManager.check.cookies=true
If in response (header or body) then check:
http://jmeter.apache.org/usermanual/component_reference.html#CSS/JQuery_Extractor
http://jmeter.apache.org/usermanual/component_reference.html#Regular_Expression_Extractor
You say you tried them, show how you did it.
How to Load Test CSRF-Protected Web Sites guide has demonstration on how CSRF protection can be bypassed for Django web application for all main post processors (RegEx, CSS, Xpath)
Hope this helps
Related
In Django world, CSRF token is generated in a way that doesn't involve any information known only to the server. It's perfectly possible to generate a valid CSRF token in javascript - Django will happily accept it.
In particular, one could have a piece of javascript that generates valid CSRF token and sets it as a cookie (and it will work fine because of the same origin).
Are there any security related drawbacks of doing that? The only thing I can think of is that such cookie cannot have the http-only flag set (for obvious reasons).
The short answer is No
CSRF is a solution to restrict CSRF attacks. So in the server, a code is generated (and signed) to check is user using built-in js codes or not. for example, a user can call a function without CSRF protection in the browser console or with a browser extension or with curl without any browser, in this condition, you cannot understand is user knows this function call or not!
On the other side, you want to make a new CSRFTOKEN and send it to the server with ajax and this service cannot protect with CSRF. So the hackers can use this ajax call for CSRF forgery! And the hacker can find your CSRF maker code in your js libraries.
For your Idea, you can use some user info and save it in session info such as use-agent, client-IP, and ...
I'm building an application with django , Drf and currently using vanilla JS as Frontend for now.
I searched almost all through web on different use case for authentication on the web and I found out different links but these links seem to always favour the session authentication and token authentication.
Using Django helps us with the session authentication as default so I decided to study the auth process using a token auth.
While doing this, I initially used the localstorage as a store for my tokens gotten from the backend response after user authenticates, But for some reasons which are valid , most devs/engineers advise against using the localstorage as it prones one to xss attacks..
So I decided to implement the httponly cookie method, but I haven't seen a practical use of this done on Django, I've seen theories on implementing all these but haven't seen someone done this..
Please how can I use the httponly cookie with my token stored as a cookie with DJANGO
EDIT
I know a httponly cookie does not allow JavaScript to access a cookie, so I decided to do this.
Django sends the cookie httponly with the token as the cookie
User makes a request to the backend
server gets the token from the cookie sent as a request from the backend.
4)"where the problem now comes" I can't set the token as an header in Django, I tried using the request.headers['Autho...] = Token ....
But that doesn't allow item assignment..
So if my logic is correct this is where I'm stucked
EDIT So this time, I am now able to add a header from the server , using request.META to pass an Authorization key with the Token .... Value, that seems to work fine instead of having to use request.headers for passing an assignment..
But something happened which shocked me, in as much as I'm able to change or add an authorization token from the server , the view still gives me an error, much like I never passed a token at all.....
It's like after the whole efforts and everything nothing still changes, except if it's requested from the client side 😢.
Guess I will have to stick with localstorage for now, but still research more or wait for answers .
I've done the Authentication with token using httponly cookie..
I recalled when I asked questions and some loving guys from here helped tho, we couldn't see a straight off answer as we had to research and think as well...
The steps I used was this.
Django takes in user credentials
Django authenticate that credentials
a token is exchanged for that data
we set the token to a cookie using
set_cookie(.... , httponly=True)
** Then it was now time for the real workout .
I created a middleware which will be responsible for setting the token to an Authorization key in header dict.. instead of allowing the client to do this.
---- The client couldn't handle this coz it was now a httponly flag which will prevent js from accessing it as the purpose of using httponly was for this to prevent xss attacks when tokens/cookies are normally stored in a browser storage
we then handle the middleware to our taste, as in mine I tried making sure it work for only some views and not all views (will be planning on making a custom decorator for it)
then last was to 🤔🤔 we'll have fun and smile at seeing me create something as such without a previous tutorial...
The GitHub repo link https://github.com/HarryAustin/tweeter-DrfTest-httonlycookie
How can I setup PAW to work with Facebook locally for development? Or even at all for that matter?
I have a node.js backend that I'm setting up with Facebook Auth. Every one of my routes needs the user to be logged in. I have two endpoints related to FB Auth. localhost:3000/api/v1/loginFB and localhost:3000/api/v1/callbackFB. Both of these work great in a web browser.
loginFB simply returns this string... https://www.facebook.com/dialog/oauth?client_id=523534457345&redirect_uri=https://localhost:3000/api/v1/callbackFB&scope=email,public_profile,user_friends.
When I call that URI in a browser, it returns a code=blahblah which my callbackFB endpoint uses to fire off another request to get the access token. All good.
So now in PAW I'm confused by the difference between the request URI and the Authorization URL text field? Should I use the loginFB URI for my request URI? And then https://www.facebook.com/dialog/oauth in the Authorization URL textfield?
Basically what's happening is that when I click Get Access Token, it returns the code but my callbackFB endpoint 500's by saying "This authorization code has been used." The code that it's getting returned is definitely different each time I Get Access Token.
This is where I'm at with this thing (Client ID and Client Secret are actually my App ID and App Secret from fb's dev management site, and the Access Token URL is actually set to https://graph.facebook.com/v2.3/oauth/access_token which I'm 99% sure is the correct URI):
This is the error I get when I click Get Access Token button:
It would be awesome to get some advice from anyone with experience with this issue. Thanks.
Re: #MichaMazaheri
tl;dr Fixed in version 2.2.2
Sorry for the super late follow-up. We actually fix this exact issue in Paw 2.2.2, which is already released on our website, and pending review for the Mac App Store. (It was some JSON vs. Form URL-Encoded parsing issue). Thanks for reporting.
Given:
A default-configured django service, and;
A default-configured django rest framework:
How do I log in?
By "default-configured", I mean that I followed the suggested tutorials of both websites.
However, neither django nor the django rest framework discusses how to use the authentication system as a user. They often seem to discuss authentication from the point of view of the python code running within the django framework.
Where can I read concise, clear documentation that tells me how the user requests the website with correct authentication?
I know that my DEFAULT_PERMISSION_CLASSES in 'REST_FRAMEWORK' is set to: rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly
Which implies that I am probably using whatever authentication is set in the django webservice by default.
And I know that my django instance has "Authenticationmiddleware" and "CsrfViewMiddleware" and the like, whatever they mean. (Ok, CSRF is easy to google, but that's besides the point)
The relevant django documentation seems to be https://docs.djangoproject.com/en/1.5/topics/auth/default/
However, that doesn't tell me how to actually log INTO the website so that I can POST some data.
Where can I find simple, concise instructions that tell me how to:
GET some data as a particular user, and.
POST some data as a particular user.
In the mean time, I will continue perusing the documentation.
So far I have attempted to do:
Obtain the csrf cookie by using GET /api-auth/login/
Perform the login by using POST /api-auth/login/ and providing the cookie obtained in the previous step.
However, Django still detects forgery.
Here is how to do it:
django-rest-framework provides a login page for you if you follow the documentation at http://django-rest-framework.org/
django by default, at least in version 1.5, uses CSRF tokens for security.
In order to login, you need to:
Obtain the cookies by visiting the login page, at /api-auth/login/, including the csrftoken and sessionid. This will be something like: csrftoken=123411231234123; sessionid=143212341234123412
Send the login page as a http POST using the above cookies, and setting the POST as a form with username, password, and csrfmiddlewaretoken as the form elements.
** The value of the csrfmiddleware should be that of the csrftoken value.
So, to re-iterate, the following must be set:
All the original cookies must be set in the POST headers.
The username in the POST form.
The password in the POST form.
The csrfmiddlewaretoken in the POST form.
Please VOTE TO CLOSE instead of downvoting. I can't delete the question now that there are answers for it.
I've been playing with JMeter a few days now and I'm starting to get into the steeper part of the learning curve it seems. I've added a login request (i had to put it in a Loop Controller in the Thread Group). I then have a cookie Manager followed by two requests that are made by the browser (according to fiddler) after logging in. These next two requests require a cookie though and they don't seem to be working right now. I've set the Cookie Manager to "compatibility" for Cookie Policy. Then I look at the view results tree and I see that the two requests after login are failing and in the Request tab I see "[no cookies]".
Rather perplexing. Here's a screenshot.
i've modified my login request a bit:
however the next request still fails with a "not logged in" and "forbidden" message:
Not sure as i don't have full test plan but your login request seems to have failed because you get a redirect from http to https in tree result.
As you can see in tree you have 2 samples inside
Login one with http then one i http.
I suggest if you are a beginer to read this :
http://jmeter.apache.org/usermanual/jmeter_proxy_step_by_step.pdf
It will help you build easily yoyr test plan.
I you don't succeed with proxy then I suggest you remove loop controller and test with only one iteration to see what's happening.
You can click on sampler in tree result and select request tab.
Check that your login request is using https, it's in scheme of http sampler.
If it's a redirect that you cannot anticipate, then disable follow redirect and with a regexp post processor:
http://jmeter.apache.org/usermanual/component_reference.html#Regular_Expression_Extractor
extract the url from the redirect and submit it with login and password in next http sampler.
Regards
I had to learn a little bit more about the requests being made to the system in order for this to work. Instead of a call to www.server.com/login, i made a request to www.server.com/sessions.json and provided a json file with username and password. doint this set the cookie and the cookie manager took over. Then without modifying the other two requests, everything was honky dory.
Based on the images that you have posted, I found the error.
Cookie manager should be under the scope "Test plan". You have created a Cookie manager with the scope HTTP request.
Please leave the HTTP Cookie Manager with the standard settings. It should work.
enter image description here
For more details refer to the below JMeter Documentation
http://jmeter.apache.org/usermanual/component_reference.html#HTTP_Cookie_Manager