I'm using the CIM hosted page in my website page like:
<form method="post" action="https://secure.authorize.net/profile/manage"
id="formAuthorizeNetPage" style="display:none;">
<input type="hidden" name="Token"
value="pfGaUNntoTxZYeqqYDjGCQ4qyCHcsXGXLJ2i7MPCEiH6CH5n5qKqcl8EBiTClxu01B
SeH5eZg7LVUVVzw5kJKVMitQ3pyMB5UZCduMWd6Ku9aT2gyFm69EKMGfyWPmI4p+Bb4TJf2F0
7rInSrn2MWlM6f2xd7aRu1XBn0WXoPxK1j9FMGX2CNCoCBp3cOXB7"
/>
</form>
My confusion is how to get the Token value here.
Pass this XML as a request:
<?xml version="1.0" encoding="utf-8"?>
<getHostedProfilePageRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <merchantAuthentication>
    <name>loginname</name>
    <transactionKey>transactionkey</transactionKey>
  </merchantAuthentication>
  <customerProfileId>cim_id</customerProfileId>
  <hostedProfileSettings>
  </hostedProfileSettings>
</getHostedProfilePageRequest>
and check its response, where you can find the token value for a particular CIM user profile :)
I'm working on a Django project and I can make a CSRF attack from an external URL or file. How can I block it?
The attack consists of:
I create a file with this content:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://XXXXXX.com/YYYYY/AAAAAA/LLLLLL">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
I log in on my page
I open the file in the same browser
I click the submit button
The request is accepted and the action is executed.
Thanks for everything :)
Solved
django.middleware.csrf.CsrfViewMiddleware does not provide CSRF protection if the request is GET:
    # Assume that anything not defined as 'safe' by RFC7231 needs protection
    if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
        if getattr(request, '_dont_enforce_csrf_checks', False):
            # Mechanism to turn off CSRF checks for test suite.
            # It comes after the creation of CSRF cookies, so that
            # everything else continues to work exactly the same
            # (e.g. cookies are sent, etc.), but before any
            # branches that call reject().
            return self._accept(request)
Change your method to POST and add the CSRF token:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://XXXXXX.com/YYYYY/AAAAAA/LLLLLL" method="post">
{% csrf_token %}
<input type="submit" value="Submit request" />
</form>
</body>
</html>
and handle it inside your view:
if request.method == 'POST':
    # your logic here
Make sure that 'django.middleware.csrf.CsrfViewMiddleware' comes before any view middleware that assumes CSRF attacks have already been dealt with.
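To make the answer's point concrete, here is an added, self-contained Python model of the decision the middleware makes (this is example code, not Django's own: the Request class, the 405 view and the token handling are assumptions that mirror the logic quoted above). It shows that a GET never reaches the token check, so the only effective fix is to refuse non-POST requests in the view and require the token on POST.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Methods RFC 7231 calls "safe": the middleware lets them through without a
# token, which is exactly why a GET-triggered action is unprotected.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:
    """Stand-in for an HTTP request (assumption: not Django's HttpRequest)."""
    method: str
    cookies: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)


def issue_token() -> str:
    """Fresh random token to put in the csrftoken cookie and the form."""
    return secrets.token_urlsafe(32)


def csrf_check(request: Request) -> str:
    """Mirror of the middleware decision: safe methods pass untouched, unsafe
    methods must carry a form token that matches the cookie token."""
    if request.method in SAFE_METHODS:
        return "accept"
    cookie = request.cookies.get("csrftoken", "")
    submitted = request.POST.get("csrfmiddlewaretoken", "")
    # Constant-time comparison avoids leaking the token through timing.
    if cookie and hmac.compare_digest(cookie, submitted):
        return "accept"
    return "reject"


def state_changing_view(request: Request) -> int:
    """A view that performs an action. Refusing anything but POST is what
    closes the hole: the action can no longer be triggered by a plain GET."""
    if request.method != "POST":
        return 405  # Method Not Allowed
    return 200  # the real work would happen here


def handle(request: Request) -> int:
    """Run the middleware decision first, then the view, as Django does."""
    if csrf_check(request) == "reject":
        return 403
    return state_changing_view(request)


if __name__ == "__main__":
    token = issue_token()
    print(handle(Request("GET")))                                   # 405
    print(handle(Request("POST", {"csrftoken": token}, {})))        # 403
    print(handle(Request("POST", {"csrftoken": token},
                         {"csrfmiddlewaretoken": token})))          # 200
```

Note that with the original GET-handling view the first call would return 200: the middleware accepts the GET, and the view happily does the work. Moving the action behind POST plus the token is what turns that into a 405 (or a 403 for a forged POST).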
Base URL:
path('api/product/',
include(('store.urls', 'store'),
namespace='api-product')),
Store URL:
path('invoice-pdf-get/',
invoice.InvoiceToPdf.as_view(),
name='invoice-pdf-get'),
HTML:
<html>
<body>
<form method="get" action="{% url 'api-product:invoice-pdf-get' %}?R={{ invoice.invoice_unique_number }}">
<input type="submit" value="Generate PDF">
</form>
</body>
</html>
When I hit the button, I get this URL in the browser:
http://localhost:8000/api/product/invoice-pdf-get/?
whereas I am expecting:
http://localhost:8000/api/product/invoice-pdf-get/?invoice_number=SOMEKEY
If I submit a hidden-type input via the form I get the expected result, but I was reading Daniel Roseman's SO answer on passing a parameter via GET.
Inspect shows the URL (see image), so why am I not getting the expected result?
When a form is submitted via GET, the values in the form are sent as the querystring. This overrides any querystring in the action URL. See this SO answer for example.
You should put your value as a hidden input in the form itself.
<form method="get" action="{% url 'api-product:invoice-pdf-get' %}">
<input type="hidden" name="R" value="{{ invoice.invoice_unique_number }}">
<input type="submit" value="Generate PDF">
</form>
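As an added illustration of the behaviour the answer describes (this is example code, not from the question or from Django), the function below computes the URL a browser requests when a method="get" form is submitted: the action's own query string is thrown away and replaced by the URL-encoded form fields, so a `?R=...` written into `action=` never reaches the server, while a hidden input named `R` does.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def get_form_submission_url(action: str, fields: dict) -> str:
    """Return the URL a browser navigates to for a method="get" form.

    Following the HTML form-submission rules for GET, the query part of the
    action URL is discarded and replaced by the url-encoded form data set.
    Browsers emit the "?" even when the data set is empty, which is the
    trailing "?" seen in the question.
    """
    parts = urlsplit(action)
    base = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    url = base + "?" + urlencode(fields)
    if parts.fragment:
        url += "#" + parts.fragment
    return url


def server_sees(url: str) -> dict:
    """What a view would get back from request.GET for that URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# Constructed stand-ins for the rendered template values.
BROKEN_ACTION = "http://localhost:8000/api/product/invoice-pdf-get/?R=SOMEKEY"
FIXED_ACTION = "http://localhost:8000/api/product/invoice-pdf-get/"

if __name__ == "__main__":
    # The submit button has no name, so the form data set is empty.
    print(get_form_submission_url(BROKEN_ACTION, {}))
    # The hidden input carries R into the query string instead.
    print(get_form_submission_url(FIXED_ACTION, {"R": "SOMEKEY"}))
```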
I have been tasked with finding out how to integrate SAML single login with an existing application, and I'm finding it MORE than difficult to find answers past setting up an Identity Provider.
For a first-pass attempt I have set up a Google G Suite SAML app...
I have the information (entityId, ACS URL, IdP metadata XML).
I have set up a URL for a test application, and I'm trying to find ANY information on what to write... I can find NO code samples... Of course I can find other service providers' "implementation" samples, but that doesn't help me, as my app will be the service provider.
ANY help on this, on how to code a 'log in' button for a Google SAML app.
Here is the code I'm trying - it's in ColdFusion, but you'll get the gist - the response is status code 400.
<cfsavecontent variable="req">
<cfoutput>
<!--- Destination must be the IdP endpoint the request is posted to
      (the form action below), not one of the SP's own URLs --->
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="!!!!!GENERATEDUNIQUEREQUESTID!!!!!"
Version="2.0"
ProviderName="SP test"
IssueInstant="2014-07-16T23:52:45Z"
Destination="https://accounts.google.com/o/saml2/idp?idpid=!!!!!IDCODE!!!!!"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://saml.MYDOMAIN.com/acs/process">
<saml:Issuer>https://saml.MYDOMAIN.com/sp/entityId</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
</cfoutput>
</cfsavecontent>
<html>
<head>
</head>
<body>
<cfoutput>
<div>
<form id="login-google" action="https://accounts.google.com/o/saml2/idp?idpid=!!!!!IDCODE!!!!!" method="post">
<!--- The HTTP-POST binding carries an AuthnRequest in the SAMLRequest
      field; SAMLResponse is the field the IdP uses when replying to the ACS --->
<input type="hidden" name="SAMLRequest" value="#toBase64( trim( req ), 'utf-8' )#" />
<input type="submit" value="Login" />
</form>
</div>
</cfoutput>
</body>
</html>
I have a Django template which has multiple <a> tags.
<a class="label label-success" href="get_status/?token={{book.token}}">Update</a>
On clicking it, a view method is called where I can access the token from the URL as
tkn = request.GET.get('token')
But now I don't want to send the token in the URL.
I searched for this and learned about forms, but I did not clearly understand them. Can anyone please help here?
For future reference: I created a form and added a hidden input field to it.
On clicking the submit button it will send the token value.
<form action="get_Status/" method="post">
{% csrf_token %}
{{ form }}
<input type="hidden" name="book_token" value="{{book.token}}">
<input type="submit" class="submit_btn btn label-success" value="Update" />
</form>
And in views.py:
book_token = request.POST.get("book_token", " ")
You can use the basic HTML form concept here.
Please check the link:
How to submit a form with JavaScript by clicking a link?
Use JavaScript/jQuery to submit the form.
Insert the token value in a hidden field and use the form to submit it to the view.
Then in the view, you can get the value as: request.POST['token']
I added a PayPal Donate button on my site with this code:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="business" value="pro-email@gmail.com">
<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="item_name" value="Donation">
<input type="hidden" name="item_number" value="Donation">
<select name="amount"><option value="2.00">$2.00</option><option value="5.00">$5.00</option><option value="10.00">$10.00</option></select>
<input type="hidden" name="currency_code" value="EUR">
<input type="image" name="submit" border="0" src="https://www.paypal.com/en_US/i/btn/btn_donate_LG.gif" alt="PayPal - The safer, easier way to pay online">
</form>
I want to add and show donors' names or emails with the $ amount in a list on my website after someone pays. How can I do this?
I would set something like that up using PayPal Instant Payment Notification (IPN).
It will automatically POST data about transactions to a listener script you have on your server. That script can receive the data and load it into a database table called "donors" or whatever you want to call it.
Then on your site you can simply pull the data from the donors table and display it accordingly.
Since you're using WordPress I'd recommend taking a look at this PayPal IPN for WordPress plugin. It's free and it will get you up and running with IPN very quickly. It logs all of the IPN data in WordPress and allows you to easily extend the plugin using a number of hooks to trigger events based on different IPN types or payment status.
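As an added example of the listener the answer describes (example code, not the plugin's or PayPal's own), here is a minimal IPN handler in Python. It goes one step beyond the answer: before a notification is stored in the donors table it is posted back to PayPal's IPN verification endpoint with `cmd=_notify-validate` prepended (PayPal replies VERIFIED or INVALID), the receiver address is checked against the merchant's own, only Completed payments count, and `txn_id` is a primary key so a replayed notification is not counted twice. The sample IPN body, the merchant address and the in-memory SQLite table are constructed for the example; the verifier is injectable so the offline run uses a stub instead of the network.

```python
import sqlite3
import urllib.request
from typing import Callable
from urllib.parse import parse_qsl, urlencode

# Assumed merchant identity; must match the "business" field of the button.
MY_BUSINESS_EMAIL = "pro-email@example.com"

# PayPal's live IPN verification endpoint (sandbox uses ipnpb.sandbox.paypal.com).
IPN_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

# Constructed sample notification, form-encoded exactly as PayPal posts it.
SAMPLE_IPN = urlencode({
    "txn_id": "TXN-CONSTRUCTED-0001",
    "txn_type": "web_accept",
    "payment_status": "Completed",
    "receiver_email": MY_BUSINESS_EMAIL,
    "payer_email": "donor@example.com",
    "first_name": "Ada",
    "mc_gross": "5.00",
    "mc_currency": "EUR",
})


def open_donors_db() -> sqlite3.Connection:
    """In-memory 'donors' table; a real site would use its normal database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE donors (txn_id TEXT PRIMARY KEY, name TEXT, "
        "email TEXT, amount TEXT, currency TEXT)"
    )
    return conn


def verify_with_paypal(raw_body: str) -> str:
    """Echo the unmodified body back to PayPal; the reply is VERIFIED or INVALID."""
    data = ("cmd=_notify-validate&" + raw_body).encode()
    req = urllib.request.Request(IPN_VERIFY_URL, data=data,
                                 headers={"User-Agent": "donation-listener/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode().strip()


def handle_ipn(raw_body: str, conn: sqlite3.Connection,
               verify: Callable[[str], str] = verify_with_paypal) -> str:
    """Process one IPN POST body and report what was done with it."""
    if verify(raw_body) != "VERIFIED":
        return "rejected: not verified"
    fields = dict(parse_qsl(raw_body, keep_blank_values=True))
    # A forged or misdirected notification would name someone else as receiver.
    if fields.get("receiver_email", "").lower() != MY_BUSINESS_EMAIL.lower():
        return "rejected: wrong receiver"
    if fields.get("payment_status") != "Completed":
        return "ignored: status " + fields.get("payment_status", "?")
    try:
        conn.execute(
            "INSERT INTO donors VALUES (?, ?, ?, ?, ?)",
            (fields["txn_id"], fields.get("first_name", ""),
             fields.get("payer_email", ""), fields.get("mc_gross", ""),
             fields.get("mc_currency", "")),
        )
    except sqlite3.IntegrityError:
        return "ignored: duplicate txn_id"  # PayPal may resend; count once
    conn.commit()
    return "stored"


def donor_list(conn: sqlite3.Connection):
    """Rows to render on the public donors page."""
    return conn.execute(
        "SELECT name, amount, currency FROM donors ORDER BY name"
    ).fetchall()


if __name__ == "__main__":
    db = open_donors_db()
    stub = lambda body: "VERIFIED"  # offline stand-in for verify_with_paypal
    print(handle_ipn(SAMPLE_IPN, db, verify=stub))   # stored
    print(handle_ipn(SAMPLE_IPN, db, verify=stub))   # ignored: duplicate txn_id
    print(donor_list(db))
```

In a web framework the `raw_body` is the request body exactly as received; it must not be re-encoded before the verification post-back, because PayPal compares it byte for byte.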