发表新帖
发表新帖

How to fetch and reuse the CSRF token using Postman Rest Client

前端 未结
关注
2 1548
醉话见心
醉话见心 2021-02-06 15:21

I am using Postman Rest client for hitting the rest services. I am getting the following error when I try to execute the rest service from Postman client.

HTTP S
相关标签:
2条回答
  • 无人共我
    2021-02-06 16:03

    There are several ways to protect against CSRF in an application. Depending on which type of protection your services have, you will have to do slightly different things, and it may be relatively difficult.

    Probably the most well-known protection is using synchronizer tokens, in which case you will have to download the page first, read the token and pass it back in the subsequent request, basically emulating a real user. As synchronizer tokens are stateful (require server state in the form of a user session), and your usecase is a RESTful service, I suppose this is not the implemented method.

    Another protection, more suitable for services can be some variation of double posting. In this case, depending on implementation, you will probably have to send back the same token value as a cookie and a request header, most probably.

    Another method the services use may be encrypted tokens, which from your perspective is similar to synchronizer tokens (but stateless).

    Yet another (btw much less secure) method may simply be checking the referer and/or the origin header in requests. In this case you just have to add the appropriate request headers.

    I recommend you observe with a proxy like Fiddler on Windows or something like ZAP Proxy on Linux (or Windows) what method the service normally uses, what header values and cookie names it requires, etc. You can then make your own requests the right way, sending CSRF tokens as your services expect them.

    The easiest way is to hit a GET service first so that we can get the response along with the CSRF token. We can use that CSRF token while sending the POST request again. The CSRF token can be found under the Body of the response in the POSTMAN client.

    0 讨论(0)
  • 无人共我
    2021-02-06 16:13

    1) In Chrome/Firefox, open the console by right clicking anywhere and chose "inspect"(for Chrome) or "inspect element"(for Firefox).

    2) Select "network" tab. 3) 4)

    Do a get request or login first while you see the request made , to get CSRF-TOKEN sent from the server.

    5) In the next post request, use the CSRF-TOKEN from the previous request.

    0 讨论(0)
 看不清?
提交回复
热议问题