CSRF Token Mismatch owasp zap - csrf

After submitting the post request I am getting response code 419 with the error message "CSRF token mismatch". The application is using XSRF-Token cookie.
Please let me know how to solve this.
thanks in advance

XSRF-Token does not appear to be one of the default tokens ZAP recognizes. So you can simply add it via Tools > Options > Anti-CSRF Tokens.
https://www.zaproxy.org/docs/desktop/ui/dialogs/options/anticsrf/
The same can be done via the API as well: https://www.zaproxy.org/docs/api/#acsrfactionaddoptiontoken

Related

Error 401 Authentication failed. Browser based integrations - to login append '?login-form-required=y' to the url you tried to access

In PostMan I'm trying to authenticate with RestAPIs provided in HPALM Guide (API Reference)
At first for authentication if I run this api "almserver/qcbin/authentication-point/alm-authenticate"
it gives
200 OK
but when I check the authenticated api "almserver/qcbin/rest/is-authenticated"
it gives
401 Authentication failed. Browser based integrations - to login
append '?login-form-required=y' to the url you tried to access.
and if I append this '?login-form-required=y' particular line in the end of the second api I will get html page as response
HP Application Lifecycle Management 12.53
background-color: #eee
whereas we expect this
Could some one please help me with this one?
#Sergi #Macintosh_89 I met the same issue with Manu, i post http://almserver***/qcbin/authentication-point/alm-authenticate, but only LWSSO_COOKIE_KEY return back without QCSession, do u knew why?
Your request to almserver/qcbin/authentication-point/alm-authenticate will return a LWSSO_COOKIE_KEY cookie.
You need to add this cookie to the request to almserver/qcbin/rest/is-authenticated.

OAuthException code 100

I'm getting the error:
{"error":{"message":"Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request","type":"OAuthException","code":100,"fbtrace_id":"C0VqQrGq4iM"}
I manually built the login flow with the resulting dialog url:
https://www.facebook.com/dialog/oauth?client_id=970056533030026&auth_type=rerequest&scope=email&display=popup&redirect_uri=https://www.opentable.ie/my/oauth/facebook
On our FB app settings we have:
App Domains has opentable.ie
On Advanced Settings - Valid OAuth redirect URIs we have https://www.opentable.ie/my/oauth/facebook
When I went back to see my logs I saw that redirectUri lost https and is using plain http, that's the only pointer I have.
Any ideas on why we get this error? Thanks guys

Linkedin OAuth2 authorization code error

I´m trying to connect via Linkedin Auth2 from a java web application:
Added my own app in linkedin.
Generate the authorization URL: https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=XXX&scope=r_basicprofile%20r_fullprofile%20r_emailaddress&state=DCEEFWF454Us5dffef424&redirect_uri=http://localhost:9090/springmvc/token.htm
Introduce my login/password for linkedin in the new popup.
Get back successful the request on the redirect_uri previus, and take the authorization code "code"
Generate the accessToken URL
Make a POST with: https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=YYY&redirect_uri=http://localhost:9090/SpringMVC/token.htm&client_id=XXX&client_secret=ZZZ
Get next error in response: {"error_description":"missing required parameters, includes an invalid parameter value, parameter more than once. : Unable to retrieve access token : appId or redirect uri does not match authorization code or authorization code expired","error":"invalid_request"}
I´ve verified url parameters are correct:
- "code" is the token receive on step 4.
"redirect_uri" is the same URL on step 2 and 4. I added this URL on section "OAuth 2.0 redirect URL" on my APP.
"client_id" and "client_secret" are the "Client API" and "Secret API" on my APP.
Time between first and second request is less than 20 seconds.
The value of your redirect_uri parameter must be URL-encoded, so at 6. do:
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=YYY&redirect_uri=http%3A%2F%2Flocalhost%3A9090%2FSpringMVC%2Ftoken.htm&client_id=XXX&client_secret=ZZZ
and it need not be sent as a POST but as a GET.
If You Are Sending a Request For Access Token it must be POST Request
Refer the OAuth Documentation
I actually Copied the Whole URL From My Eclipse Console To URL It is Still Valid
In Your Case The Problem is with URL Encoding As HanZ said .
You Have to Encode Your URL For Post Request.
I too got bugged with this issue for long time. Please keep few things in mind which I did and eventually sorted it out.
Hit the api to get authorization code by using get request.
The authorization code has a life span of about 20 seconds, so its difficult to manually copy the code from the url and make a request for token access. You should do it pro-grammatically.
Make a post request for getting access token.
Most Important: Old linkedin applications that I had created was not working and giving the above error. Create a new linkedin application and try. Doing this worked for me.
I assume that all the other parameters like client_id, secret, redirect_uri are correct.
please try and let us know.
Thanks.

PHPStorm REST Client - Basic Authentication

I have written my own API which requires basic authentication, such as:
user:james
pass:1111
I can call resources using urls such as:
http://api.james.com/myapi/orders/get
I wish to be able to use the REST client in PHPStorm but I cannot work out how to send my authentication details. Does anyone know how to do this? Do you have to setup a Proxy server, or can you pass the authentication somehow in the URI above?
Any help would be appreciated.
Regards
James
For usage Basic Auth you will need send header 'Authorization', for example:
Authorization: Basic amFuc29uQG1haWwucnU6MTIzNDU2
Value of this header you can get from debug console of your browser (firebug in FireFox or developer tools in Chrome). Start GET request from your browser, when you will need authorize - do it. Than open debug console 'network' tab and try this request one more time.
Now you will find in headers new one 'Authorization', that formed by browser when you was authorized.
Just copy content of this header and use it in PhpStorm REST-client.

oauth token for sinatra oauth2-provider

I am new to Sinatra and want to get it working with oauth2-provider gem. I followed instruction https://github.com/songkick/oauth2-provider#readme and looked at example. But after i've got access_token, i can't get information from Oauth endpoint using this. It generate 401 not Unauthorized error. From my application i do request
http://localhost:9292/me?access_token=, i've tried html request as well as json request, but without success.
Anybody faced with this problem ?
Looks like you did your request using HTTP vs HTTPS. Did you try setting Songkick::OAuth2::Provider.enforce_ssl = false for now?