Thanks for your previous help. I'm running into another issue. In our code we have various iFrames that are being included depending on where the user is. Here is an example:
The iframe, when loaded as part of the page, doesn't get the csrfpId. Any suggestions for this scenario?
Regards,
-dave hojo
I can't imagine why this happens...
As I'm slowly starting to understand what's going on, I made this addition:
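    function addToIframe(paramName, csrfId) {
        // Append the CSRF parameter to the src of every iframe that points at a PHP page.
        var nodes = document.getElementsByTagName('iframe');
        for (var i = 0; i < nodes.length; i++) {
            // Use "?" when the URL has no query string yet, "&" otherwise.
            var sep = nodes[i].src.indexOf("?") === -1 ? "?" : "&";
            var append = sep + paramName + "=" + csrfId;
            var matched = nodes[i].src.match(/php/);
            if (matched) {
                nodes[i].src += append;
            }
        }
    }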
It works until the iframe resubmits, at which time I get this which I'm at a loss to figure:
error_log:
[Tue Jul 01 23:06:37 2014] [error] [client 172.16.130.18] mod_csrf(020): request denied, no 'csrfpId' parameter in request, action=deny, id=-, referer: http://.../../device_ping_downs.php?GID=kh6tf5vikms8mmjv2223nr7k90&csrfpId=9kpxJBXG5m9Rk6WHUFgbMwf5Iczo24v7MioUy5sAF-XPlNz9drulUH9cpktnxj4t
access_log:
172.16.130.18 - - [01/Jul/2014:23:06:37 -0400] "GET /../device_ping_downs.php?GID=kh6tf5vikms8mmjv2223nr7k90 HTTP/1.1" 403 330 "http://.../../device_ping_downs.php?GID=kh6tf5vikms8mmjv2223nr7k90&csrfpId=9kpxJBXG5m9Rk6WHUFgbMwf5Iczo24v7MioUy5sAF-XPlNz9drulUH9cpktnxj4t" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
My only guess is that after the first time device_ping_downs.php ran, the server wanted a new csrfpId for the subsequent reload?
access_log
First: The injected script is only executed when loading the HTML page (same within an iframe). As far as I know, it is also possible to register functions to DOM tree changes. I guess such an approach could be used to add the id to HTML nodes which are loaded after the initial script execution. But be aware that this kind of JS may have an impact on performance (JS processing within the browser).
Second: You may add HTML nodes and their attributes to the provided csrf.js script if you need. The "types" array is intended to be used for this.
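The approach suggested in the answer above (tagging nodes that appear after the initial script run), as an added example that is not part of the thread or of mod_csrf's own csrf.js. The names tagUrl, tagNode and watchDom are hypothetical, and the same-origin check is an assumption added here so the id is never appended to URLs on other hosts:

```javascript
// Added example, not mod_csrf's csrf.js. tagUrl, tagNode and watchDom are
// hypothetical names; `types` mirrors the array discussed in the thread.
var types = [["a", "href"], ["iframe", "src"]];

// Return url with name=id in its query string. The url is returned unchanged
// when it is cross-origin (token must not leak) or already has the parameter.
function tagUrl(url, name, id, base) {
  var u;
  try { u = new URL(url, base); } catch (e) { return url; }
  if (u.origin !== new URL(base).origin) return url;
  if (u.searchParams.has(name)) return url;
  u.searchParams.append(name, id);   // picks "?" or "&", keeps any #fragment
  return u.href;
}

// Tag one element if its tag name is listed in `types`.
function tagNode(node, name, id, base) {
  types.forEach(function (t) {
    if (!node.nodeName || node.nodeName.toLowerCase() !== t[0]) return;
    var cur = node.getAttribute(t[1]);
    if (!cur) return;
    var next = tagUrl(cur, name, id, base);
    if (next !== cur) node.setAttribute(t[1], next);
  });
}

// Browser only: tag elements inserted after the initial page load.
function watchDom(name, id) {
  var base = document.location.href;
  new MutationObserver(function (records) {
    records.forEach(function (r) {
      r.addedNodes.forEach(function (n) {
        if (n.nodeType !== 1) return;            // elements only
        tagNode(n, name, id, base);
        types.forEach(function (t) {             // and matching descendants
          n.querySelectorAll(t[0]).forEach(function (c) {
            tagNode(c, name, id, base);
          });
        });
      });
    });
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

The observer only sees changes in the document it runs in; a page that reloads inside an iframe is a separate document and needs the script loaded in that page.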
Thanks for the heads up. I'll see about registering the script in the iframe and leveraging the types array.
Hi,
I extended the types array and it is injecting fine on first execution:
    var types = [
        ["a", "href"],
        ["iframe", "src"]
    ];
But when I execute the form (post-submit) of the iFrame it is not executing the csrf.js again. When clicking on the submit-button it is regenerating the page inside the iframe, but the js is not parsing the DOM.
Any help is appreciated
Best,
Johannes
Last edit: Johannes 2014-07-17