How django safely bypasses a random CSRF token for AJAX requests.
Django will allow AJAX requests that contain the following header without the need for any CSRF token: X-Requested-With: XMLHttpRequest
See: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/
While it's true that an individual user could tamper with their own headers, a cross-domain attack such as CSRF cannot add or modify custom headers on another user's request. See discussion here
Testing?
Intercept a request and remove the X-Requested-With header.
You should get a 403 FORBIDDEN response if the CSRF defense is working correctly.
-Michael Coates - @_mwc
OWASP CSRFGuard actually enhances this strategy by including an additional custom header whose value corresponds to the user's current CSRF prevention token. If an attacker is somehow able to spoof the X-Requested-With header across origins, then they must also somehow obtain or guess the targeted victim's CSRF prevention token as well. I think this provides a much stronger defense. You can check out more at http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
-Eric
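The following is an added example, not code from the post, from Django, or from CSRFGuard. It models the two rules discussed above in one small Python function: the post's rule (a state-changing request is accepted when it carries X-Requested-With: XMLHttpRequest, otherwise it must carry the session's token) and Eric's stricter CSRFGuard-style variant (the custom header grants nothing by itself; the token must be supplied in a header or form field). It then replays the "Testing?" step: the same AJAX request is checked with the header present and again with it stripped, and the second should come back 403. The function names, the X-CSRF-Token header name, and the request bodies are hypothetical or constructed; csrfmiddlewaretoken is Django's real form field name. One caveat a practitioner should know: the exemption the post describes existed in Django up to 1.2.4; from 1.2.5 onward Django requires the token on AJAX requests as well, so the lenient mode below reflects the behaviour as the post describes it, not current Django.

```python
import hmac
import secrets

# Methods that never change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def check_csrf(method, headers, form, session_token, strict=False):
    """Return the HTTP status the CSRF check would produce (200 or 403).

    strict=False models the rule described in the post: a request that carries
    X-Requested-With: XMLHttpRequest is accepted without a token.
    strict=True models the CSRFGuard-style variant from the comment: the custom
    header is ignored and a token matching the session's token is mandatory,
    supplied either in the (hypothetical) X-CSRF-Token header or the form field.
    """
    if method.upper() in SAFE_METHODS:
        return 200

    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}

    if not strict and h.get("x-requested-with") == "XMLHttpRequest":
        return 200

    supplied = h.get("x-csrf-token") or form.get("csrfmiddlewaretoken") or ""
    # Constant-time comparison so a mismatch leaks nothing through timing.
    if supplied and hmac.compare_digest(supplied, session_token):
        return 200
    return 403


def run_header_removal_test(session_token, strict=False):
    """Replay the post's testing step: send an AJAX POST with the header,
    then the same POST with the X-Requested-With header stripped out."""
    # Constructed sample request: an AJAX form post that carries no token.
    ajax_headers = {
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"amount": "100", "to": "acct-42"}

    with_header = check_csrf("POST", ajax_headers, form, session_token, strict)

    # "Intercept a request and remove the X-Requested-With header."
    stripped = {k: v for k, v in ajax_headers.items()
                if k.lower() != "x-requested-with"}
    header_removed = check_csrf("POST", stripped, form, session_token, strict)

    return {"with_header": with_header, "header_removed": header_removed}


if __name__ == "__main__":
    token = secrets.token_hex(16)  # stands in for the user's session token
    print("lenient:", run_header_removal_test(token))
    print("strict: ", run_header_removal_test(token, strict=True))
    # A request that carries the token passes in both modes.
    print("token in header, strict:",
          check_csrf("POST", {"X-CSRF-Token": token}, {}, token, strict=True))
```

In lenient mode the result is {'with_header': 200, 'header_removed': 403}, which is exactly the 403 the post says to look for. In strict mode both requests are refused, because the header alone no longer proves anything and only the token does.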