CSRF_NONCE Validation

MFT has hardened the JSONDIRTREE view by validating a CSRF nonce. Every jsondirtree request must carry a CSRF token, referred to as CSRF_NONCE, which protects these requests against cross-site request forgery (CSRF).

Here is how this works: the first jsondirtree request must be executed with no parameters other than the view. This request does not require a CSRF_NONCE, and its response returns a CSRF_NONCE that must be used on the next jsondirtree request.

For example:

https://localhost:8443/cfcc/control?view=view/filetransfer/jsondirtree.jsp

This returns a response like this:
{"vmgrname":"null","deldir":"N","errmsg":"\"Unknown action: null\"","changemode":"","delfile":"N","readfid":"","token":"-8923610393526332683","rc":1,"path":"\/","writefid":"","rename":"N","action":null,"create":"N","csrftoken":"&org.apache.catalina.filters.CSRF_NONCE=0BC0207D47896DBF5EEA627EEA716193","currentmode":"","currentcrlf":""}
Note: The csrftoken field of the response carries the CSRF_NONCE parameter (here 0BC0207D47896DBF5EEA627EEA716193). This is the CSRF_NONCE that must be used on the next jsondirtree request.

https://localhost:8443/cfcc/control?view=view/filetransfer/jsondirtree.jsp&action=gettree&path=/&org.apache.catalina.filters.CSRF_NONCE=0BC0207D47896DBF5EEA627EEA716193

Each jsondirtree response returns a CSRF_NONCE. That CSRF_NONCE must be appended to the URL of the next jsondirtree call in the format: &org.apache.catalina.filters.CSRF_NONCE=nonceReturnedOnLastCall
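As an added example (not part of this documentation and not MFT's own code), a small Python client that performs the nonce chaining described above: the parameter-less bootstrap call, extraction of the nonce from the csrftoken field, and use of each returned nonce on the following call. The server it talks to is a constructed stand-in (fake_server, hypothetical) that issues a fresh nonce per response and refuses action requests whose nonce is missing or stale; the product's real behaviour is only what the text above states.

```python
import json
from urllib.parse import urlencode, parse_qs

NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"
BASE_URL = "https://localhost:8443/cfcc/control"
VIEW = "view/filetransfer/jsondirtree.jsp"

def extract_nonce(body):
    """Nonce from the 'csrftoken' field, which has the form '&<NONCE_PARAM>=<hex>'."""
    raw = json.loads(body).get("csrftoken", "")
    values = parse_qs(raw.lstrip("&")).get(NONCE_PARAM)
    if not values or not values[0]:
        raise ValueError("response carries no CSRF_NONCE")
    return values[0]

def build_url(nonce=None, **params):
    """jsondirtree URL; the nonce parameter is appended only once we hold one."""
    query = {"view": VIEW, **params}
    if nonce is not None:
        query[NONCE_PARAM] = nonce
    return BASE_URL + "?" + urlencode(query)

class JsonDirTreeClient:
    """Chains jsondirtree calls, feeding each returned nonce into the next request."""
    def __init__(self, fetch):
        self._fetch = fetch  # callable(url) -> JSON body as a string
        self._nonce = None   # unknown until the parameter-less bootstrap call
    def call(self, **params):
        if self._nonce is None:  # bootstrap: needs no nonce, returns the first one
            self._nonce = extract_nonce(self._fetch(build_url()))
        body = self._fetch(build_url(self._nonce, **params))
        self._nonce = extract_nonce(body)  # rotate: the next call must use this one
        return json.loads(body)

# Constructed stand-in for the server (hypothetical, not the product's code): every
# response carries a fresh nonce; action requests lacking the current one are refused.
_srv = {"nonce": None, "n": 0}
def fake_server(url):
    q = {k: v[0] for k, v in parse_qs(url.split("?", 1)[1]).items()}
    valid = "action" not in q or q.get(NONCE_PARAM) == _srv["nonce"]
    _srv["n"] += 1
    _srv["nonce"] = "%032X" % _srv["n"]
    reply = {"csrftoken": "&%s=%s" % (NONCE_PARAM, _srv["nonce"]), "path": q.get("path", "/")}
    if not valid:
        reply.update(rc=1, errmsg="CSRF nonce missing or stale")
    elif "action" not in q:
        reply.update(rc=1, errmsg='"Unknown action: null"')  # bootstrap reply, as on the page
    else:
        reply.update(rc=0, action=q["action"])
    return json.dumps(reply)
```

To run against a real MFT instance, replace fake_server with a function that performs the HTTPS GET within an authenticated session and returns the response body.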