How to fetch and reuse the CSRF token using Postman Rest Client

Question

I am using Postman Rest client for hitting the rest services. I am getting the following error when I try to execute the rest service from Postman client.

HTTP Status 403 - Cross-site request forgery verification failed. Request aborted.

It appears that the rest services are secured by the implementation of CSRF token. Does anybody has any idea about how to fetch the CSRF token and reuse it for future requests?

Answer 1

1) In Chrome/Firefox, open the console by right clicking anywhere and chose "inspect"(for Chrome) or "inspect element"(for Firefox).

2) Select "network" tab. 3) 4)

Do a get request or login first while you see the request made , to get CSRF-TOKEN sent from the server.

5) In the next post request, use the CSRF-TOKEN from the previous request.

Answer 2

There are several ways to protect against CSRF in an application. Depending on which type of protection your services have, you will have to do slightly different things, and it may be relatively difficult.

Probably the most well-known protection is using synchronizer tokens, in which case you will have to download the page first, read the token and pass it back in the subsequent request, basically emulating a real user. As synchronizer tokens are stateful (require server state in the form of a user session), and your usecase is a RESTful service, I suppose this is not the implemented method.

Another protection, more suitable for services can be some variation of double posting. In this case, depending on implementation, you will probably have to send back the same token value as a cookie and a request header, most probably.

Another method the services use may be encrypted tokens, which from your perspective is similar to synchronizer tokens (but stateless).

Yet another (btw much less secure) method may simply be checking the referer and/or the origin header in requests. In this case you just have to add the appropriate request headers.

I recommend you observe with a proxy like Fiddler on Windows or something like ZAP Proxy on Linux (or Windows) what method the service normally uses, what header values and cookie names it requires, etc. You can then make your own requests the right way, sending CSRF tokens as your services expect them.

The easiest way is to hit a GET service first so that we can get the response along with the CSRF token. We can use that CSRF token while sending the POST request again. The CSRF token can be found under the Body of the response in the POSTMAN client.