I'm going over some source code and trying to figure out where _csrf came from. As far as I can guess, it looks like an implicit EL object. Maybe related to authentication and Spring Security.
The below is the code that contains _csrf.
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
What does ${_csrf} do? Is this an implicit EL object?
A CSRF token is a secure random token (e.g., synchronizer token or challenge token) that is used to prevent CSRF attacks. The token needs to be unique per user session and should be of large random value to make it difficult to guess. A CSRF secure application assigns a unique CSRF token for every user session.
A CSRF Token is a secret, unique and unpredictable value a server-side application generates in order to protect CSRF vulnerable resources. The tokens are generated and submitted by the server-side application in a subsequent HTTP request made by the client.
To protect MVC applications, Spring adds a CSRF token to each generated view. This token must be submitted to the server on every HTTP request that modifies state (PATCH, POST, PUT and DELETE — not GET). This protects our application against CSRF attacks since an attacker can't get this token from their own page.
You can obtain the CSRF using the request attribute named _csrf as outlined in the reference. To add the CSRF to an HTML page, you will need to use JavaScript to obtain the token that needs to be included in the requests.
As described in the documentation, the _csrf variable is provided by Spring Security. A better approach in JSP is to use the csrfInput tag; Thymeleaf includes this automatically and doesn't require including it at all.
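As an added illustration (not code from any of the answers above), the three ways the answers mention of getting the token into a JSP page: the hand-written hidden input from the question, the csrfInput tag from Spring Security's taglib, and a meta tag read by JavaScript for non-form requests. It assumes Spring Security's taglib is on the classpath, CSRF protection is enabled (the default), and the endpoints /transfer and /api/transfer are placeholders.

```jsp
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%-- Assumption: the Spring Security taglib is available and CSRF protection is enabled. --%>
<html>
<head>
  <%-- Expose the token and header name so scripts can attach them to AJAX/fetch requests. --%>
  <meta name="_csrf" content="${_csrf.token}" />
  <meta name="_csrf_header" content="${_csrf.headerName}" />
</head>
<body>
  <%-- Variant 1: the hidden input from the question, written out by hand.
       _csrf is the request attribute Spring Security's CsrfFilter sets on every request. --%>
  <form action="/transfer" method="post">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <input type="text" name="amount" />
    <button type="submit">Transfer</button>
  </form>

  <%-- Variant 2: let the taglib emit the same hidden input for you. --%>
  <form action="/transfer" method="post">
    <sec:csrfInput />
    <input type="text" name="amount" />
    <button type="submit">Transfer</button>
  </form>

  <script>
    // Variant 3: read the token from the meta tags and send it as a request header
    // on a state-changing request that is not a plain form submission.
    const token = document.querySelector('meta[name="_csrf"]').content;
    const header = document.querySelector('meta[name="_csrf_header"]').content;
    fetch('/api/transfer', {   // placeholder endpoint
      method: 'POST',
      headers: { [header]: token, 'Content-Type': 'application/json' },
      body: JSON.stringify({ amount: 10 })
    });
  </script>
</body>
</html>
```

A POST that omits the token in both the parameter and the header is rejected by Spring Security with a 403 before it reaches the controller, which is the check that makes the form unusable from an attacker's page.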
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.
This input protects the form from CSRF attacks by adding a special CSRF token to all of your page requests.
Check this out: https://en.wikipedia.org/wiki/Cross-site_request_forgery https://www.baeldung.com/spring-security-csrf