
When the _csrf token is not tied to the current request and session, the error "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'" appears. CSRF protection, and with it the token attribute on the HTTP request object, was added in Spring Security 3.2.0 (used together with Spring Framework 3.2.x). The session object and the request thread stay the same for the whole request, but if the _csrf request attribute is not present when the JSP is rendered (for example because the request that renders the page did not pass through the Spring Security filter chain), the expressions ${_csrf.parameterName} and ${_csrf.token} evaluate to empty strings, the form submits no _csrf parameter at all, and the server reports the token it received as 'null'.

Explanation #

To understand fully what this error is about, we first need some terminology. We start with the CSRF token.

What is a CSRF token? #

Cross-site request forgery, or CSRF for short, is an attack in which a malicious website, blog, e-mail, instant message or web application tricks a user's browser into performing an unwanted action on a trusted site where the user is currently authenticated. The impact depends on what the vulnerable application lets the victim's account do. At their most basic, CSRF attacks force the target application to carry out state-changing operations through the victim's browser without the victim's knowledge; the victim typically learns of the operation only afterwards, if at all. A CSRF token is the standard defence: the server generates an unpredictable value bound to the user's session, embeds it in every form it renders (and exposes it to the page's own scripts), and rejects state-changing requests that do not carry the same value back. Because the attacker's page runs in a different origin, it cannot read the token and therefore cannot forge a request that passes the check.

The server sees a well-formed HTTP request carrying the user's session cookies, which the browser attaches automatically, so it treats the request as coming from the logged-in user. It performs the action, and the user may never notice that something was done on their behalf.

An attacker may thus force an authenticated, logged-in user to carry out a sensitive operation without their knowledge or consent. It is analogous to a con artist forging the victim's signature on an important document, but harder to detect: the forged request originates from the victim's own browser and IP address and carries all of the victim's cookies, so in the server's logs it is indistinguishable from a legitimate request. In other words, any application that lets users submit or change data on the strength of a cookie alone is a potential target.

Conclusion: For a CSRF attack to work, the victim must be logged in to the target site at the moment they open the attacker's content. This condition seems to complicate the attacker's work, but in practice it rarely does: many sites offer persistent "stay logged in" sessions, which keep the victim authenticated for days or weeks and so widen the window in which the attack succeeds.
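The check described above, modelled in plain Java as an added example (this is not code from the original page or from Spring Security's code base). It keeps one random token per session and accepts a state-changing request only if the same token comes back in the _csrf parameter or the X-CSRF-TOKEN header, the two names in the error message. The sample requests in main are constructed for illustration; the constant-time comparison is this example's own choice.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

/**
 * Added example: a minimal model of the synchronizer-token check that
 * Spring Security's CsrfFilter performs. Not Spring Security's own code.
 */
public class CsrfCheckModel {

    // Methods that must not change state are never checked.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "TRACE", "OPTIONS");

    /** One unpredictable token per session, generated when the session starts. */
    static String newSessionToken() {
        byte[] bytes = new byte[32];
        new SecureRandom().nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /**
     * Returns null when the request is accepted, otherwise the rejection message.
     * The header is consulted first, then the parameter. A request that carries
     * neither leaves the actual token literally null, which is where the 'null'
     * in the error message comes from.
     */
    static String check(String sessionToken, String method, String headerToken, String paramToken) {
        if (SAFE_METHODS.contains(method)) {
            return null; // read-only request: nothing to protect
        }
        if (sessionToken == null) {
            return "Could not verify the provided CSRF token because your session was not found.";
        }
        String actual = headerToken != null ? headerToken : paramToken;
        if (actual == null || !constantTimeEquals(sessionToken, actual)) {
            return "Invalid CSRF Token '" + actual
                    + "' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.";
        }
        return null;
    }

    // Compare without leaking the position of the first mismatch through timing.
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String token = newSessionToken();

        // 1. Form rendered with ${_csrf.token}: the browser echoes the token back.
        System.out.println("valid form:    " + check(token, "POST", null, token));
        // 2. Cross-site form: the attacker cannot read the token and has to guess.
        System.out.println("forged form:   " + check(token, "POST", null, "attacker-guess"));
        // 3. JSP rendered without the _csrf attribute: the hidden input gets an
        //    empty name, so no _csrf parameter reaches the server at all.
        System.out.println("missing token: " + check(token, "POST", null, null));
        // 4. Script client sending the header instead of the form parameter.
        System.out.println("ajax header:   " + check(token, "PUT", token, null));
        // 5. Read-only request: no check at all.
        System.out.println("plain GET:     " + check(token, "GET", null, null));
    }
}
```

Case 3 is the situation this page is about: the session holds a perfectly good token, but the page that was rendered never carried it, so the server can only report that it found 'null'.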

The Solution #

Spring Security turns CSRF protection on by default (in the Java configuration since 3.2, in the XML configuration since 4.0).

When is CSRF protection appropriate? For any request that a browser may send on behalf of a normal user, the Spring Security reference recommends keeping it enabled. Disable it only if your service is used exclusively by non-browser clients that attach their own credentials on every call (a bearer token, for instance), because the attack relies on the browser attaching a session cookie automatically.

In the old XML configuration (before Spring Security 4), CSRF protection was disabled by default and had to be enabled by adding the <csrf/> element inside <http>. From Spring Security 4.x it is enabled by default in the XML configuration as well, and can be switched off with <csrf disabled="true"/> if really necessary.

The first solution shows how to turn CSRF protection off; the second shows how to send the CSRF token in the request parameter _csrf so that the protection can stay on.

Solution one

You can disable CSRF protection with the following Java configuration on Spring Security 3.2 and above. Do this only for applications that have no browser clients; for a web application with form login it removes the protection entirely.

Most such changes in a Spring Framework application are configuration changes and have minimal impact on application code or other custom components. Here is the code snippet. In the configure method we receive an HttpSecurity builder and call csrf() on it; this returns the CsrfConfigurer, through which the CSRF filter is controlled, and calling disable() on it deactivates the CSRF protection. Note that overriding configure replaces the adapter's default rules (every request authenticated, form login, HTTP Basic), so the snippet below also drops those; in a real configuration you add your own authorizeRequests() rules alongside the csrf() call.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Turns the CsrfFilter off for every request handled by this filter chain.
    // Overriding configure() also discards the adapter's default authorization rules.
    http.csrf().disable();
  }
}
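Rather than switching the protection off for the whole application, a safer variant exempts only the endpoints that no browser session can reach. The following is an added example, not code from the original page: two filter chains, one stateless chain for a machine-to-machine API with CSRF disabled, and one for the browser pages with CSRF left on. It assumes Spring Security 5.x with the WebSecurityConfigurerAdapter style used above; the "/api/**" prefix is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/**
 * Added example (not from the original page): drop CSRF protection only where
 * no browser session exists, keep it for the pages that use form login.
 * Assumes Spring Security 5.x; "/api/**" is a hypothetical path prefix.
 */
@EnableWebSecurity
public class SplitCsrfSecurityConfig {

    /** Machine-to-machine API: no session is ever created, so there is no cookie to ride on. */
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")                 // this chain handles only the API
                .csrf().disable()                      // safe ONLY because of the stateless policy below
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                // Caveat: browsers cache Basic credentials and resend them automatically,
                // so this exemption holds only while the API is called by non-browser
                // clients (scripts, services). For a browser-driven API keep CSRF on.
                .httpBasic();
        }
    }

    /** Browser pages: session-based form login, CSRF protection left at its default (on). */
    @Configuration
    @Order(2)
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}
```

The order matters: the API chain is consulted first and claims only requests under /api/**, everything else falls through to the browser chain. Disabling CSRF in a chain that never issues a session cookie is the one situation in which disable() does not weaken anything.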

Solution two

If you want to keep CSRF protection enabled (the right choice for any browser-facing application), the form has to send the token back. In a JSP, add it as a hidden field inside the form tag; the _csrf request attribute that Spring Security's filter sets supplies both the parameter name and the token value. If that attribute is missing when the page renders, both expressions evaluate to empty strings and the server receives no _csrf parameter at all, which is exactly the 'null' in the error message, so make sure the request that renders the JSP passes through the Spring Security filter chain. Spring's <form:form> tag, Thymeleaf's th:action and the <sec:csrfInput/> tag from spring-security-taglibs add this hidden field for you.

You can do it like this:


<%-- Only state-changing requests are checked, so the form must POST. --%>
<form method="post">
  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
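A JavaScript front end that sends JSON instead of HTML forms cannot use a hidden field, but it can send the token in the header named in the error message instead. The following is an added example, not code from the original page: Spring Security's CookieCsrfTokenRepository writes the token into a cookie that page script may read, and the client copies it into a request header on every state-changing call. It assumes Spring Security 5.x with the WebSecurityConfigurerAdapter style used on this page.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

/**
 * Added example (not from the original page): keep CSRF protection on for a
 * script-driven front end by handing the token over in a readable cookie.
 * Assumes Spring Security 5.x.
 */
@Configuration
@EnableWebSecurity
public class JsClientCsrfConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // httpOnly=false so that the page's own script can read the cookie.
                // Defaults of this repository: cookie "XSRF-TOKEN", header "X-XSRF-TOKEN",
                // parameter "_csrf". Only pages on this origin can read the cookie; the
                // attacker's page cannot, so it cannot set the header either.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

The front end reads the XSRF-TOKEN cookie and sends its value in the X-XSRF-TOKEN header with each POST, PUT, PATCH or DELETE; a request that omits the header fails with the same "Invalid CSRF Token" message as a form without the hidden field. Angular's HttpClient does this by default with exactly these cookie and header names, which is why Spring Security chose them.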

The Conclusion

Thanks for reading the tutorial all the way to the end. To sum up: Spring Security's CSRF (Cross Site Request Forgery) protection is turned on by default. Cross-site request forgery is an attack in which a malicious website, blog, e-mail, instant message or web application tricks a user's browser into performing an unwanted action on a trusted site where the user is currently authenticated, and the CSRF token defeats it by requiring a session-bound secret that a cross-site attacker cannot read. If you run into the error "Invalid CSRF Token 'null' was found on the request parameter '_csrf'", you have two options. Preferably, send the CSRF token with the request as described in solution two, so that it is set and no longer null; this keeps the protection in place. Alternatively, and only if the endpoint is never used from a browser, disable the protection as described in solution one by calling disable() on the csrf() configurer obtained from the HttpSecurity parameter passed to configure.

That's it for this tutorial. If you face any issues, don't hesitate to leave a comment.

