How to fetch and reuse a CSRF token with the Postman Rest Client

Updated: 2024-10-26 08:24:52
This article describes how to fetch a CSRF token with the Postman Rest Client and reuse it in later requests.

Problem description


I am using the Postman Rest client for hitting the REST services. I am getting the following error when I try to execute the REST service from the Postman client.

HTTP Status 403 - Cross-site request forgery verification failed. Request aborted.

It appears that the REST services are secured by the implementation of a CSRF token. Does anybody have any idea about how to fetch the CSRF token and reuse it for future requests?

Solution

There are several ways to protect against CSRF in an application. Depending on which type of protection your services have, you will have to do slightly different things, and it may be relatively difficult.

Probably the most well-known protection is using synchronizer tokens, in which case you will have to download the page first, read the token and pass it back in the subsequent request, basically emulating a real user. As synchronizer tokens are stateful (require server state in the form of a user session), and your use case is a RESTful service, I suppose this is not the implemented method.

Another protection, more suitable for services, can be some variation of double posting. In this case, depending on the implementation, you will most probably have to send back the same token value as a cookie and as a request header.

Another method the services use may be encrypted tokens, which from your perspective is similar to synchronizer tokens (but stateless).

Yet another (by the way, much less secure) method may simply be checking the Referer and/or the Origin header in requests. In this case you just have to add the appropriate request headers.

I recommend you observe with a proxy like Fiddler on Windows or something like ZAP Proxy on Linux (or Windows) what method the service normally uses, what header values and cookie names it requires, etc. You can then make your own requests the right way, sending CSRF tokens as your services expect them.

The easiest way is to hit a GET service first so that we can get the response along with the CSRF token. We can use that CSRF token while sending the POST request again. The CSRF token can be found under the Body of the response in the Postman client.

Published: 2023-10-29 09:40:07
Link: https://www.elefans.com/category/jswz/34/1539361.html