
Invalid CSRF token

When I visit a web site and try to login, I'm getting a message that states, "Invalid CSRF token", and the site won't log me in. I've tried Google and Wikipedia about this and while they give info, that info is way beyond my computer knowledge.


I have determined it seems to be something that has attached itself to my particular input through my Safari app. If I use a different browser, Firefox in this instance, the problem does not happen.


This laptop is a MBP (Retina, 15-inch, Mid 2015), macOS 10.14.4.


I also have a MacBook (Retina, 12-inch, Early 2016), macOS 10.14.3, that does not have this problem.


My next step is to re-install system software but I wanted to get some feedback before I go there.


Does anyone know about this?



MacBook Pro 15", macOS 10.14

Posted on Apr 14, 2019 9:22 AM

31 replies

Apr 14, 2019 11:22 AM in response to dinhr



Try running this program in your normal user account, then copy and paste the output in a reply. The program was created by etresoft, a frequent contributor. Please use copy and paste as screen shots can be hard to read. Click “Share Report” button in the toolbar, select “Copy Report” and then paste into a reply. This will show what is running on your computer. No personal information is shown. If the log won’t post, try posting it in Pastebin and provide a link in a reply: Pastebin


Etrecheck – System Information    10.10 and later



Apr 16, 2019 7:14 AM in response to dinhr

A CSRF or Cross-Site Request Forgery token usually refers to common CSRF protection methods described below, such as STP, hidden HTML form data added randomly in the header using the POST command, a session cookie unique to a particular date/time access of a URL with a randomized hash, or a combination of methods, i.e. cookie/STP for the client side and server-side strict origin/referrer/header policies and safeguards in place, along with the overhead to authenticate each uniquely random generated STP and session cookie. CSRF is an attack or browser exploit that is more insidious than XSS (cross-site scripting) attacks, as it uses the browser's own trust architecture against it, and is vulnerable to CSS, HTML, and BBcode image tags in particular, and to a potential lack of client- and/or server-side web hygiene. (Self-Destructing Cookies, uMatrix, and NoScript browser add-ons for Firefox can secure your web experience by erasing all web pages' cookies (“trust”) upon closing the tab, thus not allowing the site to “recognize” you next time and log you in or perform some HTML action that can be exploited. This will limit exposure but requires uMatrix or NoScript deny-by-default application boundaries, tab containerization, and same-origin-only policies, as well as protecting the header from cross-domain exposure on the client side regardless of server-side settings, through alteration and limitation of browser behavior and capabilities, plus use of virtualization-based containers to isolate domains and protect and separate inet from localhost addressing, access, DNS, and performance of actions.) When successful this can compromise the entire PKI by compromising the browser and OS root cert.


Read the excerpt below from Wikipedia for details.

HTTP verbs and CSRF


Different HTTP request methods have different levels of susceptibility to CSRF attacks and require different levels of protection due to their different handling by web browsers.

  • In HTTP GET the CSRF exploitation is trivial, using methods described above, such as a simple hyperlink containing manipulated parameters and automatically loaded by an IMG tag. By the HTTP specification however, GET should be used as a safe method, that is, not significantly changing the user's state in the application. Applications using GET for such operations should switch to HTTP POST or use anti-CSRF protection.
  • HTTP POST has different vulnerability to CSRF, depending on detailed usage scenarios:
    • In the simplest form of POST with data encoded as a query string (field1=value1&field2=value2), a CSRF attack is easily implemented using a simple HTML form and anti-CSRF measures must be applied.
    • If data is sent in any other format (JSON, XML) a standard method is to issue a POST request using XMLHttpRequest, with CSRF attacks prevented by SOP and CORS; there is a technique to send arbitrary content from a simple HTML form using the ENCTYPE attribute; such a fake request can be distinguished from legitimate ones by the text/plain content type, but if this is not enforced on the server, CSRF can be executed.[12][13]
  • Other HTTP methods (PUT, DELETE etc.) can only be issued using XMLHttpRequest, with SOP and CORS preventing CSRF; these measures however will not be active on websites that explicitly disable them using the Access-Control-Allow-Origin: * header.


Apr 16, 2019 7:21 AM in response to thegil17


Effects


Severity metrics have been issued for CSRF vulnerabilities that result in remote code execution with root privileges[18] as well as a vulnerability that can compromise a root certificate, which will completely undermine a public key infrastructure.[19]

Limitations


Several things have to happen for cross-site request forgery to succeed:

  1. The attacker must target either a site that doesn't check the referrer header or a victim with a browser or plugin that allows referer spoofing.[citation needed]
  2. The attacker must find a form submission at the target site, or a URL that has side effects, that does something (e.g., transfers money, or changes the victim's e-mail address or password).
  3. The attacker must determine the right values for all the forms or URL inputs; if any of them are required to be secret authentication values or IDs that the attacker can't guess, the attack will most likely fail (unless the attacker is extremely lucky in their guess).
  4. The attacker must lure the victim to a web page with malicious code while the victim is logged into the target site.

The attack is blind: the attacker cannot see what the target website sends back to the victim in response to the forged requests, unless they exploit a cross-site scripting or other bug at the target website. Similarly, the attacker can only target any links or submit any forms that come up after the initial forged request if those subsequent links or forms are similarly predictable. (Multiple targets can be simulated by including multiple images on a page, or by using JavaScript to introduce a delay between clicks.)

Given these constraints, an attacker might have difficulty finding logged-in victims or attackable form submissions.[citation needed] On the other hand, attack attempts are easy to mount and invisible to victims, and application designers are less familiar with and prepared for CSRF attacks than they are for, say, password cracking dictionary attacks.

Prevention


Most CSRF prevention techniques work by embedding additional authentication data into requests that allows the web application to detect requests from unauthorized locations.

Synchronizer token pattern

Synchronizer token pattern (STP) is a technique where a token, secret and unique value for each request, is embedded by the web application in all HTML forms and verified on the server side. The token may be generated by any method that ensures unpredictability and uniqueness (e.g. using a hash chain of random seed). The attacker is thus unable to place a correct token in their requests to authenticat
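The synchronizer token pattern from the excerpt above, worked through as an added example (not code from the thread or from Wikipedia): a toy in-memory server issues a per-session token, embeds it in the login form as a hidden field and verifies the POST against the session cookie. The scenario functions are constructed; they show a legitimate submission, a forged cross-site form, and why a browser that fails to return its session cookie gets the same "Invalid CSRF token" rejection.

```python
import hmac
import re
import secrets

# Constructed in-memory session store: session id -> {"csrf_token": ...}
SESSIONS = {}

def start_session():
    """Issue an unpredictable session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_form(sid):
    """Embed the session's token in the login form as a hidden field (STP)."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/login">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="user"><input name="pass" type="password"></form>')

def verify_post(cookies, form):
    """Server-side check: the submitted token must match the token bound to
    the session cookie. Returns (ok, message)."""
    sid = cookies.get("session")
    if sid is None or sid not in SESSIONS:
        # No usable session cookie: nothing to bind the token to.
        return False, "Invalid CSRF token"
    submitted = form.get("csrf_token", "")
    expected = SESSIONS[sid]["csrf_token"]
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "Invalid CSRF token"
    return True, "ok"

def token_from_html(html):
    """What the browser echoes back: the hidden field value from the form."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return m.group(1) if m else ""

def scenario_legitimate():
    """Same browser, same session: cookie and token agree."""
    sid = start_session()
    tok = token_from_html(render_form(sid))
    return verify_post({"session": sid}, {"csrf_token": tok, "user": "u"})

def scenario_forged_cross_site():
    """Victim is logged in; an attacker's page auto-submits a form. The
    same-origin policy keeps the token unreadable, so it is absent."""
    sid = start_session()
    return verify_post({"session": sid}, {"user": "u", "pass": "p"})

def scenario_cookie_not_sent():
    """Form was loaded, but the browser did not send the session cookie
    back (blocked, cleared, never stored): one plausible cause of the symptom."""
    sid = start_session()
    tok = token_from_html(render_form(sid))
    return verify_post({}, {"csrf_token": tok})

def scenario_stale_token():
    """Browser still holds a form from an earlier session after the
    server rotated the session cookie."""
    tok_old = token_from_html(render_form(start_session()))
    sid_new = start_session()
    return verify_post({"session": sid_new}, {"csrf_token": tok_old})
```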

Apr 14, 2019 12:13 PM in response to dinhr

OK, I've figured out how to get a report. It's too long to paste here. Let's see if I can do a "link". Nope, I don't know how to do a link. The following is the top of the report:

EtreCheck version: 5.2 (5029)

Report generated: 2019-04-14 12:49:30

Download EtreCheck from https://etrecheck.com

Runtime: 1:20

Performance: Excellent

Sandbox: Enabled

Full drive access: Disabled


Problem: Other problem


Major Issues: None


Minor Issues:

    These issues do not need immediate attention but they may indicate future problems or opportunities for improvement. 


    Clean up - There are orphan files that could be removed.

    Unsigned files - There are unsigned software files installed. They appear to be legitimate but should be reviewed.

    32-bit Apps - This machine has 32-bits apps will not work after macOS 10.14 “Mojave”.

    Limited drive access - More information may be available with Full Drive Access.


Hardware Information:

    MacBook Pro (Retina, 15-inch, Mid 2015)

    MacBook Pro Model: MacBookPro11,5

    1 2.8 GHz Intel Core i7 (i7-4980HQ) CPU: 4-core

    16 GB RAM - Not upgradeable

        BANK 0/DIMM0 - 8 GB DDR3 1600 ok

        BANK 1/DIMM0 - 8 GB DDR3 1600 ok

    Battery: Health = Normal - Cycle count = 21



Apr 14, 2019 1:10 PM in response to dinhr

Video Information:


    AMD Radeon R9 M370X - VRAM: 2 GB


    Intel Iris Pro - VRAM: 1536 MB


        Color LCD 2880 x 1800




Drives:


    disk0 - APPLE SSD SM1024G 1.00 TB (Solid State - TRIM: Yes)


    Internal PCI 8.0 GT/s x4 Serial ATA


        disk0s1 - EFI (MS-DOS FAT32) [EFI] 210 MB


        disk0s2 [APFS Container] 1.00 TB


            disk1 [APFS Virtual drive] 1.00 TB (Shared by 4 volumes)


                disk1s1 - M******************a (APFS) (Shared - 243.67 GB used)


                disk1s2 - Preboot (APFS) [APFS Preboot] (Shared)


                disk1s3 - Recovery (APFS) [Recovery] (Shared)


                disk1s4 - VM (APFS) [APFS VM] (Shared - 1.07 GB used)




    disk2 - WD My Passport 0837 500.07 GB


    External USB 5 Gbit/s USB


        disk2s1 - K****e (Mac OS Extended) 500.07 GB (369.60 GB used)




    disk3 - G-DRIVE mobile USB-C 4.00 TB


    External USB 5 Gbit/s USB


        disk3s1 - EFI (MS-DOS FAT32) [EFI] 210 MB


        disk3s2 - B***K (Journaled HFS+) 4.00 TB (1.11 TB used)




Mounted Volumes:


    disk1s1 - M******************a 1.00 TB (754.83 GB free)


        APFS


        Mount point: /




    disk1s4 - VM [APFS VM] (Shared - 1.07 GB used)


        APFS


        Mount point: /private/var/vm




    disk2s1 - K****e 500.07 GB (130.47 GB free)


        Mac OS Extended


        Mount point: /Volumes/K****e




    disk3s2 - B***K 4.00 TB (2.89 TB free)


        Journaled HFS+


        Mount point: /Volumes/B***K


        Owners enabled: No




Network:


    Interface en6: Thunderbolt Ethernet


    Interface en7: AX88772A


    Interface fw0: Thunderbolt FireWire


    Interface en5: iPhone


    Interface en4: iPad


    Interface en0: Wi-Fi


        802.11 a/b/g/n/ac


    Interface en3: Bluetooth PAN

Apr 14, 2019 1:14 PM in response to dinhr

    Interface bridge0: Thunderbolt Bridge




System Software:


    macOS Mojave 10.14.4 (18E226) 


    Time since boot: About 5 hours




Notifications:


    Notifications not available without Full Drive Access.




Security:


    Gatekeeper: Enabled


    System Integrity Protection: Enabled




    Antivirus apps: Avast




Unsigned Files:


    Launchd: /Library/LaunchDaemons/com.avast.osx.secureline.init.plist


        Executable: /Library/Application Support/AvastSecureLine/hub/init.sh


        Details: Exact match found in the whitelist - probably OK

Apr 14, 2019 1:21 PM in response to dinhr


    Launchd: /Library/LaunchDaemons/com.avast.osx.secureline.uninstall.plist


        Executable: /Library/Application Support/AvastSecureLine/hub/autouninstall.sh


        Details: Exact match found in the whitelist - probably OK




    Launchd: /Library/Application Support/AvastSecureLine/hub/launchd/com.avast.osx.secureline.racoonrun.plist


        Executable: /Library/Application Support/AvastSecureLine/hub/modules/030_racoonrun.sh backup


        Details: Exact match found in the whitelist - probably OK




    Launchd: /Library/LaunchAgents/com.paragon-software.facebook.agent.plist


        Executable: /Library/Application Support/Paragon Software/Paragon Software Facebook Agent.app/Contents/MacOS/Paragon Software Facebook Agent


        Details: Exact match found in the whitelist - probably OK




    Launchd: /Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist

Apr 14, 2019 1:35 PM in response to dinhr

        Executable: /Library/PrivilegedHelperTools/com.microsoft.office.licensing.helper


        Details: Exact match found in the whitelist - probably OK




    Launchd: ~/Library/LaunchAgents/com.avast.osx.secureline.home.userinit.plist


        Executable: ~/Library/Application Support/AvastSecureLine/hub/userinit.sh


        Details: Exact match found in the whitelist - probably OK




    Launchd: /Library/LaunchDaemons/com.avast.osx.secureline.update.plist


        Executable: /Library/Application Support/AvastSecureLine/components/update/update.sh


        Details: Exact match found in the whitelist - probably OK




    Launchd: /Library/LaunchAgents/com.avast.osx.secureline.userinit.plist


        Executable: /Library/Application Support/AvastSecureLine/hub/userinit.sh


        Details: Exact match found in the whitelist - probably OK




32-bit Applications:


    30 32-bit apps




Kernel Extensions:


    /Library/Extensions


        TrackballWorks.kext (Kensington Computer Products Group, 1.5.0 - SDK 10.11)




System Launch Agents:


    [Not Loaded] 17 Apple tasks


    [Loaded] 169 Apple tasks


    [Running] 115 Apple tasks




System Launch Daemons:


    [Not Loaded] 36 Apple tasks


    [Loaded] 184 Apple tasks


    [Running] 116 Apple tasks



Apr 14, 2019 2:23 PM in response to dinhr


Launch Agents:


    [Not Loaded] com.adobe.AAM.Updater-1.0.plist (? ffb65062 - installed 2017-08-21)


    [Other] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d.plist (Adobe Systems, Inc. - installed 2018-02-13)


    [Running] com.adobe.GC.AGM.plist (Adobe Systems, Inc. - installed 2018-12-20)


    [Not Loaded] com.adobe.GC.Invoker-1.0.plist (Adobe Systems, Inc. - installed 2018-12-20)


    [Running] com.avast.osx.secureline.update-agent.plist (AVAST Software a.s. - installed 2019-03-21)


    [Loaded] com.avast.osx.secureline.userinit.plist (? 2fc1004f - installed 2019-03-21)


    [Loaded] com.paragon-software.facebook.agent.plist (? 95fb0bd4 - installed 2016-08-29)




Launch Daemons:


    [Loaded] com.adobe.ARMDC.Communicator.plist (Adobe Systems, Inc. - installed 2018-02-13)


    [Loaded] com.adobe.ARMDC.SMJobBlessHelper.plist (Adobe Systems, Inc. - installed 2018-02-13)


    [Loaded] com.adobe.agsservice.plist (Adobe Systems, Inc. - installed 2018-12-20)


    [Loaded] com.adobe.fpsaud.plist (Adobe Systems, Inc. - installed 2019-03-26)


    [Loaded] com.apple.installer.osmessagetracing.plist (Apple - installed 2019-03-21)


    [Loaded] com.avast.osx.secureline.init.plist (? 1bda83b1 - installed 2019-03-21)


    [Loaded] com.avast.osx.secureline.uninstall.plist (? ba7a0061 - installed 2019-03-21)


    [Loaded] com.avast.osx.secureline.update.plist (? f50a649c - installed 2019-03-21)


    [Loaded] com.microsoft.autoupdate.helpertool.plist (Microsoft Corporation - installed 2016-08-03)


    [Loaded] com.microsoft.office.licensing.helper.plist (? 6d8cb30e - installed 2016-04-22)


    [Loaded] com.microsoft.office.licensingV2.helper.plist (Microsoft Corporation - installed 2016-05-06)


    [Other] com.seagate.TBDecorator.plist (? 595582c - installed 2013-10-11)

Apr 14, 2019 2:34 PM in response to dinhr


User Launch Agents:


    [Loaded] com.adobe.GC.Invoker-1.0.plist (Adobe Systems, Inc. - installed 2018-01-25)


    [Loaded] com.avast.osx.secureline.home.userinit.plist (? 0 - installed 2019-03-21)




User Login Items:


    TrackballWorksHelper.app (Kensington Computer Products Group - installed 2018-12-21)


        (Application - /Library/PreferencePanes/TrackballWorks.prefPane/Contents/Resources/TrackballWorksHelper.app)




    Word-Counter.app (App Store - installed 2018-03-28)


        (Application - /Applications/Word-Counter.app)




Internet Plug-ins:


    AdobePDFViewerNPAPI: 17.012.20098 (Adobe Systems, Inc. - installed 2019-04-09)


    FlashPlayer-10.6: 32.0.0.171 (Adobe Systems, Inc. - installed 2019-04-09)


    AdobePDFViewer: 19.010.20099 (Adobe Systems, Inc. - installed 2019-04-09)


    Flash Player: 32.0.0.171 (Adobe Systems, Inc. - installed 2019-04-09)


    SharePointBrowserPlugin: 14.6.8 (? - installed 2016-09-17)




Audio Plug-ins:


    AppleTimeSyncAudioClock: 1.0 (Apple - installed 2019-03-29)


    BluetoothAudioPlugIn: 6.0.11 (Apple - installed 2019-03-29)


    AirPlay: 2.0 (Apple - installed 2019-03-29)


    AppleAVBAudio: 740.1 (Apple - installed 2019-03-29)


    BridgeAudioSP: 5.39 (Apple - installed 2019-03-29)


    iSightAudio: 7.7.3 (Apple - installed 2019-03-29)



Apr 14, 2019 2:54 PM in response to dinhr


3rd Party Preference Panes:


    Flash Player (installed 2019-03-26)


    TrackballWorks (installed 2018-12-21)




Time Machine:


    Time Machine information not available without Full Drive Access.




Performance:


    System Load: 1.79 (1 min ago) 1.59 (5 min ago) 1.48 (15 min ago)


    Nominal I/O speed: 1.09 MB/s


    File system: 18.70 seconds


    Write speed:  1486 MB/s


    Read speed:  2020 MB/s




CPU Usage Snapshot:


    Type Overall


    System 2 %


    User 4 %


    Idle 94 %




Top Processes Snapshot by CPU:


    Process (count) CPU (Source - Location)


    EtreCheck 28.77 % (App Store)


    Other processes 15.34 % (?)


    sharingd 0.08 % (Apple)


    TrackballWorksHelper 0.07 % (Kensington Computer Products Group)


    UserEventAgent 0.06 % (Apple)




Top Processes Snapshot by Memory:


    Process (count) RAM usage (Source - Location)


    EtreCheck 604 MB (App Store)


    Mail 157 MB (Apple)


    Finder 145 MB (Apple)


    photoanalysisd 138 MB (Apple)


    media-indexer 130 MB (Apple)




Top Processes Snapshot by Network Use:


    Process Input / Output (Source - Location)


    mDNSResponder 6 MB / 760 KB (Apple)


    Mail 1 MB / 623 KB (Apple)


    AirPlayXPCHelper 957 KB / 334 KB (Apple)


    apsd 61 KB / 28 KB (Apple)


    netbiosd 48 KB / 18 KB (Apple)




Virtual Memory Information:


    Physical RAM: 16 GB




    Free RAM: 7.87 GB


    Used RAM: 4.69 GB


    Cached files: 3.45 GB




    Available RAM: 11.31 GB


    Swap Used: 0 B




Software Installs (past 30 days):


    Install Date Name (Version)


    2019-03-29 Numbers (6.0)


    2019-03-29 Pages (8.0)


    2019-04-05 Antivirus VirusKiller (4.3.8)


    2019-04-09 Adobe Flash Player


    2019-04-09 Adobe Acrobat Reader DC (19.010.20099)


    2019-04-14 EtreCheck (5.2)




Clean up:


    /Library/LaunchDaemons/com.seagate.TBDecorator.plist


        /Library/Application Support/Seagate/TBLoopDriveParams


        Executable not found






Diagnostics Information (past 7 days):


    Directory /Library/Logs/DiagnosticReports is not accessible.


    Enable Full Drive Access to see more information.




End of report

Apr 16, 2019 7:18 AM in response to thegil17

Other approaches to CSRF


Additionally, while typically described as a static type of attack, CSRF can also be dynamically constructed as part of a payload for a cross-site scripting attack, as demonstrated by the Samy worm, or constructed on the fly from session information leaked via offsite content and sent to a target as a malicious URL. CSRF tokens could also be sent to a client by an attacker due to session fixation or other vulnerabilities, or guessed via a brute-force attack, rendered on a malicious page that generates thousands of failed requests. The attack class of "Dynamic CSRF", or using a per-client payload for session-specific forgery, was described[14] in 2009 by Nathan Hamiel and Shawn Moyer at the BlackHat Briefings,[15] though the taxonomy has yet to gain wider adoption.

A new vector for composing dynamic CSRF attacks was presented by Oren Ofer at a local OWASP chapter meeting on January 2012 – "AJAX Hammer – Dynamic CSRF".


Apr 16, 2019 9:15 AM in response to thegil17

Well, thank you for the info. I don't understand even a tenth of what you've written but, what I do understand seems to confirm my original suspicions that something has attached itself to my Safari browser. It seems strange that it only happens to one site, (that I'm aware of, anyway). If I re-install system software will it get rid of this bug?
