Forbidden 403:CSRF verification failed; aborted

Talk about internet security, computer security, personal security, your social security number...
Post Reply
User avatar
IMB4U
Junior Member
Posts: 30
Joined: Wed Jul 15, 2009 11:08 pm
Location: USA

Forbidden 403:CSRF verification failed; aborted

Post by IMB4U » Mon Sep 20, 2010 3:11 pm

Hello...

I'm trying to submit a review on one of the Mozilla Firefox Add-ons pages, and this is the Mozilla add-on page which has the add-on I want to give a review about:
https://addons.mozilla.org/en-US/firefox/addon/12766/
The add-on is called "CookieKiller".
(a) I then perform my login with name/password, and all is just fine.
(b) I click on the "Review" button in order to make my comments, and I get taken to a different web page for making comments, and all is still just fine.
(c) After typing my review comments, when I click on the "submit" button...I get redirected to a page that displays a CSRF notification. I've tried several times but get the same response.
(d) The CSRF notification page states the following:
Forbidden (403)
CSRF verification failed. Request aborted.
More information is available with DEBUG=True.


I don't remember ever seeing this type of warning before. I decided to do an "about:config" and typed the word "debug", and I found 4 items listed:
PREFERENCE NAME..................STATUS.....TYPE.......VALUE
(1) browser.formfill.debug.........default......boolean...false
(2) noscript.clearClick.debug......default......boolean...false
(3) noscript.surrogate.debug......default......boolean...false
(4) signon.debug.....................default......boolean...false


I don't know anything about "debugging", but if I was forced to make a guess, I'd guess that the "browser.formfill.debug" listing might need to be changed to "true". BUT I sure don't know! :oops: AND I would never simply change it without finding out a responsible answer first! ;) After all, that may not have anything at all to do with the problem. :oops:

I've looked at the NoScript webpage for help and I've looked at my NoScript icon data. I've read about XSS (cross site scripting), but I still don't much about this. I see that CSRF means "cross site request forgery", and I just read that usually this can be caused from developer errors, but this also can be dangerous.

Can someone please explain whether or not I personally should be doing something to fix this problem? :roll:
Windows 8, Professional, 64-bit/4 GB Ram/Pale Moon 25.5/ NoScript, Adblock Plus, Better Privacy; Super-Antispyware (free), Malwarebytes Anti-Malware (free), Spyware Blaster (free), WinPatrol (free)
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

User avatar
therube
Ambassador
Posts: 7528
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Forbidden 403:CSRF verification failed; aborted

Post by therube » Mon Sep 20, 2010 7:21 pm

I dont' know if it is the issue, but under Options | Advanced -> XSS, there are a couple of settings you can you can try.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.13) Gecko/20100914 SeaMonkey/2.0.8

User avatar
Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Forbidden 403:CSRF verification failed; aborted

Post by Giorgio Maone » Mon Sep 20, 2010 8:07 pm

Are you blocking cookies from AMO?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

User avatar
IMB4U
Junior Member
Posts: 30
Joined: Wed Jul 15, 2009 11:08 pm
Location: USA

Re: Forbidden 403:CSRF verification failed; aborted

Post by IMB4U » Wed Sep 22, 2010 3:41 am

FYI: AMO objected to a NoScript option I had checked! :roll:

@therube...
I checked the NoScript options - Advanced/XSS, and both of the following boxes are checked:
x = sanitize cross-site suspicious request
x = turn cross-site post requests into data-less GET requests

@Giorgio Maone...
Only my 3rd party cookies are kept blocked.

UPDATE:
After reading your replies, I decided to try posting in AMO, again, but it still wouldn't work. Next, I decided to see if I would receive the same results when trying to post reviews for other add-ons, so I tried two more but still with the same results - which indicated to me the problem was something "I" must have created.

I then vaguely remembered "adding a new checkmark" to the options of one of my add-ons recently (sometime within the last month or so), and decided to give NoScript a closer look. In the Options, under Advanced, I chose to begin with the first item available...which is called "Untrusted":
OPTIONS/ADVANCED/UNTRUSTED
x = Forbid "Web Bugs"


As soon as I saw "Web Bugs", I knew that was the item "I had recently added a checkmark to" (by default, it is left unchecked). I had been looking for an add-on to prevent web bugs and now I remember that when I actually noticed that option, I had felt silly that I hadn't noticed it before, and so I simply checked it. SO... :idea: ...I decided to UN-check that option and try posting a comment, again. I didn't expect to see any difference, so I simply placed the letter "a" in my review posting and quickly clicked the submit button. OOPS! This time, MY REVIEW COMMENTS GOT ACCEPTED! :mrgreen:

I was elated that I had solved the problem :D ...BUT...I was "sort of" embarrassed that I now had a review posted showing only a comment containing the letter "a" in it! :oops: I quickly tried to edit that comment and was hoping I could actually just delete it, but you can't delete your comments; only edit them. Therefore, since I had to have something written, I deleted the letter "a", and replaced it with the following comment:
by IMB4U on September 21, 2010 #
SORRY! I'm having trouble posting...will try again later.

I guess I need to go back and make my "official" comment now that I've got an "unofficial" one already posted! :P

Ok, so my problem of not being able to post a comment has been resolved...BUT...
I'm left without understanding why the Mozilla website is not allowing me to use the "Forbid Web Bugs"option when simply clicking on the "submit" icon for posting. Obviously, the addons.mozilla.organization (AMO) website doesn't want me to have the "forbid web bugs" option checked, but why :?: Why would they need a "web bug" to track my posting of a comment :?:

I looked up info on the NoScript website and this is what it says about forbidding web bugs in the Noscript extension:
Forbid "Web Bugs" blocks Web Bugs (tracking images) found inside <noscript> tags, used as a (less effective) fall-back to spy on user's behavior when scripts are not available.

QUESTION: Should I simply never use the "forbid web bugs" option from now on...or...should I block them until another website happens to display the same alert as I got with AMO?:
Forbidden (403)
CSRF verification failed. Request aborted.
More information is available with DEBUG=True.


I ask this because if I should ever run into this issue again and also happen to have the "Forbid Web Bugs" option checked, I don't know how safe I would feel in unchecking the option as I ended up needing to do for AMO. :roll:
Windows 8, Professional, 64-bit/4 GB Ram/Pale Moon 25.5/ NoScript, Adblock Plus, Better Privacy; Super-Antispyware (free), Malwarebytes Anti-Malware (free), Spyware Blaster (free), WinPatrol (free)
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

cocoapuff
Posts: 18
Joined: Mon Mar 07, 2011 10:31 am

Re: Forbidden 403:CSRF verification failed; aborted

Post by cocoapuff » Sat May 14, 2011 1:08 am

I am getting the exact same error message on Mozilla Add-ons just now. Only, in my case "Forbid web bugs" is NOT checked in NoScript.

Then I thought, maybe it's Ghostery. But the Ghostery icon stays gray (i.e., "no trackers detected") and even when I specifically whitelist addons.mozilla.org in Ghostery, the same error message appears.

Hmm... maybe it's nothing to do with either NoScript or Ghostery.
Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17

User avatar
Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Forbidden 403:CSRF verification failed; aborted

Post by Giorgio Maone » Sat May 14, 2011 10:25 am

This may happen fundamentally for 3 reasons:
  1. You're blocking cookies
  2. You're hiding your referrer header (e.g. with the RefControl add-on)
  3. There's a server error on AMO (less likely)
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

cocoapuff
Posts: 18
Joined: Mon Mar 07, 2011 10:31 am

Re: Forbidden 403:CSRF verification failed; aborted

Post by cocoapuff » Mon May 16, 2011 4:44 am

It happened again just now. Forgot to mention, it happens only when I try to post a review on an add-on. I can view all pages on the Mozilla Add-Ons site without problems, and I can log in with my MAO user account, so I'm not banned.

Also, I am not blocking cookies (except third-party) and I do not alter the User Agent string* nor am I hiding the referrer (do not have an extension that does that).

* Edit: I just realized that is not quite right: my Search Engine Security extension does alter the UA string but I don't know if it matters.
Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17

cocoapuff
Posts: 18
Joined: Mon Mar 07, 2011 10:31 am

Re: Forbidden 403:CSRF verification failed; aborted

Post by cocoapuff » Tue May 17, 2011 3:26 am

Well, it's apparently another extension that interferes. I just went there again but this time using another Firefox profile (this one has the Torbutton extension), again with NoScript allowing the page, and I was able to leave a comment on the add-on.

So, not a NoScript problem. Perhaps a rangeblock of IPs to prevent comment spam.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Post Reply