Getting Data In

Custom API endpoint returning CSRF error on post?

zackurben
Engager

Hello, I am trying to get a custom API endpoint to work, but I am getting CSRF errors when posting any data to it:

401 (Splunk cannot authenticate the request. CSRF validation failed.)

My endpoint looks like this (my_app/bin/test.py):

#!/usr/bin/python

# splunk.rest must be imported explicitly; "import splunk" alone does not
# guarantee that the rest submodule is loaded.
import splunk.rest


class Echo(splunk.rest.BaseRestHandler):
    """Debug endpoint: echo the caller's session key and request headers."""

    def handle_GET(self):
        self.response.setStatus(200)
        self.response.write('session: ' + self.sessionKey + '\n')

        # self.request['headers'] is a dict of the inbound request headers
        for key, value in self.request['headers'].items():
            self.response.write(key + ': ' + value + '\n')

    # POST behaves exactly like GET for this test endpoint
    handle_POST = handle_GET

Splunk restmap.conf (my_app/default/restmap.conf):

[script:echo]
match=/echo
handler=test.Echo

Splunk web.conf (my_app/default/web.conf):

[expose:echo]
pattern=echo
methods=GET,POST

I've tried communicating with the API two different ways:

Over port 8000 (POST not working)

Over port 8089 (POST and GET working)

My log (/opt/splunk/var/log/splunk/splunkd.log) keeps saying this:

ERROR UiAuth - Request from xxx.xxx.xxx.xxx to "/en-US/splunkd/__raw/services/echo" failed CSRF validation -- expected "5038769918656995927", but instead cookie had "5038769918656995927" and form parameter had ""

What I've tried:

  1. Adding skipCSRFProtection=1 to the endpoint's config in web.conf (a documented feature), but it seems to have zero effect.
  2. Cleared my cookies for the domain, as detailed in this Splunk Answers question: answers.splunk.com/answers/581168/splunk-cannot-authenticate-the-request-csrf-valida.html
  3. Tried manually adding X-Splunk-Form-Key as a header, as suggested by this Splunk Answers question: answers.splunk.com/answers/661095/post-to-splunkd-raw-endpoint-returns-csrf-validati.html

It feels like the session cookies are not being transmitted properly, but that doesn't seem correct, given the headers received in the GET request example attached.

What I need:

I need to be able to communicate with the web API (authenticated) on port 8000 for GET and POST requests. I am trying to make requests in my custom dashboard:

const service = mvc.createService({
  owner: 'username here'
});

service.post(
  '/services/echo',
  JSON.stringify({ my: data }),
  function(err, response) {
    // what ever
  }
);

Other Info:

I'm running Splunk in Docker, using the 7.1.2 tag.


sylim_splunk
Splunk Employee

You may need to use curl with options like '-L' and the headers X-Splunk-Form-Key and X-Requested-With: XMLHttpRequest.
Here's the article for it: https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/SplunkAppforStreamRESTAPI

$ curl -Lk -u admin http://localhost:8000/en-GB/splunkd/__raw/services/myRESTCall -H 'Cookie: splunkd_8000=QHASm07YxvF4C8642PFHMRAS0PxRXLie7THbp261otk3pTmWJ2QVn4twqheZM^3_KZ6DDPzenJYszELi8VwvJPrKyJrK_hM75x45XjuzknW1Y7CGH6J4Kp6wakjj9MNAWF; splunkweb_csrf_token_8000=5089449155758749034; session_id_8000=b970b2c4c0b38eb917d980c5b6384f5152a8ad72; login=; splunkweb_uid=' -H 'X-Splunk-Form-Key: 5089449155758749034' -H 'X-Requested-With: XMLHttpRequest' -X POST
Enter host password for user 'admin':

session: PIPsP72nJ7Ha4Z_KEypI4TKtkSiIUQqlqkYmLYVp6PweuwSMRUF0hgHxPx8p_L1GDQQ7UpyU2t8Tk9QQm9fjDrAIIIEioNl5nquFPB1NYwD4Pn9MKWBmBpUwJ12kdxVMksZGfOxkqQ0
host: 127.0.0.1:8089
cookie: splunkd_8000=QHASm07YxvF4C8642PFHMRAS0PxRXLie7THbp261otk3pTmWJ2QVn4twqheZM^3_KZ6DDPzenJYszELi8VwvJPrKyJrK_hM75x45XjuzknW1Y7CGH6J4Kp6wakjj9MNAWF; splunkweb_csrf_token_8000=5089449155758749034; session_id_8000=b970b2c4c0b38eb917d980c5b6384f5152a8ad72; login=; splunkweb_uid=
x-requested-with: XMLHttpRequest
user-agent: curl/7.54.0
authorization: Basic YWRtaW46V2VsY29tZTA=
accept: */*
x-splunk-form-key: 5089449155758749034

Please make sure to include those headers for your testing.

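As an added example (not code from the post, from sylim_splunk, or from Splunk itself), here is the check that the headers in the answer satisfy. Splunk Web applies a double-submit CSRF check to requests proxied through /splunkd/__raw: the X-Splunk-Form-Key header (or form parameter) must equal the value of the splunkweb_csrf_token_<port> cookie, and the log line in the question shows exactly that comparison failing with an empty form parameter. The server-side model below is reconstructed from that log line and from the observed behaviour (GET succeeds, POST fails on port 8000), not from Splunk's source; the function names (parseCookies, getCsrfToken, buildSplunkdHeaders, validateCsrf) and the sample cookie string are constructed for this example.

```javascript
// Added example: the double-submit CSRF check behind the splunkd.log error
// and a client helper that satisfies it. Function names and the sample
// cookie jar are assumptions for this example, not Splunk API names.

// Parse a Cookie header (or document.cookie) into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) cookies[name] = value;
  }
  return cookies;
}

// The CSRF token cookie is suffixed with the Splunk Web port
// (e.g. splunkweb_csrf_token_8000). Returns '' when it is absent.
function getCsrfToken(cookieString, port) {
  return parseCookies(cookieString)['splunkweb_csrf_token_' + port] || '';
}

// Headers a browser-side POST to /splunkd/__raw needs: the form key must
// echo the token cookie, and X-Requested-With marks an XHR-style request.
function buildSplunkdHeaders(cookieString, port) {
  const token = getCsrfToken(cookieString, port);
  if (!token) {
    throw new Error('no splunkweb_csrf_token_' + port + ' cookie; log in to Splunk Web first');
  }
  return {
    'X-Splunk-Form-Key': token,
    'X-Requested-With': 'XMLHttpRequest',
    'Content-Type': 'application/json',
  };
}

// Model of the server-side check that produced the log line in the
// question: safe methods pass without a token, any other method requires
// the submitted form key to equal the cookie value.
function validateCsrf(method, cookieString, formKey, port) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) {
    return { ok: true, reason: 'safe method, CSRF check not applied' };
  }
  const expected = getCsrfToken(cookieString, port);
  if (!expected) {
    return { ok: false, reason: 'no CSRF cookie for port ' + port };
  }
  if (formKey !== expected) {
    return {
      ok: false,
      reason: 'expected "' + expected + '", but form parameter had "' + (formKey || '') + '"',
    };
  }
  return { ok: true, reason: 'form key matches cookie' };
}

// Constructed sample cookie jar, shaped like the one in the answer
// (values are placeholders, not real session material).
const SAMPLE_COOKIES =
  'splunkd_8000=SESSION_PLACEHOLDER; splunkweb_csrf_token_8000=1234567890123456789; ' +
  'session_id_8000=SESSIONID_PLACEHOLDER; login=; splunkweb_uid=';

// Browser usage (needs fetch and a logged-in Splunk Web session):
// fetch('/en-US/splunkd/__raw/services/echo', {
//   method: 'POST',
//   credentials: 'same-origin',
//   headers: buildSplunkdHeaders(document.cookie, location.port || 8000),
//   body: JSON.stringify({ my: 'data' }),
// });
```

The port suffix matters: a dashboard served on 8443 will not find splunkweb_csrf_token_8000, and the POST fails with the same "form parameter had ''" message even though a token cookie exists.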


eliav2
Explorer

Could you please explain further? I looked at the browser devtools and it seems that the CSRF token is already added. Why is this happening only on POST requests and not on GET requests?
