Custom API endpoint returning CSRF error on post?

zackurben
Engager

Hello, I am trying to get a custom API endpoint to work, but I am getting CSRF errors when posting any data to it:

401 (Splunk cannot authenticate the request. CSRF validation failed.)

My endpoint looks like this (my_app/bin/test.py):

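#!/usr/bin/python
# Python 2 handler (Splunk 7.1.2); echoes the session key and request headers.

import os
import csv
import splunk.rest  # import the submodule explicitly so splunk.rest resolves

class Echo(splunk.rest.BaseRestHandler):
   def handle_GET(self):
       self.response.setStatus(200)
       self.response.write('session: ' + self.sessionKey + '\n')

       # Write every received request header back to the caller
       for key, value in self.request["headers"].iteritems():
           self.response.write(key + ': ' + value + '\n')

   # POST is served by the same handler as GET
   handle_POST = handle_GET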

Splunk restmap.conf (my_app/default/restmap.conf):

[script:echo]
match=/echo
handler=test.Echo

Splunk web.conf (my_app/default/web.conf):

[expose:echo]
pattern=echo
methods=GET,POST

I've tried communicating with the API two different ways:

Over port 8000 (POST not working)

Over port 8089 (POST and GET working)

My log (/opt/splunk/var/log/splunk/splunkd.log) keeps saying this: ERROR UiAuth - Request from xxx.xxx.xxx.xxx to "/en-US/splunkd/__raw/services/echo" failed CSRF validation -- expected "5038769918656995927", but instead cookie had "5038769918656995927" and form parameter had ""

What I've tried:

  1. Adding skipCSRFProtection=1 to the endpoint's config in web.conf (documented feature), but it seems to have zero effect.
  2. Cleared my cookies for the domain, as detailed in this Splunk Answers question: answers.splunk.com/answers/581168/splunk-cannot-authenticate-the-request-csrf-valida.html
  3. Tried manually adding X-Splunk-Form-Key as a header, as suggested by this Splunk Answers question: answers.splunk.com/answers/661095/post-to-splunkd-raw-endpoint-returns-csrf-validati.html

It feels like the session cookies are not being transmitted properly, but that doesn't seem correct, given the headers received in the GET request example attached.

What I need:

I need to be able to communicate with the web API (authenticated) on port 8000 for GET and POST requests. I am trying to make requests in my custom dashboard:

const service = mvc.createService({
  owner: 'username here'
});

service.post(
  '/services/echo',
  JSON.stringify({ my: data }),
  function(err, response) {
    // what ever
  }
);

Other Info:

I'm running Splunk in Docker, using the 7.1.2 tag.

1 Solution

sylim_splunk
Splunk Employee

You may need to use curl with options like '-L' and the headers X-Splunk-Form-Key and X-Requested-With: XMLHttpRequest.
Here's the article for it: https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/SplunkAppforStreamRESTAPI

$ curl -Lk -u admin http://localhost:8000/en-GB/splunkd/__raw/services/myRESTCall -H 'Cookie: splunkd_8000=QHASm07YxvF4C8642PFHMRAS0PxRXLie7THbp261otk3pTmWJ2QVn4twqheZM^3_KZ6DDPzenJYszELi8VwvJPrKyJrK_hM75x45XjuzknW1Y7CGH6J4Kp6wakjj9MNAWF; splunkweb_csrf_token_8000=5089449155758749034; session_id_8000=b970b2c4c0b38eb917d980c5b6384f5152a8ad72; login=; splunkweb_uid=' -H 'X-Splunk-Form-Key: 5089449155758749034' -H 'X-Requested-With: XMLHttpRequest' -X POST
Enter host password for user 'admin':

session: PIPsP72nJ7Ha4Z_KEypI4TKtkSiIUQqlqkYmLYVp6PweuwSMRUF0hgHxPx8p_L1GDQQ7UpyU2t8Tk9QQm9fjDrAIIIEioNl5nquFPB1NYwD4Pn9MKWBmBpUwJ12kdxVMksZGfOxkqQ0
host: 127.0.0.1:8089
cookie: splunkd_8000=QHASm07YxvF4C8642PFHMRAS0PxRXLie7THbp261otk3pTmWJ2QVn4twqheZM^3_KZ6DDPzenJYszELi8VwvJPrKyJrK_hM75x45XjuzknW1Y7CGH6J4Kp6wakjj9MNAWF; splunkweb_csrf_token_8000=5089449155758749034; session_id_8000=b970b2c4c0b38eb917d980c5b6384f5152a8ad72; login=; splunkweb_uid=
x-requested-with: XMLHttpRequest
user-agent: curl/7.54.0
authorization: Basic YWRtaW46V2VsY29tZTA=
accept: */*
x-splunk-form-key: 5089449155758749034

Please make sure to include those headers for your testing.
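
The same fix expressed for the dashboard's browser context, as an added example that is not part of the original posts: a POST through Splunk Web has to repeat the value of the splunkweb_csrf_token_<port> cookie in the X-Splunk-Form-Key header. The helper names, the sample cookie string and the validation model are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Cookie and header names are the
// ones in the curl command above; the cookie value below is constructed.
const SAMPLE_COOKIES =
  'session_id_8000=constructed-session; splunkweb_csrf_token_8000=1234567890123456789; login=';

// Return the value of one cookie from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Build fetch() options for a POST through Splunk Web on the given port.
function buildSplunkWebPost(cookieString, webPort, body) {
  const token = readCookie(cookieString, 'splunkweb_csrf_token_' + webPort);
  if (!token) throw new Error('no CSRF cookie for port ' + webPort);
  return {
    method: 'POST',
    credentials: 'same-origin', // browser attaches the session cookies
    headers: {
      'X-Splunk-Form-Key': token, // second copy of the token, outside the cookie
      'X-Requested-With': 'XMLHttpRequest',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify(body)
  };
}

// Simplified model of the check behind the UiAuth log line (not Splunk's code).
// Assumption: only state-changing methods are checked, matching the thread's
// observation that GET works on port 8000 while POST fails.
function passesCsrfCheck(method, cookieString, webPort, headers) {
  if (method === 'GET') return true;
  const expected = readCookie(cookieString, 'splunkweb_csrf_token_' + webPort);
  const submitted = headers['X-Splunk-Form-Key'] || '';
  return Boolean(expected) && submitted === expected;
}

// In a dashboard script (assumes the CSRF cookie is readable by page script):
// fetch('/en-US/splunkd/__raw/services/echo',
//       buildSplunkWebPost(document.cookie, 8000, { my: 'data' }));
```

A request that carries the cookie but no X-Splunk-Form-Key header fails the model check the same way the log line reports: the cookie matches the expected value and the submitted copy is empty.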

eliav2
Explorer

Could you please explain further? I looked at the browser devtools and it seems that the CSRF token is already added. Why is this happening only on POST requests and not on GET requests?
