Custom API endpoint returning CSRF error on post

zackurben
Engager

Hello, I am trying to get a custom API endpoint to work, but I am getting CSRF errors when posting any data to it:

401 (Splunk cannot authenticate the request. CSRF validation failed.)

My endpoint looks like this (my_app/bin/test.py):

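#!/usr/bin/python

import os
import csv
import splunk.rest  # import the submodule explicitly so splunk.rest.BaseRestHandler resolves

class Echo(splunk.rest.BaseRestHandler):
   # Debug handler: echoes the session key and every request header back to the caller.
   def handle_GET(self):
       self.response.setStatus(200)
       self.response.write('session: ' + self.sessionKey + '\n')

       for key, value in self.request["headers"].iteritems():
           self.response.write(key + ': ' + value + '\n')

   # POST requests are served by the same handler as GET.
   handle_POST = handle_GET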

Splunk restmap.conf (my_app/default/restmap.conf):

[script:echo]
match=/echo
handler=test.Echo

Splunk web.conf (my_app/default/web.conf):

[expose:echo]
pattern=echo
methods=GET,POST

I've tried communicating with the API two different ways:

Over port 8000 (POST not working)

Over port 8089 (POST and GET working)

My log (/opt/splunk/var/log/splunk/splunkd.log) keeps saying this: ERROR UiAuth - Request from xxx.xxx.xxx.xxx to "/en-US/splunkd/__raw/services/echo" failed CSRF validation -- expected "5038769918656995927", but instead cookie had "5038769918656995927" and form parameter had ""

What I've tried:

  1. Adding skipCSRFProtection=1 to the endpoint's config in web.conf (documented feature), but it seems to have zero effect.
  2. Cleared my cookies for the domain, as detailed in this splunk answers question: answers.splunk.com/answers/581168/splunk-cannot-authenticate-the-request-csrf-valida.html
  3. Tried manually adding X-Splunk-Form-Key as a header, as suggested by this splunk answers question: answers.splunk.com/answers/661095/post-to-splunkd-raw-endpoint-returns-csrf-validati.html

It feels like the session cookies are not being transmitted properly, but that doesn't seem correct, given the headers received in the GET request example attached.

What I need:

I need to be able to communicate with the web API (authenticated) on port 8000 for GET and POST requests. I am trying to make requests in my custom dashboard:

const service = mvc.createService({
  owner: 'username here'
});

service.post(
  '/services/echo',
  JSON.stringify({ my: data }),
  function(err, response) {
    // what ever
  }
);

Other Info:

I'm running splunk in docker, using the 7.1.2 tag.

1 Solution

sylim_splunk
Splunk Employee

You may need to use curl with options like '-L' and the headers X-Splunk-Form-Key and X-Requested-With: XMLHttpRequest.
Here's the article for it: https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/SplunkAppforStreamRESTAPI

$ curl -Lk -u admin http://localhost:8000/en-GB/splunkd/__raw/services/myRESTCall -H 'Cookie: splunkd_8000=QHASm07YxvF4C8642PFHMRAS0PxRXLie7THbp261otk3pTmWJ2QVn4twqheZM^3_KZ6DDPzenJYszELi8VwvJPrKyJrK_hM75x45XjuzknW1Y7CGH6J4Kp6wakjj9MNAWF; splunkweb_csrf_token_8000=5089449155758749034; session_id_8000=b970b2c4c0b38eb917d980c5b6384f5152a8ad72; login=; splunkweb_uid=' -H 'X-Splunk-Form-Key: 5089449155758749034' -H 'X-Requested-With: XMLHttpRequest' -X POST
Enter host password for user 'admin':

session: PIPsP72nJ7Ha4Z_KEypI4TKtkSiIUQqlqkYmLYVp6PweuwSMRUF0hgHxPx8p_L1GDQQ7UpyU2t8Tk9QQm9fjDrAIIIEioNl5nquFPB1NYwD4Pn9MKWBmBpUwJ12kdxVMksZGfOxkqQ0
host: 127.0.0.1:8089
cookie: splunkd_8000=QHASm07YxvF4C8642PFHMRAS0PxRXLie7THbp261otk3pTmWJ2QVn4twqheZM^3_KZ6DDPzenJYszELi8VwvJPrKyJrK_hM75x45XjuzknW1Y7CGH6J4Kp6wakjj9MNAWF; splunkweb_csrf_token_8000=5089449155758749034; session_id_8000=b970b2c4c0b38eb917d980c5b6384f5152a8ad72; login=; splunkweb_uid=
x-requested-with: XMLHttpRequest
user-agent: curl/7.54.0
authorization: Basic YWRtaW46V2VsY29tZTA=
accept: */*
x-splunk-form-key: 5089449155758749034

Please make sure to include those headers for your testing.
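The asker's dashboard case, as an added example that is not part of the original thread: it reads the `splunkweb_csrf_token_8000` cookie and sends the same value back in `X-Splunk-Form-Key`, the pairing the accepted answer's curl command uses. The function names, the constructed sample cookie string and the simplified `passesCsrfCheck` model are assumptions, as is the token cookie being readable from page script.

```javascript
// Added example. Only the cookie name, the two headers and the URL shape come
// from this page; every function name here is hypothetical.

// Pull the Splunk Web CSRF token for a web port out of a cookie string
// (in a dashboard, pass document.cookie).
function csrfTokenFromCookies(cookieString, port) {
  const wanted = 'splunkweb_csrf_token_' + port;
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === wanted) {
      return part.slice(eq + 1).trim() || null;
    }
  }
  return null;
}

// Build fetch() options for a POST that goes through Splunk Web (port 8000).
function buildSplunkWebPost(cookieString, port, payload) {
  const token = csrfTokenFromCookies(cookieString, port);
  if (!token) throw new Error('no splunkweb_csrf_token_' + port + ' cookie');
  return {
    method: 'POST',
    credentials: 'same-origin', // session cookies travel with the request
    headers: {
      'X-Splunk-Form-Key': token, // must equal the cookie value
      'X-Requested-With': 'XMLHttpRequest',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify(payload)
  };
}

// Simplified model (an assumption) of the comparison the UiAuth log line
// reports: the submitted form key must equal the token held in the cookie.
function passesCsrfCheck(cookieToken, formKey) {
  return Boolean(cookieToken) && cookieToken === formKey;
}

// Constructed cookie string; the token value is the one in the question's log.
const SAMPLE_COOKIES =
  'session_id_8000=constructed; splunkweb_csrf_token_8000=5038769918656995927; login=';

// Dashboard usage:
// fetch('/en-US/splunkd/__raw/services/echo',
//       buildSplunkWebPost(document.cookie, 8000, { my: 'data' }));
```

An empty form key, as in the question's log line, fails `passesCsrfCheck` even though the cookie itself is correct.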
