Custom API endpoint returning CSRF error on post?

zackurben
Engager

Hello, I am trying to get a custom API endpoint to work, but I am getting CSRF errors when posting any data to it:

401 (Splunk cannot authenticate the request. CSRF validation failed.)

My endpoint looks like this (my_app/bin/test.py):

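#!/usr/bin/python

# Import the submodule explicitly; "import splunk" alone does not guarantee
# that splunk.rest is loaded.
import splunk.rest

class Echo(splunk.rest.BaseRestHandler):
   # Echo the splunkd session key and every request header back to the caller.
   def handle_GET(self):
       self.response.setStatus(200)
       self.response.write('session: ' + self.sessionKey + '\n')

       # items() works on both Python 2 and Python 3
       for key, value in self.request["headers"].items():
           self.response.write(key + ': ' + value + '\n')

   # POST is handled exactly like GET
   handle_POST = handle_GET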

Splunk restmap.conf (my_app/default/restmap.conf):

[script:echo]
match=/echo
handler=test.Echo

Splunk web.conf (my_app/default/web.conf):

[expose:echo]
pattern=echo
methods=GET,POST

I've tried communicating with the API two different ways:

Over port 8000 (POST not working)

Over port 8089 (POST and GET working)

My log (/opt/splunk/var/log/splunk/splunkd.log) keeps saying this: ERROR UiAuth - Request from xxx.xxx.xxx.xxx to "/en-US/splunkd/__raw/services/echo" failed CSRF validation -- expected "5038769918656995927", but instead cookie had "5038769918656995927" and form parameter had ""

What I've tried:

  1. Adding skipCSRFProtection=1 to the endpoint's config in web.conf (documented feature), but it seems to have zero effect.
  2. Cleared my cookies for the domain, as detailed in this Splunk Answers question: answers.splunk.com/answers/581168/splunk-cannot-authenticate-the-request-csrf-valida.html
  3. Tried manually adding X-Splunk-Form-Key as a header, as suggested by this Splunk Answers question: answers.splunk.com/answers/661095/post-to-splunkd-raw-endpoint-returns-csrf-validati.html

It feels like the session cookies are not being transmitted properly, but that doesn't seem correct, given the headers received in the GET request example attached.

What I need:

I need to be able to communicate with the web API (authenticated) on port 8000 for GET and POST requests. I am trying to make requests in my custom dashboard:

const service = mvc.createService({
  owner: 'username here'
});

service.post(
  '/services/echo',
  JSON.stringify({ my: data }),
  function(err, response) {
    // whatever
  }
);

Other Info:

I'm running splunk in docker, using the 7.1.2 tag.

1 Solution

sylim_splunk
Splunk Employee

You may need to use curl with options like '-L' and the headers X-Splunk-Form-Key and X-Requested-With: XMLHttpRequest.
Here's the article for it: https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/SplunkAppforStreamRESTAPI

$ curl -Lk -u admin http://localhost:8000/en-GB/splunkd/__raw/services/myRESTCall -H 'Cookie: splunkd_8000=QHASm07YxvF4C8642PFHMRAS0PxRXLie7THbp261otk3pTmWJ2QVn4twqheZM^3_KZ6DDPzenJYszELi8VwvJPrKyJrK_hM75x45XjuzknW1Y7CGH6J4Kp6wakjj9MNAWF; splunkweb_csrf_token_8000=5089449155758749034; session_id_8000=b970b2c4c0b38eb917d980c5b6384f5152a8ad72; login=; splunkweb_uid=' -H 'X-Splunk-Form-Key: 5089449155758749034' -H 'X-Requested-With: XMLHttpRequest' -X POST
Enter host password for user 'admin':

session: PIPsP72nJ7Ha4Z_KEypI4TKtkSiIUQqlqkYmLYVp6PweuwSMRUF0hgHxPx8p_L1GDQQ7UpyU2t8Tk9QQm9fjDrAIIIEioNl5nquFPB1NYwD4Pn9MKWBmBpUwJ12kdxVMksZGfOxkqQ0
host: 127.0.0.1:8089
cookie: splunkd_8000=QHASm07YxvF4C8642PFHMRAS0PxRXLie7THbp261otk3pTmWJ2QVn4twqheZM^3_KZ6DDPzenJYszELi8VwvJPrKyJrK_hM75x45XjuzknW1Y7CGH6J4Kp6wakjj9MNAWF; splunkweb_csrf_token_8000=5089449155758749034; session_id_8000=b970b2c4c0b38eb917d980c5b6384f5152a8ad72; login=; splunkweb_uid=
x-requested-with: XMLHttpRequest
user-agent: curl/7.54.0
authorization: Basic YWRtaW46V2VsY29tZTA=
accept: */*
x-splunk-form-key: 5089449155758749034

Please make sure to include those headers for your testing.
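
Added example (not part of the original thread, and not Splunk's code): the JavaScript below builds the two headers from the curl command above out of the splunkweb_csrf_token_<port> cookie, then runs them through a simplified model of the comparison that the splunkd.log line in the question reports. The helper names, the sample cookie values and the rule that only GET is exempt (taken from what the thread observes) are assumptions made for illustration.

```javascript
// Added example: helper names and sample values are constructed; the check is
// a simplified model of the splunkd.log comparison, not Splunk's implementation.

// Parse a Cookie header (or document.cookie) string into a Map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Build the headers from the answer's curl command, taking the form key from
// the splunkweb_csrf_token_<port> cookie rather than hard-coding it.
function buildSplunkWebHeaders(cookieString, port) {
  const name = 'splunkweb_csrf_token_' + port;
  const token = parseCookies(cookieString).get(name);
  if (!token) throw new Error('cookie ' + name + ' not found; log in to Splunk Web first');
  return { 'X-Splunk-Form-Key': token, 'X-Requested-With': 'XMLHttpRequest' };
}

// Model: GET is not checked (as observed in the thread); any other method must
// carry a form key equal to both the expected token and the cookie.
function checkDoubleSubmit(method, expected, cookieString, headers, port) {
  if (method === 'GET') return { ok: true, detail: 'GET is not CSRF-checked' };
  const cookie = parseCookies(cookieString).get('splunkweb_csrf_token_' + port) || '';
  const formKey = headers['X-Splunk-Form-Key'] || '';
  const ok = cookie === expected && formKey === expected;
  const detail = ok ? 'validated'
    : 'expected "' + expected + '", but instead cookie had "' + cookie +
      '" and form parameter had "' + formKey + '"';
  return { ok, detail };
}

// Constructed sample: cookies of a logged-in browser session on port 8000.
const SAMPLE_COOKIES = 'splunkweb_csrf_token_8000=1234567890123456789; session_id_8000=constructed-session-id';

function demo() {
  const token = '1234567890123456789'; // constructed token value
  return {
    get: checkDoubleSubmit('GET', token, SAMPLE_COOKIES, {}, 8000),
    postBare: checkDoubleSubmit('POST', token, SAMPLE_COOKIES, {}, 8000),
    postWithKey: checkDoubleSubmit('POST', token, SAMPLE_COOKIES,
      buildSplunkWebHeaders(SAMPLE_COOKIES, 8000), 8000),
  };
}
console.log(demo());
```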

eliav2
Explorer

Could you please explain further? I looked at the browser devtools and it seems that the CSRF token is already added. Why is this happening only on POST requests and not on GET requests?
