Monitoring Splunk

POST to /splunkd/__raw endpoint returns CSRF validation failed

louisjannett
Engager

Hello,

I have a confusing issue with the Splunk endpoint POST method execution. Every time I'm trying to send a GET request to my custom endpoint, everything works as expected. But when I am sending a POST request with the identical parameters and Cookies, the API returns a 401 status code and says: "Splunk cannot authenticate the request. CSRF validation failed.". I have no clue why this happens because the CSRF Token in the request is still the same token as the token in the GET request. Moreover the response of the GET request returns the identical CSRF cookie which is afterwards used again by the POST method.

Using the API over the management port on 8089 works perfectly fine with GET and POST requests. This happens just with the /splunkd/__raw webservice endpoint.

Does anyone have an idea about what is causing this error?
Thanks in advance!

Request:

POST /en-GB/splunkd/__raw/services/test_endpoint HTTP/1.1
Host: localhost:8000
Content-Length: 10
Origin: http://localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Referer: http://localhost:8000/en-GB/splunkd/__raw/services/test_endpoint?payload=Hello
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: splunkweb_csrf_token_8000=XXX; session_id_8000=XXX; token_key=XXX; experience_id=XXX; splunkd_8000=XXX
Connection: close

Hello POST

Response:

HTTP/1.1 401 Splunk cannot authenticate the request. CSRF validation failed.
Date: Fri, 25 May 2018 07:02:13 GMT
Content-Type: text/xml; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 181
Vary: Cookie
Connection: Close
X-Frame-Options: SAMEORIGIN
Server: Splunkd

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Splunk cannot authenticate the request. CSRF validation failed.</msg>
  </messages>
</response>

sjodle
Path Finder

When logged into the Splunk Web GUI, Splunk sets a cookie called token_key.

When POSTing, PATCHing, DELETEing, etc. to a custom endpoint, you need to pass this token back by including the following headers in your request:

X-Requested-With = XMLHttpRequest
X-Splunk-Form-Key = <the value of the token_key cookie>

This isn't documented anywhere, as far as I could tell.

badarsebard
Communicator

Thank you so much this was driving me crazy!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...