Jenkins | devops | ~10 mins

CSRF protection in Jenkins - Step-by-Step Execution

Process Flow - CSRF protection
1. User sends request
2. Is a CSRF token present in the request?
   - No -> Reject request
   - Yes -> continue
3. Does the token match the server's expected token?
   - No -> Reject request
   - Yes -> continue
4. Process request
5. Send response
The server checks that the request carries a CSRF token and that it matches the expected token before processing the request.
Execution Sample (Jenkins)
curl -X POST \
  -H "Jenkins-Crumb: abc123" \
  http://jenkins.example.com/job/test/build
This command sends a POST request that triggers a Jenkins job build, passing the CSRF token (crumb) in the Jenkins-Crumb header.
Process Table
Step | Action | CSRF Token Present? | Token Valid? | Result
1 | Receive POST request | Yes | Check token value | Proceed to validation
2 | Validate token | Yes | Matches server token | Request accepted
3 | Process job build | Yes | Matches server token | Job triggered
4 | Send response | Yes | Matches server token | Success response sent
5 | Receive POST request without token | No | N/A | Request rejected
6 | Receive POST request with wrong token | Yes | Does not match | Request rejected
💡 Requests without a valid CSRF token are rejected to protect Jenkins from CSRF attacks.
Status Tracker
Variable | Start | After Step 1 | After Step 2 | After Step 3 | Final
CSRF Token in Request | None | abc123 | abc123 | abc123 | abc123
Server Expected Token | abc123 | abc123 | abc123 | abc123 | abc123
Request Status | Pending | Pending | Validated | Processed | Completed
Key Moments - 3 Insights
Why does Jenkins reject a POST request without a CSRF token?
Because row 5 of the execution_table shows that when the token is missing, Jenkins rejects the request to prevent unauthorized actions.
What happens if the CSRF token does not match the server's token?
As shown in execution_table row 6, Jenkins rejects the request to protect against forged requests.
Why is the CSRF token included in the request header?
Including the token in the header allows Jenkins to verify the request is legitimate before processing, as seen in steps 1 and 2 of the execution_table.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table: at which step is the CSRF token first checked?
A. Step 5
B. Step 3
C. Step 1
D. Step 6
💡 Hint
Check the 'CSRF Token Present?' column in the execution_table rows.
According to the variable_tracker, what is the value of 'Request Status' after step 2?
A. Validated
B. Pending
C. Processed
D. Completed
💡 Hint
Look at the 'Request Status' row under 'After Step 2' in the variable_tracker.
If the CSRF token in the request was 'wrongtoken', what would happen according to the execution_table?
A. Request accepted
B. Request rejected
C. Request processed anyway
D. Request ignored silently
💡 Hint
See row 6 in the execution_table, where the token does not match.
Concept Snapshot
CSRF protection in Jenkins:
- Jenkins requires a CSRF token (crumb) in POST requests.
- The token is sent in the 'Jenkins-Crumb' header.
- The server validates that the token matches the expected value.
- Requests without a valid token are rejected.
- This prevents unauthorized commands from external sites.
Full Transcript
CSRF protection in Jenkins works by requiring a special token called a crumb in POST requests. When Jenkins receives a request, it first checks if the CSRF token is present. If missing, Jenkins rejects the request immediately. If present, Jenkins compares the token with the expected server token. If they match, the request is accepted and processed, such as triggering a job build. If the token does not match, Jenkins rejects the request to prevent unauthorized actions. This mechanism protects Jenkins from cross-site request forgery attacks by ensuring only legitimate requests with valid tokens are processed.
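The decision flow described in the process flow and transcript above, written out as a server-side check. This is an added example, not Jenkins' own code: the Request class, the expected crumb value abc123 and the response bodies are constructed for illustration. It goes slightly beyond the page in two ways that match Jenkins' behaviour: the crumb is also accepted as a form field named Jenkins-Crumb, and only POST requests are required to carry one.

```python
import hmac
from dataclasses import dataclass, field

# Name Jenkins uses for the crumb, as a request header or a form field
CRUMB_FIELD = "Jenkins-Crumb"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def extract_crumb(req: Request):
    """Read the crumb from the header first, then from a form parameter of the same name."""
    crumb = req.headers.get(CRUMB_FIELD)
    if crumb is None:
        crumb = req.form.get(CRUMB_FIELD)
    return crumb


def check_crumb(req: Request, expected_crumb: str):
    """Flow from the page: missing -> reject, mismatch -> reject, match -> proceed.

    Returns (accepted, reason). Only POST is state-changing here, so other methods pass.
    """
    if req.method.upper() != "POST":
        return True, "non-POST request, no crumb required"
    crumb = extract_crumb(req)
    if crumb is None:
        return False, "no crumb in request"
    # Constant-time comparison: the time taken must not reveal how many leading bytes matched
    if not hmac.compare_digest(crumb.encode(), expected_crumb.encode()):
        return False, "crumb does not match server crumb"
    return True, "crumb valid"


def handle(req: Request, expected_crumb: str) -> dict:
    """Run the crumb check before doing any work; answer 403 with the reason when it fails."""
    accepted, reason = check_crumb(req, expected_crumb)
    if not accepted:
        return {"status": 403, "body": reason}
    if req.method.upper() == "POST" and req.path.endswith("/build"):
        return {"status": 201, "body": f"build queued for {req.path}"}
    return {"status": 200, "body": reason}
```

Rows 1-4 of the process table correspond to the first call below, rows 5 and 6 to the missing and wrong crumb cases.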