I've been implementing ASP ARF tokens in my MVC3 web application and have read up on how the CSRF exploit works and how ARF tokens defend against it. Now I was wondering whether 'hackers' couldn't bypass the ARF check by using an extra step. The normal CSRF scenario is like:
Because of our ARF token, the BankingSite knows to ignore the POST coming from HackerSite, because it's missing the right ARF token. Could anyone tell me why the hacker couldn't just get the token by doing a GET request first on the BankingSite? Like this:
Does anyone know what I'm missing here, and how ARF is secured against such an attack?
The attacker doesn't know the victim's cookies. The token is generated based on them. If your site has other XSS holes, this method can't protect against the CSRF vulnerability.
If you send AJAX, the Referer header would be HackerSite, not BankSite. So you don't have access to the closed part of the site (you can't access the CSRF token). It's Http-Only, so you can't just take it by JavaScript. Your plan will fail at the point where you want to send the GET request to the victim site.
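Both answers above come down to the same point: the form token is bound to the session cookie, so a token minted for the attacker's own cookie does not validate when the victim's browser submits it with the victim's cookie. The following is an added, constructed example (not the asker's code and not ASP.NET's own AntiForgery implementation, which differs in its encoding and key handling) of a simplified cookie-bound token scheme that illustrates why the "GET first, then POST" idea from the question fails. The server key, cookie format and the `handle_transfer_post` handler are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret (constructed). In a real deployment this would be
# persistent server configuration, never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def issue_session_cookie() -> str:
    """Simulate the HttpOnly session cookie the site sets for each browser."""
    return secrets.token_hex(16)


def issue_form_token(session_cookie: str) -> str:
    """Mint an anti-forgery token bound to the caller's session cookie.

    token = nonce "." HMAC(SERVER_KEY, cookie ":" nonce)
    Only a request carrying the same cookie will validate this token.
    """
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, f"{session_cookie}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def validate_form_token(session_cookie: str, form_token: str) -> bool:
    """Recompute the MAC from the cookie actually sent with the request."""
    try:
        nonce, mac = form_token.split(".", 1)
    except ValueError:
        return False  # malformed or empty token
    expected = hmac.new(SERVER_KEY, f"{session_cookie}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer_post(request_cookie: str, form_token: str) -> str:
    """Assumed POST handler: reject unless cookie and token belong together."""
    if not validate_form_token(request_cookie, form_token):
        return "rejected"
    return "accepted"


def simulate_scenario() -> dict:
    """Walk through the legitimate flow and the scenario from the question."""
    victim_cookie = issue_session_cookie()
    attacker_cookie = issue_session_cookie()

    # Legitimate flow: the victim's browser GETs the form and receives a token
    # bound to the victim's own cookie, then POSTs both back.
    victim_token = issue_form_token(victim_cookie)
    legit = handle_transfer_post(victim_cookie, victim_token)

    # The question's scenario: HackerSite does its own GET first. The server can
    # only bind that token to the cookie it actually sees, i.e. the attacker's.
    # When the victim's browser later makes the forged POST, it automatically
    # attaches the *victim's* cookie, so the pair no longer matches.
    attacker_token = issue_form_token(attacker_cookie)
    forged = handle_transfer_post(victim_cookie, attacker_token)

    # Classic CSRF with no token at all is rejected as well.
    no_token = handle_transfer_post(victim_cookie, "")

    return {"legit": legit, "forged_with_attacker_token": forged, "no_token": no_token}


if __name__ == "__main__":
    for name, outcome in simulate_scenario().items():
        print(f"{name}: {outcome}")
```

The reason the attacker cannot simply read a token for the victim's cookie is the browser's same-origin policy: a cross-site GET from HackerSite to BankingSite returns a response that HackerSite's script is not allowed to read, and the HttpOnly cookie is not readable from script either. The binding in the code above is what turns that into a hard failure on the server side; if the site also had an XSS hole on BankingSite itself, script running in that origin could read the form and the defence would not help, which is the caveat the first answer raises.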