There is quite a lot written about preventing CSRF.
But I just don't get it: why can't I just parse the CSRF token out of the target page's form and submit it with my forged request?
If you are able to inject script code into the target page (XSS) then yes, you can do that, thus rendering the CSRF prevention useless.
The CSRF token has to be stored in the page the end-user receives (or he won't know it either).
In fact, in security assessments, XSS is usually evaluated not for its own damage potential but for its use in just such attacks.
CSRF attacks are blind. They do session riding and the attacker has no direct control unless he can extract the token via an XSS vulnerability. Normally a session-wide token can be used. Rotating tokens per request might be overkill and could lead to false alarms. I prefer to use tokens per resource with a master session token.
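Both answers above rest on the same point: the token is visible only to code running in the page the legitimate user received, so a cross-site page that cannot read that response cannot supply it. The following is an added example (not code from either answer) that models this on the server side with a per-session master secret and per-resource tokens derived from it, as the second answer suggests. The in-memory session store, the `/transfer` and `/delete` resource names and the form markup are constructed for the illustration; a real application would keep the master secret in its session storage and emit the token in its templates.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store: session_id -> master CSRF secret.
# In a real application this lives in the server-side session.
SESSIONS: Dict[str, bytes] = {}


def create_session() -> str:
    """Start a session and issue a random per-session master secret."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def csrf_token(session_id: str, resource: str) -> str:
    """Derive a per-resource token from the session's master secret.

    HMAC-SHA256 binds the token both to the session (different users get
    different tokens) and to the resource (a token for /transfer does not
    validate for /delete). Nothing extra has to be stored per resource.
    """
    master = SESSIONS[session_id]
    return hmac.new(master, resource.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str, resource: str) -> str:
    """The HTML the legitimate page serves: the token rides in a hidden field."""
    token = csrf_token(session_id, resource)
    return (
        f'<form method="POST" action="{resource}">'
        f'<input type="hidden" name="csrf" value="{token}">'
        '</form>'
    )


def extract_token(html: str) -> Optional[str]:
    """What same-origin script (or a user) can do: read the token out of the form.

    A cross-site attacker page cannot run this on the victim's copy of the
    form, because the browser's same-origin policy blocks reading the response.
    """
    match = re.search(r'name="csrf" value="([0-9a-f]+)"', html)
    return match.group(1) if match else None


def handle_post(session_id: Optional[str], resource: str,
                fields: Dict[str, str]) -> Tuple[int, str]:
    """Server-side check on a state-changing POST.

    The session cookie is sent automatically by the browser even on a forged
    cross-site request, so the cookie alone proves nothing. The submitted token
    must match the one derived for this session and this resource; the compare
    is constant-time so the check leaks nothing about the expected value.
    """
    if session_id is None or session_id not in SESSIONS:
        return 401, "no session"
    submitted = fields.get("csrf", "")
    expected = csrf_token(session_id, resource)
    if not hmac.compare_digest(submitted, expected):
        return 403, "csrf token missing or invalid"
    return 200, "ok"


if __name__ == "__main__":
    victim = create_session()
    # Legitimate flow: the user's browser loads the form and submits it.
    form = render_form(victim, "/transfer")
    print(handle_post(victim, "/transfer", {"csrf": extract_token(form)}))
    # Forged cross-site POST: cookie present, but the token was never readable.
    print(handle_post(victim, "/transfer", {}))
    # Attacker's own token, obtained from their own session, fails for the victim.
    attacker = create_session()
    print(handle_post(victim, "/transfer", {"csrf": csrf_token(attacker, "/transfer")}))
    # Token for one resource does not authorize another.
    print(handle_post(victim, "/delete", {"csrf": csrf_token(victim, "/transfer")}))
```

Run it directly to see the four outcomes: the legitimate submission returns 200, the forged request with no token returns 403, a token from the attacker's own session returns 403, and a `/transfer` token replayed against `/delete` returns 403. The last two cases are why deriving the token from a session-bound secret matters: a token is not a secret shared by all users, and it is not valid for every endpoint.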