How does the token prevent a CSRF attack?

I have read about CSRF and how the Unpredictable Synchronizer Token Pattern is used to prevent it. I didn't quite understand how it works.

Let's take this scenario:

A user is logged into a site with this form:

    <form action="changePassword" method="POST">
        <input type="text" name="password"><br>
        <input type="hidden" name="token" value="asdjkldssdk22332nkadjf">
    </form>

The server also stores the token in the session. When the request is sent it compares the token in the form data to the token in the session.

How does that prevent CSRF when the hacker can write JavaScript code that will:

  1. Send a GET request to the site
  2. Receive html text containing the request form.
  3. Search the html text for the CSRF token.
  4. Make the malicious request using that token.

Am I missing something?

david asked Jul 09 '15 16:07


People also ask

How does CSRF token prevent CSRF?

CSRF tokens can prevent CSRF attacks by making it impossible for an attacker to construct a fully valid HTTP request suitable for feeding to a victim user.

How can CSRF attacks be prevented?

The most popular method to prevent Cross-Site Request Forgery is to use a challenge token that is associated with a particular user and that is sent as a hidden value in every state-changing form in the web app.

How does CSRF token work?

A CSRF token is a secure random token (e.g., a synchronizer token or challenge token) that is used to prevent CSRF attacks. The token needs to be unique per user session and should be a large random value so that it cannot be guessed. A CSRF-secure application assigns a unique CSRF token to every user session.

How do I know if my CSRF token is working?

One way to test it: open the developer tools in your browser, find the input element for the CSRF token, and edit the token value. Then trigger a POST submission. This should cause an error, typically HTTP status 403.


1 Answer

The attacker can't use JavaScript to read the token from the site, because it would be a cross-origin request and access to the data from it is blocked (by default) by the Same Origin Policy (MDN, W3C).

Take this for example:

    // Attempt a cross-origin read from a page hosted on another origin
    var xhr = new XMLHttpRequest();
    xhr.open("GET", "http://google.com");
    xhr.addEventListener('load', function (ev) {
        console.log(this.responseText);
    });
    xhr.send();

The JS console reports:

XMLHttpRequest cannot load http://google.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource.

Quentin answered Oct 04 '22 04:10