Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why can't a malicious site obtain a CSRF token via GET before attacking?

Tags:

browser

ajax

security

csrf

csrf-protection

If I understand correctly, in a CSRF attack a malicious website A tells my browser to send a request to site B. My browser will automatically include my B cookies in that request. Although A cannot see those cookies, if I'm already authenticated in B the request will look legit, and whatever action was asked will be successfully performed. To avoid this, every time that I visit a page of B containing a form, I receive a CSRF token. This token is associated to my session, so if I make a POST to B I MUST include such token; otherwise B rejects my request. The benefit of this scheme is that A will not have access to that token.

I have two questions:

  • Is the above description correct?
  • If so, why can't site A first tell my browser to send a GET to B, obtain the CSRF token from the response, and then use the token to send now a POST to B? Notice that the token will be valid and associated to my session, as the GET also contains all my B cookies.

Thanks!

like image 391
thelastone Avatar asked Nov 28 '16 09:11

thelastone

People also ask

What is required for a CSRF attack to take place?

The attack will only be successful if the user is in an active session with the vulnerable application. An attacker must find a valid URL to maliciously craft. The URL needs to have a state-changing effect on the target application. An attacker also needs to find the right values for the URL parameters.

Why is CSRF difficult to detect?

"CSRF attacks are also very difficult to detect, because they look very much like a legitimate request from a trusted user." OWASP currently ranks CSRF attacks as the number eight most common and critical Web application vulnerability, down from the five spot since the last list was compiled.

Is CSRF token necessary for GET request?

CSRF tokens prevent CSRF because without token, attacker cannot create a valid requests to the backend server. CSRF tokens should not be transmitted using cookies. The CSRF token can be added through hidden fields, headers, and can be used with forms, and AJAX calls.

2 Answers

Your description is correct.

If site A tells your browser to go to B and get the token, that's fine, but as it is a cross-domain request, A will not have access to the token in Javascript (this is a browser feature). So when A tells your browser to go back to B and actually do something, it still cannot include the token in the request.

That is, unless B set the token as a cookie. Evidently, that would be flawed, because the token cookie would also be sent, thus negating any protection. So the token in this case must be sent as either a form value or a request header (or something else that is not sent automatically like a cookie).

This also means that if B is vulnerable to cross-site scripting, it is also vulnerable to CSRF, because the token can then be stolen, but CSRF is the smaller problem then. :)

like image 110
Gabor Lengyel Avatar answered Oct 25 '22 13:10

Gabor Lengyel

Correct.

Site A can't get site B's csrf token because of the browser's CORS strategy.

And we need to validate the request's referer(It can be forged). https://en.wikipedia.org/wiki/HTTP_referer

It is also a good practice to validate the crsf token in url(AKA query string).

FYI,Laravel, a popular web framework, uses a hidden CSRF token field in the form to prevent csrf attack.

like image 32
solarhell Avatar answered Oct 25 '22 11:10

solarhell
Sign in to Comment

Related questions

Download PDF file With FTP using XMLHttpRequest and generic handler
Update element with ajax don't affect until for loop end
Uncaught Error: Class 'WP_Query' not found in url - Wordpress
Can't get value from Summernote textarea using Javascript AJAX send post data
Ajax success response and select option append
Dynamic shipping fee based on custom radio buttons in Woocommerce
Login and register via ajax is secure or not?
Cross-Origin Read Blocking (CORB) when get data from Directions API using axios with Nuxt js
Access to key value of returned array from the ajax response
What is the difference between ajax post request and form post request?
In laravel blade page saying $.ajax is not a function
How to do AsyncPostBackTrigger for the LinkButton in the Repeater
How to parse JSONP data returned from remote server
XMLHttpRequest POST multipart/form-data
Reload the page after ajax success
How to handle model state errors in ajax-invoked controller action that returns a PartialView
Parsing returned HTML from jQuery AJAX request
Sending Chunked HTTP request from Javascript
Why is this jQuery ajax click event firing multiple times?
Trying to figure out Ruby on Rails remote: true callbacks

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!