user269334
Reputation: 569
Are csrf-tokens effective even when I can do this?
I've been playing around with chrome's console.
I found that I can access the textual version of my source code through:
document.scripts[2].outerText
(the number "2" depends on where the main source code is)
after that, all I had to do was:
temp = document.scripts[2].outerText;
temp.indexOf("csrf_token")
and couple of other things to get the csrf_token
Does this mean if I can do xss (or run custom JS on the website), then csrf token can fail?
Thanks in advance :D
Upvotes: 1
Views: 181
Answers (1)
Quentin
Reputation: 943214
Does this mean if I can do xss (or run custom JS on the website), then csrf token can fail?
Yes. If there is a security hole that lets an attacker perform XSS, then CSRF protection can be circumvented (as can many other things).
The trick is to defend against all kinds of attacks. :)
Upvotes: 1
Related Questions
- CSRF token generation
- When should CSRF tokens be needed?
- is putting token in URL secure to prevent CSRF attacks in PHP applications?
- Passing a CSRF token
- How to protect against CSRF
- Preventing CSRF with tokens in a AJAX based application
- CSRF and ever changing tokens
- Is this a secure way to set the token CSRF?
- CSRF protection: do we have to generate a token for every form?
- anti-CSRF token and Javascript