rahulmr

Reputation: 681

CSRF in token based authentication

We have a token-based OAuth authentication mechanism for our AngularJS application. The Acunetix tool indicated that an XSRF threat is present.

Is CSRF an issue for token-based authentication (because we are not using any cookies for user identification / authentication / sessions)?

If CSRF is an issue for token-based authentication, is there any way to implement prevention without using cookies?

Upvotes: 5

Views: 3520

Answers (1)

Ilya Chernomordik

Reputation: 30195

As far as I know, token-based authentication is in no way affected by CSRF. E.g. if you use cookies and bad guys lure users onto their site, where they can create a special button that will do a POST to your site -> here is CSRF, where you can execute some requests on behalf of the users.

Now if you use tokens that are stored in session/local storage, for example, they are never automatically passed with the request. You probably use something like an Angular interceptor or similar technology to pass it along with every XHR request. This never happens automatically.

You can read a bit more on token auth in this very good post. In point number 6 there is a little section about XSRF/CSRF and XSS.

In my modest experience these big security tools can often tell you something that is not true just to make themselves seem more "significant". But it would be interesting to know exactly how it plans to execute CSRF and what exactly made it think it is possible. E.g. you might have a cookie that you missed?

P.S. An XSS attack (to steal the token) gets more possible with tokens, since you can put HTTP-only like for cookies. So any successful XSS will be able to read your token, so you need to make sure that you have good protection against that. But it's usually covered well by frameworks.

Upvotes: 5
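The answer's reasoning, as an added example that is not part of the question, the answer, or any scanner output: a small model of what the browser attaches automatically to a cross-site request versus what the app's own interceptor adds, checked against three server-side policies (the "cookie you missed" case is the one a scanner would rightly flag). All function names and sample values are constructed assumptions.

```javascript
// Added illustration: models why a bearer token in a header is not exposed to
// CSRF the way a session cookie is. Names and sample values are constructed.

const SESSION_COOKIE = "sid=abc123";         // constructed session cookie
const BEARER_TOKEN = "tok-4f9a";             // constructed bearer token

// Model of the browser: cookies for the target origin ride along with every
// request, including one a third-party page triggers (e.g. a hidden form post);
// an Authorization header is only present when the app's own code sets it.
function browserRequest({ initiatedBy, token }) {
  const headers = { cookie: SESSION_COOKIE };
  if (initiatedBy === "app" && token) {
    headers.authorization = `Bearer ${token}`; // what an Angular interceptor does
  }
  return { method: "POST", path: "/api/transfer", headers };
}

// Three server-side policies, each returning an HTTP-style status code.
function cookieOnlyServer(req) {   // classic session cookie: CSRF-prone
  return req.headers.cookie === SESSION_COOKIE ? 200 : 401;
}
function headerOnlyServer(req) {   // bearer token in header: forged post lacks it
  return req.headers.authorization === `Bearer ${BEARER_TOKEN}` ? 200 : 401;
}
function fallbackServer(req) {     // the "cookie you missed": header OR cookie
  return headerOnlyServer(req) === 200 || cookieOnlyServer(req) === 200 ? 200 : 401;
}

// Runs one legitimate app XHR and one cross-site forged post against a policy.
function simulate(server) {
  const legit = browserRequest({ initiatedBy: "app", token: BEARER_TOKEN });
  const forged = browserRequest({ initiatedBy: "third-party" });
  return { legit: server(legit), forged: server(forged) };
}

// cookieOnly and fallback accept the forged post; headerOnly rejects it.
console.log(simulate(cookieOnlyServer), simulate(headerOnlyServer), simulate(fallbackServer));
```

The fallback policy is the one to look for when a scanner reports CSRF on a "token only" API: if any endpoint still honours a session cookie, the forged request goes through regardless of the header scheme.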
