Reputation: 831
I am trying to implement CSRF protection using CSRF token in one of my projects. I am new to this and was reading about sending CSRF token in a request to the server and found out that sending CSRF token as HTTP POST is recommended over GET. My question is:
If HTTP URL exposes the CSRF token in GET request, and the potential attacker can create the CSRF request using this CSRF token and attack using Javascript, then why can't he do the same when the CSRF token is stored as hidden field in a form? If my site has XSS vulnerability, then the attacker can get the token from hidden field and send the request along with that token.
Thanks in advance!!
Upvotes: 2
Views: 2743
Reputation: 67019
The answer to this problem comes from the Same-Origin Policy. Simply put: JavaScript on a malicious website cannot read the contents of a form on another site. It would be as if StackOverflow.com could read your email on gmail.com, and thankfully this is impossible.
A CSRF token sent via GET is considered harmful because the HTTP referer can leak the data to a 3rd-party domain. In order for this to work, an attacker would need to embed an image or a clickable link.
Also consider reviewing the CSRF Prevention Cheat Sheet.
Upvotes: 2