Zombiesplat

Reputation: 953

Is it a risk to put the CSRF Token in a GET request URL?

TL;DR Why is it bad to put a CSRF Token in the GET request parameter?

Setup of the problem.

I have a search form on a SaaS app where the CSRF token is being injected for every form including the GET forms. This seems bad to me, but I can't articulate why and I'm being asked to.

All traffic is encrypted, so the GET parameters can't be sniffed with Wireshark and scraped.

The worst scenario I can see here is some sort of social engineering where a malicious actor would ask someone to copy the URL and the user just hands it over without thinking it's dangerous.

Otherwise I can't really think of a scenario where a drive-by hack is possible without the hacker going through the trouble of setting up a man-in-the-middle scenario, in which case they would probably be set up to do worse things without that CSRF token.

What am I missing here?

Upvotes: 2

Views: 2855

Answers (1)

SPoint

Reputation: 600

Have a look at the OWASP CSRF Prevention Cheat Sheet, especially the section about Disclosure of Token in URL.

Upvotes: 1
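The cheat sheet section the answer points to is about the token ending up in places a URL is recorded: the server's access log and the Referer header the browser sends to the next page. As an added example (not part of the answer or of OWASP's material), here is a small scanner over constructed access-log lines that flags both channels; the log lines, hostnames and the list of token parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client - - [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Query-parameter names commonly used for anti-CSRF tokens (assumed; extend for your framework).
TOKEN_PARAMS = {"csrf_token", "_csrf", "csrfmiddlewaretoken", "authenticity_token", "_token"}

# Constructed sample: one search submitted as GET with the token in the query string,
# then a click from that results page (the browser sends the results URL as Referer),
# then a state-changing POST whose token travels in the body and never reaches the log.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=invoices&csrf_token=0f3a9c1e HTTP/1.1" '
    '200 5120 "https://app.example/dashboard" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /help HTTP/1.1" '
    '200 800 "https://app.example/search?q=invoices&csrf_token=0f3a9c1e" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /account/delete HTTP/1.1" '
    '302 0 "https://app.example/settings" "Mozilla/5.0"',
]


def token_params_in(url):
    """Return the token-like parameter names present in a URL's query string."""
    query = urlsplit(url).query
    return sorted(n for n in parse_qs(query, keep_blank_values=True) if n.lower() in TOKEN_PARAMS)


def find_token_leaks(lines):
    """Scan access-log lines and report each place a CSRF token was written to the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        # Channel 1: the token was sent as a GET query parameter, so it sits in the request line.
        if m["method"] == "GET":
            for name in token_params_in(m["target"]):
                findings.append({"channel": "request-url", "param": name,
                                 "path": urlsplit(m["target"]).path, "client": m["client"]})
        # Channel 2: the previous page's URL carried the token and the browser sent it as Referer.
        # Any external site linked from that page would receive the same header in its own logs.
        if m["referer"] not in ("", "-"):
            for name in token_params_in(m["referer"]):
                findings.append({"channel": "referer", "param": name,
                                 "path": urlsplit(m["referer"]).path, "client": m["client"]})
    return findings


if __name__ == "__main__":
    for f in find_token_leaks(SAMPLE_LOG):
        print(f"{f['channel']:12} {f['param']} in {f['path']} (client {f['client']})")
```

The POST line produces no finding because a token carried in the request body is not logged; that is the difference between injecting the token only into state-changing forms and injecting it into the GET search form as well.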
