Dion Snoeijen

Reputation: 333

CSRF Requesting the nonce makes malicious POST possible?

I am trying to wrap my head around csrf protection and there is something I have trouble understanding. Maybe someone can give me the insight I need :).

What I understand

Say we have no CSRF protection. Someone logs in to a website A with his/her credentials. After a valid login a session cookie is stored in the browser. The user POSTs some data through a form and the server accepts it with no trouble. Since we have no CSRF protection this opens the system up to a vulnerability.

The user visits another website B, a malicious website like a phishing attempt. This website is posting to website A in the background, with some JavaScript XHR request for example. The browser has the cookie stored for website A, and since the user was logged in already this is a valid session. Therefore website A will accept the POST without any trouble.

To solve this, CSRF protection comes in. Upon loading the page with the form on website A from the server, a nonce (one-time code) is generated. This code must be submitted with the form so the server can check that this POST came from the same session that requested the form. If the code is the same as the one that was just generated, the form is accepted. If the code is missing or incorrect, the server says no.

Question

If malicious website B first makes a GET request to the page that renders the form, it would be able to fetch the token to send along with the POST request afterwards. Right? Am I missing something obvious?

Thanks!

Upvotes: 0

Views: 222

Answers (1)

Sanders

Reputation: 271

I understand that your concern is that a malicious website can request your anti-CSRF token.

You would need to prevent cross-origin reads or embedding of pages or endpoints that return the CSRF tokens. One of the important things to keep in mind is that CORS doesn't provide CSRF protection, as preflight CORS requests are not always executed by the browser, for example when using regular HTML forms.

Most modern browsers block cross-origin requests by default. When you do need cross-origin requests for your own domains, you can do that by setting the correct Cross-Origin headers, like Access-Control-Allow-Origin: sub.domain.com. To prevent embedding in an iframe you can set X-Frame-Options to DENY or SAMEORIGIN.

You can find more information on https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

Upvotes: 1
