Vadim Samokhin

Reputation: 3456

CSRF protection

There is quite a lot written about preventing CSRF.

But I just don't get it: why can't I just parse the CSRF token out of the target page's form and submit it with my forged request?

Upvotes: 6

Views: 1090

Answers (4)

santon

Reputation: 1834

CSRF attacks are blind. They do session riding, and the attacker has no direct control unless he can extract the token via an XSS vulnerability. Normally a session-wide token can be used. Rotating tokens per request might be overkill and could lead to false alarms. I prefer to use tokens per resource with a master session token.

Upvotes: 1

Scott C Wilson

Reputation: 20026

Because the value of the CSRF token isn't known in advance.

Upvotes: 0

Joergi

Reputation: 1593

The CSRF token should be a totally different token every time, for every user and for every request, so it can never be guessed by an attacker.

For PHP, .NET and JavaScript, have a look at the OWASP CSRFGuard project. If you are working with Java and JSF 2.x, it is already safe against CSRF (as long as you use POST and not GET; for that you will have to wait for JSF 2.2). If you work without JSF, the HTTPUtilities interface from the OWASP ESAPI could also be very helpful!

Upvotes: 0

0x90

Reputation: 6259

If you are able to inject script code into the target page (XSS), then yes, you can do that, thus rendering the CSRF prevention useless.

The CSRF token has to be stored in the page the end-user receives (or he won't know it either).

In fact, in security assessments, XSS is usually evaluated not for its own damage potential but for its use in just such attacks.

Upvotes: 1
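As an added illustration, not code from any of the answers above, here is the server side of the check the answers describe: the token lives only in the page served to the logged-in user, so a cross-site request that carries the session cookie but not the token is refused. It uses santon's per-resource tokens derived from a master session token; the in-memory session store, the `/transfer` and `/profile` resource names and the form markup are constructed for the demo.

```python
import hashlib
import hmac
import re
import secrets

# Constructed in-memory session store (session_id -> master CSRF token);
# a real application keeps this in its server-side session.
SESSIONS = {}

def start_session():
    """Create a session and bind a random master CSRF token to it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id

def token_for(session_id, resource):
    """Per-resource token derived from the master token (santon's scheme). It cannot
    be computed without the master token, which only appears in pages served to
    the logged-in user's own browser."""
    master = SESSIONS[session_id].encode()
    return hmac.new(master, resource.encode(), hashlib.sha256).hexdigest()

def render_form(session_id, resource):
    """The form the user's browser receives, with the token as a hidden field."""
    return ('<form method="POST" action="%s">'
            '<input type="hidden" name="csrf" value="%s"></form>'
            % (resource, token_for(session_id, resource)))

def handle_post(cookie_session, resource, form):
    """Return an HTTP status; the session cookie alone is never enough."""
    if cookie_session not in SESSIONS:
        return 401
    expected = token_for(cookie_session, resource)
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(form.get("csrf", ""), expected):
        return 403
    return 200

def demo():
    sid = start_session()
    # Legitimate: the browser loaded the form, so the token is there to submit.
    page = render_form(sid, "/transfer")
    token = re.search(r'name="csrf" value="([^"]+)"', page).group(1)
    ok = handle_post(sid, "/transfer", {"csrf": token})
    # Forged cross-site request: the cookie rides along automatically, but the
    # attacker's page could not read the victim's form, so the field is a guess.
    forged = handle_post(sid, "/transfer", {"csrf": secrets.token_hex(32)})
    # A token lifted from another of the user's forms is bound to that resource.
    reused = handle_post(sid, "/transfer", {"csrf": token_for(sid, "/profile")})
    return ok, forged, reused
```

`demo()` returns `(200, 403, 403)`: only the request that submits the token rendered into the user's own form for that resource is accepted.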