Reply To: Why can’t someone scrape a CSRF token from a website to circumvent CSRF protection?

#359974

InverseX

Yes, the Same Origin Policy is the reason. An external site can’t host JavaScript that will read the CSRF token and process it with further requests.

Saying that, if you find an XSS vulnerability on the target site, that can be used to bypass the SOP (you’re now making JS requests from the site itself) and defeat CSRF tokens.

It’s the common case of low severity bugs coming together to make something more impactful.