This topic contains 1 reply, has 2 voices, and was last updated by InverseX 2 months, 1 week ago.
- February 7, 2021 at 4:35 am #359973
Hi there, I’m a beginner so sorry if this question is a bit “dumb”. As far as I understand CSRF tokens, it’s a random value that is implemented in the page and must be sent with a request, where it will be checked on the server to validate that it really is the client who makes the request. However, since it’s part of the web page it can be scraped and then be implemented in a request by itself. So why is it not possible to make a CSRF attack with a scraped token?
Edit: As I wrote the question the Same Origin Policy crossed my mind. Is that the reason?
- February 7, 2021 at 4:36 am #359974
Saying that, if you find an XSS vulnerability on the target site, that can be used to bypass the SOP (you’re now making JS requests from the site itself) and defeat CSRF tokens.
It’s the common case of low severity bugs coming together to make something more impactful.
- February 7, 2021 at 4:36 am #359975
Your question was answered. But I just wanted to say kudos for asking a good question and thinking it through. Well asked, and kudos to the lovely people who answered, with well written, understandable answers.
- February 7, 2021 at 4:36 am #359976
You can scrape CSRF tokens for your own / anonymous sessions without issue. From an attacker perspective, there’s nothing you can do with this without being able to reason the CSRF tokens from _others_. There are additional ways sites protect against CSRF related issues like requiring arbitrary headers to process requests or storing the CSRF tokens in a cookie and comparing that value with what’s supplied via the form submission.
- February 7, 2021 at 4:36 am #359977
Because CSRF tokens are generated for each session, sometimes for each web form. The token you can get is for your session/form only.
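As an added illustration (not code from any poster), here is a small Python model of the three server-side checks the replies above describe: a session-bound synchronizer token, the double-submit cookie comparison, and a required custom header. The session ids and secret are constructed values; the point it demonstrates is that a token scraped from the attacker's own session fails validation when replayed against another session.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; a real deployment would load it from config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer-token pattern: the token is an HMAC over the session id,
    so it is only valid for the session it was issued to."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def validate_synchronizer(session_id: str, submitted_token: str) -> bool:
    """Recompute the expected token for this session and compare in constant time."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted_token)


def validate_double_submit(cookies: dict, form: dict) -> bool:
    """Double-submit cookie pattern: the same random value must be present in a
    cookie (a cross-site page can neither read nor set it for this origin) and
    in the form body; a forged cross-site form cannot supply a matching pair."""
    cookie_tok = cookies.get("csrf", "")
    form_tok = form.get("csrf", "")
    return bool(cookie_tok) and hmac.compare_digest(cookie_tok, form_tok)


def validate_custom_header(headers: dict) -> bool:
    """Required custom header: a plain cross-site form post cannot add it, and a
    cross-origin XHR/fetch that tries to is subject to a CORS preflight."""
    return headers.get("X-Requested-With") == "XMLHttpRequest"


def scraped_token_scenario() -> dict:
    """Attacker scrapes a token from a page served to their own session, then
    tries to use it in a request that would run under the victim's session."""
    victim_session = "sess-victim-1111"      # constructed
    attacker_session = "sess-attacker-2222"  # constructed
    scraped = issue_csrf_token(attacker_session)
    return {
        "attacker_own_session": validate_synchronizer(attacker_session, scraped),
        "replayed_against_victim": validate_synchronizer(victim_session, scraped),
    }
```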
- February 7, 2021 at 4:36 am #359978
It is unique to requests so the scraping request would get a different csrf token from everyone else.