Why can’t someone scrape a CSRF token from a website to circumvent CSRF protection? – Digitalmunition
This topic contains 1 reply, has 2 voices, and was last updated by  InverseX 2 months, 1 week ago.

  • #359973

    anonymous
    Participant

    Hi there, I’m a beginner so sorry if this question is a bit “dumb”. As far as I understand CSRF tokens, it’s a random value that is implemented in the page and must be sent with a request, where it will be checked on the server to validate that it really is the client who makes the request. However, since it’s part of the web page it can be scraped and then be implemented in a request by itself. So why is it not possible to make a CSRF attack with a scraped token?

    Edit: As I wrote the question the Same Origin Policy crossed my mind. Is that the reason?

  • #359974

    InverseX

    Yes, the Same Origin Policy is the reason. An external site can’t host JavaScript that will read the CSRF token and process it with further requests.

    Saying that, if you find an XSS vulnerability on the target site, that can be used to bypass the SOP (you’re now making JS requests from the site itself) and defeat CSRF tokens.

    It’s the common case of low severity bugs coming together to make something more impactful.

  • #359975

    Quadling

    Your question was answered. But I just wanted to say kudos for asking a good question and thinking it through. Well asked, and kudos to the lovely people who answered, with well written, understandable answers.

  • #359976

    i_hacked_reddit

    You can scrape csrf tokens for your own / anonymous sessions without issue. From an attacker perspective, there’s nothing you can do with this without being able to reason the CSRF tokens from _others_. There are additional ways sites protect against CSRF related issues like requiring arbitrary headers to process requests or storing the csrf tokens in a cookie and comparing that value with what’s supplied via the form submission.

  • #359977

    __lt__

    Because CSRF tokens are generated for each session, sometimes for each web form. The token you can get is for your session/form only.

  • #359978

    cryptoscryptoknight

    It is unique to requests so the scraping request would get a different csrf token from everyone else.
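    The server-side checks the replies above describe (a token bound to one session, and the double-submit cookie comparison) as an added example that is not from any poster in this thread. The session ids, the secret and the `csrf` cookie/field names are constructed assumptions; the simulation plays out the question: a token scraped from the attacker's own session replayed in a request that carries the victim's cookies.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment keeps this out of source.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to one session: HMAC(secret, session_id).

    The page served to that session embeds this value in its forms; any
    other session (including an attacker's own) receives a different value.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def validate_synchronizer(session_id: str, submitted_token: str) -> bool:
    """The submitted token must match the one bound to the session that the
    request's session cookie identifies."""
    return hmac.compare_digest(issue_csrf_token(session_id), submitted_token)


def validate_double_submit(cookies: dict, form: dict) -> bool:
    """Double-submit cookie variant: the csrf cookie the browser attaches
    automatically must equal the token carried in the form body."""
    cookie_token = cookies.get("csrf", "")
    form_token = form.get("csrf", "")
    return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)


def simulate_scraped_token(victim_session: str, attacker_session: str) -> dict:
    """Attacker scrapes a token from their own session and replays it in a
    cross-site request that the browser sends with the victim's cookies."""
    victim_token = issue_csrf_token(victim_session)
    scraped_token = issue_csrf_token(attacker_session)
    return {
        # Legitimate form submitted from the victim's own page.
        "victim_own_token_accepted": validate_synchronizer(victim_session, victim_token),
        # Cross-site form: victim's session cookie, attacker's scraped token.
        "scraped_token_accepted": validate_synchronizer(victim_session, scraped_token),
        # Double-submit: browser sends victim's csrf cookie, form carries scraped token.
        "double_submit_scraped_accepted": validate_double_submit(
            {"csrf": victim_token}, {"csrf": scraped_token}
        ),
        "double_submit_legit_accepted": validate_double_submit(
            {"csrf": victim_token}, {"csrf": victim_token}
        ),
    }
```

Both variants reject the scraped token because the check is anchored to state the attacker's page cannot read: the victim's session on the server, or the victim's cookie value that the Same Origin Policy keeps away from cross-site script.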
