Why can’t someone scrape a CSRF token from a website to circumvent CSRF protection? – Digitalmunition


This topic contains 1 reply, has 2 voices, and was last updated by  InverseX 2 months, 1 week ago.

  • #359973


    Hi there, I’m a beginner so sorry if this question is a bit “dumb”. As far as I understand CSRF tokens, it’s a random value that is implemented in the page and must be sent with a request, where it will be checked on the server to validate that it really is the client who makes the request. However, since it’s part of the web page it can be scraped and then be implemented in a request by itself. So why is it not possible to make a CSRF attack with a scraped token?

    Edit: As I wrote the question the Same Origin Policy crossed my mind. Is that the reason?

  • #359974


    Yes, the Same Origin Policy is the reason. An external site can’t host JavaScript that will read the CSRF token and process it with further requests.

    Saying that, if you find an XSS vulnerability on the target site, that can be used to bypass the SOP (you’re now making JS requests from the site itself) and defeat CSRF tokens.

    It’s the common case of low severity bugs coming together to make something more impactful.

  • #359975


    Your question was answered. But I just wanted to say kudos for asking a good question and thinking it through. Well asked, and kudos to the lovely people who answered, with well written, understandable answers.

  • #359976


    You can scrape CSRF tokens for your own / anonymous sessions without issue. From an attacker perspective, there’s nothing you can do with this without being able to reason the CSRF tokens from _others_. There are additional ways sites protect against CSRF related issues like requiring arbitrary headers to process requests or storing the CSRF tokens in a cookie and comparing that value with what’s supplied via the form submission.

  • #359977


    Because CSRF tokens are generated for each session, sometimes for each web form. The token you can get is for your session/form only.

  • #359978


    It is unique to requests so the scraping request would get a different csrf token from everyone else.
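The replies above (#359974 on the XSS bypass, #359976 on per-session tokens, custom headers and the double-submit cookie, and #359977/#359978 on tokens being bound to one session) can be checked against a small server-side model. The following is an added example, not code posted in this thread and not any real framework's implementation; the names (SERVER_KEY, SESSIONS, handle_transfer, handle_api, simulate) and the in-memory session store are assumptions made for the demonstration, and the cookie and form dictionaries stand in for what a browser would send. It derives each session's token as an HMAC over the session id, lets an anonymous "attacker" scrape a token from their own view of the form, and then shows why replaying that token with the victim's cookie fails, why the victim's own submission and a same-origin XSS submission succeed, and how the double-submit-cookie and custom-header variants behave.

```python
"""Model of per-session CSRF tokens vs. a scraped token (constructed example, not a real framework)."""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# Constructed: a server-side secret. A real app loads this from config; it never reaches the page.
SERVER_KEY = secrets.token_bytes(32)

# session id -> username (None means an anonymous visitor)
SESSIONS: dict[str, str | None] = {}


def new_session(user: str | None = None) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    return sid


def csrf_token_for(session_id: str) -> str:
    # HMAC over the session id: stable within one session, and not computable
    # for anyone else's session without SERVER_KEY.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str) -> str:
    # This is all a scraper ever sees: the token bound to the *requesting* session.
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf" value="{csrf_token_for(session_id)}">'
        '<input name="to"><input name="amount"></form>'
    )


def scrape_token(html: str) -> str | None:
    m = re.search(r'name="csrf" value="([0-9a-f]{64})"', html)
    return m.group(1) if m else None


def handle_transfer(cookies: dict, form: dict) -> tuple[int, str]:
    """Synchronizer-token check: the form token must match the token of the cookie's session."""
    sid = cookies.get("sid", "")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "no authenticated session"
    if not hmac.compare_digest(form.get("csrf", ""), csrf_token_for(sid)):
        return 403, "csrf token does not belong to this session"
    return 200, f"transfer by {user}"


def handle_transfer_double_submit(cookies: dict, form: dict) -> tuple[int, str]:
    """Double-submit cookie: the csrf cookie must equal the form field; no server-side state."""
    cookie_tok, form_tok = cookies.get("csrf", ""), form.get("csrf", "")
    if not cookie_tok or not hmac.compare_digest(cookie_tok, form_tok):
        return 403, "csrf cookie and form value differ"
    return 200, "ok"


def handle_api(headers: dict) -> tuple[int, str]:
    """Custom-header check: an HTML form cannot add headers, and cross-origin JS would need a
    CORS preflight the server does not grant, so only same-origin code can supply it."""
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, "missing custom header"
    return 200, "ok"


def simulate() -> dict[str, int]:
    """Constructed scenario; returns the HTTP status each request would get."""
    victim = new_session("alice")
    attacker = new_session()  # anonymous scraper, never logs in

    # 1. Attacker scrapes a token from their own rendering of the form.
    scraped = scrape_token(render_form(attacker))
    # 2. Forged cross-site POST: the victim's browser attaches alice's cookie automatically,
    #    but the form carries the attacker's token, which belongs to a different session.
    forged = handle_transfer({"sid": victim}, {"csrf": scraped, "to": "mallory", "amount": "1000"})
    # 3. Alice submits the form rendered inside her own session.
    alice_tok = scrape_token(render_form(victim))
    legit = handle_transfer({"sid": victim}, {"csrf": alice_tok, "to": "bob", "amount": "5"})
    # 4. XSS on the target origin: injected script runs same-origin, so the SOP lets it read
    #    alice's token from the page and submit it. The token check cannot tell this apart.
    xss = handle_transfer({"sid": victim}, {"csrf": alice_tok, "to": "mallory", "amount": "1000"})
    # Double-submit: a cross-site page can neither read nor set the origin's csrf cookie,
    # so it cannot produce a matching pair; same-origin code can.
    ds_forged = handle_transfer_double_submit({"csrf": "c0ffee"}, {"csrf": scraped})
    ds_legit = handle_transfer_double_submit({"csrf": "c0ffee"}, {"csrf": "c0ffee"})
    return {
        "forged": forged[0],
        "legit": legit[0],
        "xss": xss[0],
        "double_submit_forged": ds_forged[0],
        "double_submit_legit": ds_legit[0],
        "api_without_header": handle_api({})[0],
        "api_with_header": handle_api({"X-Requested-With": "XMLHttpRequest"})[0],
    }


if __name__ == "__main__":
    for name, status in simulate().items():
        print(f"{name}: {status}")
```

The point the model makes concrete: the scraped token is a valid token, just for the wrong session, so the synchronizer check rejects it; the only request that passes with the victim's cookie is one whose token was read from the victim's own page, which the SOP confines to same-origin code (the victim's form, or an XSS payload running on the target).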
