
I know they say CSRF tokens are the most secure way to prevent CSRF attacks, but what if someone uses XHR to retrieve the page containing the CSRF token along with the form and then uses that token for his attacks?

Why don't they say the "Referer" header is the most secure way to prevent CSRF attacks? After all, nearly 99% of the currently in-use browsers will provide the "Referer" header, and the attacker cannot change it in any way. (Yes, he can't, unless the browser/OS itself is compromised.)

Now that I protect my website using the "Referer" header, do I really need CSRF tokens? All my important requests use the POST and not the GET method.

rez

1 Answer


... but what if someone uses XHR to retrieve the page containing the csrf token

The capabilities of such a cross-site XHR are restricted by the Same Origin Policy and could be extended by CORS. Without CORS explicitly allowing cross-site reading and also sending of the credentials (session cookie) it would not be possible for an attacker to do an XHR where the attacker can read the response in the first place and where CSRF tokens in the response are associated with an existing user session.

In other words: you will not be able to get useful CSRF tokens through your proposed cross-site XHR unless the server explicitly allows it.

Steffen Ullrich
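Added example (not part of the question or of Steffen Ullrich's answer): a small Python model of the three mechanisms discussed above. `browser_may_read_response` is a simplified rendering of the browser-side Same Origin Policy / CORS decision (an assumption, not the Fetch specification verbatim): it shows why a cross-site XHR with cookies attached never gets to read the page that carries the token unless the server opts in with both `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials`. `referer_check_passes` is the Origin/Referer check the question proposes, and `csrf_token_valid` is a session-bound synchronizer token; `handle_post` applies both as defence in depth. The origins, headers and session values are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def origin_of(url):
    """scheme://host[:port] of a URL: the unit the Same Origin Policy compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def browser_may_read_response(page_origin, target_url, with_credentials, response_headers):
    """Simplified model (assumption, not the Fetch spec verbatim) of whether a
    script running at page_origin may read the response of an XHR/fetch to
    target_url. Same-origin responses are always readable; cross-origin ones
    only when the server opts in with CORS headers."""
    if origin_of(target_url) == page_origin.lower():
        return True
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        # A credentialed request needs an exact origin match plus an explicit
        # opt-in; the wildcard "*" is rejected by the browser in this case.
        return (acao == page_origin
                and response_headers.get("Access-Control-Allow-Credentials") == "true")
    return acao == "*" or acao == page_origin


def referer_check_passes(headers, site_origin):
    """Origin/Referer check for state-changing requests. Origin is preferred
    (browsers send it on cross-site POSTs); Referer is the fallback. A request
    carrying neither is rejected rather than trusted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return origin_of(source) == site_origin.lower()


def issue_csrf_token(session):
    """Generate a per-session synchronizer token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    """Constant-time comparison of the submitted token with the session's copy."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session, headers, form, site_origin):
    """Defence in depth for a state-changing POST: both checks must pass."""
    if not referer_check_passes(headers, site_origin):
        return (403, "origin/referer mismatch or missing")
    if not csrf_token_valid(session, form.get("csrf_token")):
        return (403, "csrf token missing or invalid")
    return (200, "ok")


# Constructed sample data: a victim session at bank.example and an attacker page.
SITE = "https://bank.example"
ATTACKER = "https://attacker.example"


def demo():
    session = {}
    token = issue_csrf_token(session)

    # 1. Cross-site XHR from the attacker's page with cookies attached: the server
    #    sent no CORS opt-in, so the browser never hands the response (and the
    #    token inside it) to the attacker's script.
    readable = browser_may_read_response(ATTACKER, SITE + "/account", True, {})

    # 2. Forged POST from the attacker's page: Origin/Referer give it away, and
    #    the guessed token would fail anyway.
    forged = handle_post(session,
                         {"Origin": ATTACKER, "Referer": ATTACKER + "/evil.html"},
                         {"csrf_token": "guess"}, SITE)

    # 3. Legitimate POST from the site's own form with the session's token.
    legit = handle_post(session,
                        {"Referer": SITE + "/transfer"},
                        {"csrf_token": token}, SITE)
    return readable, forged, legit


if __name__ == "__main__":
    print(demo())
```

Two design choices worth noting: a missing Origin and Referer is treated as a failure, which is the behaviour the question's Referer-only scheme implies for the browsers that strip the header, and the token check is kept even though the Referer check already rejected the forged request, so that either control failing (a proxy stripping Referer, a token leaking through an over-permissive CORS policy) leaves the other in place.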