
If I know the value of the victim's bearer token, can I generate a GET CSRF page and set a custom Authorization: Bearer [token] header?

apex

2 Answers


If you know the Bearer Token, CSRF is not necessary anymore*.

The purpose of a CSRF attack is to get the victim to send a request (and by extension, to cause an effect), including their own authorization. As a result, the attacker can cause authorized effects without ever knowing the authorization credentials.

If you have access to the Bearer Token, which is what is used to authorize a request (and by extension, an effect), then the server can't differentiate between the attacker sending the request and the victim sending the request.

What if I can't reach the server?

Ah, you've seen the little asterisk in the above title. Sometimes, you are in a position where the victim can access a server - perhaps an internal server - and you as the attacker can't. In such a case, even with the Bearer Token, you will not be able to communicate directly with the server, and you will not be able to abuse a CSRF attack to cause your victim to send a request on your behalf...yet.

Why yet?

We rely on this being impossible because forms can't set custom HTTP headers. We don't know what browsers will be like in 10 years. Some people rely on using PUT for "sensitive" information to "protect against CSRF", and while it is true that you can't use a form to send a PUT request right now, we can't guarantee that we will never be able to send PUT requests via forms.

Likewise, if our security depends on the fact that browsers don't enable us to set custom headers, and nothing else, then our security is effectively defeated as soon as a browser vendor decides that this is the next cool thing they implement.


The authorization token alone is often sufficient to impersonate the user, so you likely don't need CSRF at all. CSRF is only typically useful when you don't have credentials, but can get an authenticated user to visit your website.

If for some reason you did need to set a header in a CSRF page, you would likely trigger a preflight request, which will be denied due to the same-origin policy and header checks.

multithr3at3d
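The browser behaviour both answers lean on (a form can only produce a "simple" cross-origin request, and a custom Authorization header or a PUT method forces a CORS preflight that the target server must approve) can be made concrete. The following is an added example, not code from either answer or from the question. It models the relevant rules of the WHATWG Fetch standard (CORS-safelisted methods and headers, the preflight check, and the rule that Authorization is never covered by a `*` wildcard) in simplified form; the origins, the token and the server responses are constructed for illustration.

```javascript
// Added example, not code from the original Q&A. Models the browser-side rules
// that decide whether a cross-origin request is "simple" (what an HTML <form>
// can produce, no preflight) or needs a CORS preflight, following the WHATWG
// Fetch standard's CORS-safelisted method/header definitions in simplified form.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const FORM_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

function splitList(value) {
  return (value || '').split(',').map(s => s.trim()).filter(Boolean);
}

// Header names that are not CORS-safelisted. Content-Type only counts as
// safelisted when its MIME type is one a form can send (parameters ignored).
function unsafeHeaderNames(headers) {
  const unsafe = [];
  for (const [rawName, value] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    if (!SAFELISTED_HEADERS.has(name)) { unsafe.push(name); continue; }
    if (name === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!FORM_CONTENT_TYPES.has(mime)) unsafe.push(name);
    }
  }
  return unsafe;
}

// True when the browser must send an OPTIONS preflight before the real request,
// i.e. the request is NOT something a plain <form> submission could produce.
function needsPreflight(req) {
  return !SAFELISTED_METHODS.has(req.method.toUpperCase()) || unsafeHeaderNames(req.headers).length > 0;
}

// Decide whether the browser would let the real request through, given the
// server's preflight response. `allow` = { origin, methods, headers } mirrors
// Access-Control-Allow-Origin / -Methods / -Headers. When the request carries
// credentials (cookies), no wildcard is accepted anywhere.
function preflightAllowed(req, allow, credentialsInclude = false) {
  const wildcardOk = !credentialsInclude;
  if (allow.origin !== req.origin && !(allow.origin === '*' && wildcardOk)) return false;

  const method = req.method.toUpperCase();
  const methods = splitList(allow.methods).map(m => m.toUpperCase());
  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method) && !(methods.includes('*') && wildcardOk)) return false;

  const headers = splitList(allow.headers).map(h => h.toLowerCase());
  for (const name of unsafeHeaderNames(req.headers)) {
    // Authorization is a "CORS non-wildcard request-header name": "*" never covers it.
    const byWildcard = headers.includes('*') && wildcardOk && name !== 'authorization';
    if (!headers.includes(name) && !byWildcard) return false;
  }
  return true;
}

// Constructed scenarios (origins and token are made up for this example).
const ATTACKER = 'https://attacker.example';
const STOLEN_TOKEN = 'eyJhbGciOi.example.token';

// Classic CSRF: an auto-submitting <form> on the attacker's page.
const formPost = { origin: ATTACKER, method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' } };
// What the question asks for: a GET carrying the victim's Bearer token.
const bearerGet = { origin: ATTACKER, method: 'GET', headers: { Authorization: `Bearer ${STOLEN_TOKEN}` } };
// A PUT with a form body: the method alone forces a preflight.
const putForm = { origin: ATTACKER, method: 'PUT', headers: { 'Content-Type': 'application/x-www-form-urlencoded' } };

function demo() {
  return {
    formPostNeedsPreflight: needsPreflight(formPost),
    bearerGetNeedsPreflight: needsPreflight(bearerGet),
    putFormNeedsPreflight: needsPreflight(putForm),
    // A permissive-looking server: "*" for origin and headers still blocks Authorization.
    wildcardServerAllows: preflightAllowed(bearerGet, { origin: '*', headers: '*' }),
    // Only a server that names the attacker origin AND lists Authorization lets it through.
    misconfiguredServerAllows: preflightAllowed(bearerGet, { origin: ATTACKER, headers: 'Authorization' }),
  };
}

console.log(demo());
```

Run it with `node`. The takeaway for the question: the GET-with-Bearer request cannot come from a form at all, and when sent with `fetch` it is only delivered if the internal server's preflight response names the attacker's origin and lists `Authorization` explicitly, which is a CORS misconfiguration on the server rather than CSRF. As the first answer warns, the form and preflight rules are browser behaviour, not something the server should rely on in place of validating the token itself.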