
I have been reading all over the internet that I should have a CSRF token on my page and that this will protect it from CSRF.

However, I can imagine a scenario where anti-CSRF is not helpful. Is my understanding wrong somewhere? The scenario is the following.

My website (example.com) has a form with an anti-CSRF-token field on it. The attacker creates his own page (example2.com), on which he places JS code that does the following in the background:

  • submit a GET request to 'example.com'
  • scrape the anti-CSRF token out of the response (since he can see the structure of the page by using it himself)
  • make a malicious request to 'example.com' including the scraped value of the token, so that my server cannot know that the request is not valid

Now, if such a scenario is possible, it would mean that the whole CSRF-token protection is useless!

ironic
  • 135
  • 3

1 Answer

CSRF tokens are unique for each user and stored on either the server or client side. This means an attacker would have to guess the value of your CSRF token to attack you. If the token is generated using a cryptographically secure PRNG, a basic attack like the one you describe is not possible.

zinfandel
  • 1,233
  • 8
  • 10
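To make the answer's point concrete, here is an added example (not code from the question or the answer) of a synchronizer-token check in Python: each session gets its own unguessable token, and a state-changing request is accepted only if the token it carries matches the one bound to the session whose cookie arrived with it. The in-memory session store, the handler names and the demo flow are constructed for this illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf": token}
SESSIONS: dict[str, dict] = {}

def create_session(user: str) -> str:
    """Start a session and bind a fresh, unguessable CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return session_id

def render_form(session_id: str) -> str:
    """Embed the session's own token in the form, as the site's HTML would."""
    token = SESSIONS[session_id]["csrf"]
    return f'<input type="hidden" name="csrf_token" value="{token}">'

def handle_post(session_cookie: str, form: dict) -> tuple[int, str]:
    """State-changing handler: accept only if the submitted token equals the
    token bound to the *submitting* session. Constant-time comparison."""
    session = SESSIONS.get(session_cookie)
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "csrf token mismatch"
    return 200, f"ok: action performed for {session['user']}"

def demo() -> dict:
    """Replay the question's scenario against the check above."""
    victim = create_session("victim")
    attacker = create_session("attacker")
    # The attacker loads the form in HIS OWN session and scrapes that token.
    scraped = render_form(attacker).split('value="')[1].rstrip('">')
    # The forged cross-site request arrives with the VICTIM's cookie (the
    # browser attaches it automatically) but carries the attacker's token.
    forged = handle_post(victim, {"csrf_token": scraped})
    # A forged request that omits the token entirely.
    blank = handle_post(victim, {})
    # A legitimate submission from the victim's own rendered page.
    legit_token = SESSIONS[victim]["csrf"]
    legit = handle_post(victim, {"csrf_token": legit_token})
    return {"forged": forged[0], "blank": blank[0], "legit": legit[0]}
```

The token the attacker can obtain is the one bound to his own session, so it fails the check for the victim's session; the victim's token is never readable from example2.com because the browser's same-origin policy blocks reading cross-origin responses.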