Perhaps a stupid question, but I'm not getting it. If the CSRF token is stored in a hidden form field, what prevents the attacker's website from downloading the HTML page, parsing the token, and then using it in the link / attack?

  • And each session has its own. You don't just get someone else's token. - VladD
  • @VladD Why? Well, for example, I logged in to the site. On site.com/profile/delete there is a form and a button for deleting the page. I opened a new tab with a malicious site. The malicious site calls file_get_contents on the page site.com/profile/delete, receives the token from there (after all, we are logged in) and makes a POST delete request. - GroZa
  • Let's say you logged in on site X. And I also logged in. And we both visited the malicious site Y. Now site Y sends a request to site X. How does site X know that this means an attack on your account, and give it your token, not mine? Answer: it doesn't; it will ask for a username and password. - VladD
  • @VladD Wait a minute. If Y receives the HTML code of page X, doesn't it get the token of the user who is logged in? That is, Y opened on your computer will receive your token, and on mine, mine? - GroZa
  • @GroZa if you had at least opened the wiki and read about CSRF, there would be no such questions - ru.wikipedia.org/wiki/… A CSRF token protects against forged requests by a third party. I.e. so that, for example, I cannot send a request on your behalf. And in your example you receive your own token and make a request on your own behalf. - Alexander Andreev
