Good afternoon everyone. I have read a lot about CSRF and that, to protect against this attack, it is advised to use tokens: https://learn.javascript.ru/csrf, Wikipedia, etc.

But what does the protection consist of? If the user is logged in to a system, say, Internet banking, and the essence of CSRF lies in the user being logged in to that system, what prevents someone from fetching the relevant Internet banking form and pulling the necessary Anti-CSRF token out of it?

Code example:

```html
<form action="http://localhost/csrf/" method="GET">
    New password:<br />
    <input type="password" AUTOCOMPLETE="off" name="password_new"><br />
    Confirm new password:<br />
    <input type="password" AUTOCOMPLETE="off" name="password_conf"><br />
    <br />
    <input type="submit" value="Change" name="Change">
    <input type="hidden" name='user_token' value='' />
</form>

<div id="token" style="display:none"></div>

<script type="text/javascript">
    // Request the bank page and place its HTML into the hidden div
    xmlhttp = new XMLHttpRequest();
    xmlhttp.open("GET", "http://bank.com/", false);
    xmlhttp.send();
    var token = document.getElementById("token");
    token.innerHTML = xmlhttp.responseText;
    // Copy the token from the loaded bank form into our own form
    tokens = document.getElementsByName('user_token');
    tokens[0].value = tokens[1].value;
</script>
```

What, then, does token protection consist of?

What other protection methods do you know?

    1 answer

    You cannot make such a request through JavaScript, because the browser denies access to a third-party resource via Ajax.

    Cross-domain requests are subject to special security controls, the purpose of which is to prevent evil hackers from conquering the Internet.

    The developers of the standard provided all the barriers so that the “hacker” could not perform such actions.

    More information about the domain restriction rule (origin policy)

    • Thank you very much for the clarification. - user2264941
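
The mechanism discussed in this thread, as an added example that is not part of the original question or answer: a server-side per-session token check for the password-change form, next to a simplified model of the browser rule that decides whether a script on another origin may read the page holding the token. The names `csrfTokens`, `handlePasswordChange` and `scriptMayReadResponse`, the origins and the session id are assumptions made for the example, and the read check covers only credentialed XHR responses.

```javascript
const crypto = require('node:crypto');

// Server-side session store (constructed for the demo): session id -> CSRF token.
const csrfTokens = new Map();

// Called when the bank renders the form; the value goes into the hidden user_token field.
function issueCsrfToken(sessionId) {
  const token = crypto.randomBytes(32).toString('hex');
  csrfTokens.set(sessionId, token);
  return token;
}

// Constant-time comparison of the submitted token with the one stored for this session.
function verifyCsrfToken(sessionId, submitted) {
  const expected = csrfTokens.get(sessionId);
  if (typeof expected !== 'string' || typeof submitted !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(submitted);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Password-change handler: the session cookie alone is not enough.
function handlePasswordChange(req) {
  if (req.method !== 'POST') return 405; // this example's choice: no state change over GET
  if (!verifyCsrfToken(req.sessionId, req.body.user_token)) return 403;
  return 200;
}

// Simplified model of the browser rule the answer refers to: may a script on
// pageOrigin read a credentialed XHR response from targetOrigin?
function scriptMayReadResponse(pageOrigin, targetOrigin, headers) {
  if (pageOrigin === targetOrigin) return true; // same origin: always readable
  return headers['access-control-allow-origin'] === pageOrigin &&
         headers['access-control-allow-credentials'] === 'true';
}

// Constructed scenario: one logged-in session, requests with and without the token.
function demo() {
  const sessionId = 'sess-victim-constructed';
  const token = issueCsrfToken(sessionId);
  const evil = 'https://evil.example', bank = 'https://bank.example';
  return {
    legit: handlePasswordChange({ method: 'POST', sessionId, body: { user_token: token } }),
    forged: handlePasswordChange({ method: 'POST', sessionId, body: { user_token: '' } }),
    overGet: handlePasswordChange({ method: 'GET', sessionId, body: { user_token: token } }),
    readDefault: scriptMayReadResponse(evil, bank, {}),
    readWeakCors: scriptMayReadResponse(evil, bank, {
      'access-control-allow-origin': evil, 'access-control-allow-credentials': 'true' }),
  };
}
```

The `readWeakCors` case is the caveat to check on the server: if the site echoes an arbitrary origin in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, the page carrying the token becomes readable cross-origin and the token no longer protects the form.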