+ 3
Why doesn't a Hacker Have access to the CSRF Token?
If the user presses a malicious link which makes the user do an operation on a site that the user is already logged into(transferring money for example)... the session ID and the CSRF Token are being sent in the http request. Session ID for authentication of which user is sending the request, and the Token to prevent a CSRF attack. So why is the CSRF Token considered safe? The hacker doesn't need to know it anyways.. like he doesn't need to know the session ID. (It'll be considered safe only if the hacker sends a link that redirects the user to his malicious website that sends the http request... that way the hacker will need to know what's the Token...)
4 Answers
+ 2
Jazz right, but what if a hacker sends a link to the real bank site (for example..), but the URL parameters will make a transfer to the hacker's account.
This http request is sent from the original site, so will the csrf token protect here?
And when is a new csrf Token being generated? How often?
+ 1
Jazz that's not what I meant :)
Let's say a hacker sends a link like so:
http://bank.com/transfer?to_user=attacker&amount=10000
That link is the real link of the bank.
The hacker assumes that the victim is logged into his account while clicking the link.
The money transaction will execute immediately (if there is no security as typing your username and password again, secret code etc..).
The CSRF Token is useless in this case, am I right?
+ 1
Jazz I understand, let me just make sure though:
When clicking a link that redirects you to an attackers site which sends a request to the real bank site - it won't be able to work because the hacker doesn't know what is the CSRF Token and thus it's not in the form and the request won't work.
And when clicking a link to the real bank site, the url must contain the csrf Token (if it's a secure bank site), thus the hacker won't know it and the link won't work.
Am I right?
+ 1
Jazz Thanks for your help and patience, have a good day :)