
I am trying to implement CSRF protection using a CSRF token in one of my projects. I am new to this and was reading about sending the CSRF token in a request to the server, and found out that sending the CSRF token in an HTTP POST is recommended over GET. My question is:

If the HTTP URL exposes the CSRF token in a GET request, and the potential attacker can create the CSRF request using this CSRF token and attack using JavaScript, then why can't he do the same when the CSRF token is stored as a hidden field in a form? If my site has an XSS vulnerability, then the attacker can get the token from the hidden field and send the request along with that token.

Thanks in advance!!

Vikas Mangal
  • Why do you need csrf protection on get requests? – PeeHaa Sep 03 '16 at 19:17
  • I don't need it, but in future I might want to send the token in the URL exposed as a simple anchor tag. – Vikas Mangal Sep 03 '16 at 19:19
  • Why would you do that? What is the point of it? Related: http://stackoverflow.com/questions/3477333/what-is-the-difference-between-post-and-get – PeeHaa Sep 03 '16 at 19:34
  • Also I suggest to read up on what CSRF is because there is no (need for) JS (to be) involved. – PeeHaa Sep 03 '16 at 19:36

1 Answer

The answer to this problem comes from the Same-Origin Policy. Simply put: JavaScript on a malicious website cannot read the contents of a form on another site. It would be as if StackOverflow.com could read your email on gmail.com, and thankfully this is impossible.

A CSRF token sent via GET is considered harmful because the HTTP referer can leak the data to a 3rd-party domain. In order for this to work, an attacker would need to embed an image or a clickable link.

Also consider reviewing the CSRF Prevention Cheat Sheet.

rook
  • Yes, but the data (CSRF token) can also be leaked if my site has an XSS vulnerability and the attacker injects JavaScript to read that token. Right? – Vikas Mangal Sep 04 '16 at 18:53
  • @Vikas Mangal Of course, because XSS is a full SOP bypass. Please refer to the CSRF Prevention Cheat Sheet, as XSS's ability to bypass CSRF protection strategies is covered in greater detail. – rook Sep 04 '16 at 19:34
  • A GET CSRF token will land in server logs, then it might be exploited by chaining HTTP referer + open redirect attack. MitM and access to server logs are too overpowered exploits which are more severe by themselves than a simple CSRF token leak. But "HTTP referer + open redirect attack" is imho a valid attack vector. You could use just a different token only for this specific GET request and renew it every time - if it leaks ... no problem - you'll just get a new one from the server. – Awaaaaarghhh Apr 15 '20 at 09:39
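The two patterns discussed above, as an added example that is not code from the question, the answer or any of the commenters: a synchronizer token carried in a hidden form field and checked on POST (the token never appears in a URL, so the Referer header carries only the page address), and, following the last comment, a separate single-use token for a GET link that is consumed on first use so a copy that leaks through the Referer or a server log is worthless for replay. The session store is an in-memory dict, the host `example.test` and the `/delete` path are constructed placeholders, and `token_in_referer` models a browser that sends the full URL as the Referer, which is the leak the answer refers to.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a server-side session: in a real app this lives in
# the session backend and is never readable by another origin's JavaScript.
def new_session():
    return {"csrf_token": secrets.token_urlsafe(32), "one_time_tokens": set()}

def csrf_hidden_field(session):
    """Synchronizer-token pattern: the token is rendered into the form body.
    The Same-Origin Policy stops a malicious site reading this field."""
    return f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'

def verify_post(session, form):
    """Accept a state-changing POST only if the submitted token matches.
    compare_digest avoids a timing side channel on the comparison."""
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted, session["csrf_token"])

def issue_one_time_token(session):
    """Per-link token for a GET action (the commenter's suggestion): separate
    from the form token and valid for exactly one use."""
    token = secrets.token_urlsafe(32)
    session["one_time_tokens"].add(token)
    return token

def verify_get(session, url):
    """Consume the token on first use; a replayed or leaked copy is rejected."""
    query = parse_qs(urlsplit(url).query)
    token = query.get("token", [""])[0]
    if token and token in session["one_time_tokens"]:
        session["one_time_tokens"].remove(token)
        return True
    return False

def token_in_referer(page_url):
    """Model the Referer a third-party host receives when the page at page_url
    embeds its image or link: the full URL, query string included. Returns the
    token the third party could read, or None when the URL carries none."""
    referer = page_url  # full-URL referrer policy, the case the answer describes
    query = parse_qs(urlsplit(referer).query)
    return query.get("token", [None])[0]

if __name__ == "__main__":
    s = new_session()
    print(csrf_hidden_field(s))
    print("POST with token ok:", verify_post(s, {"csrf_token": s["csrf_token"]}))
    print("POST without token ok:", verify_post(s, {}))
    link = "https://example.test/delete?id=7&token=" + issue_one_time_token(s)
    print("Referer leaks:", token_in_referer(link) is not None)
    print("first GET ok:", verify_get(s, link), "replay ok:", verify_get(s, link))
```

The hidden-field token still falls to XSS, as rook's comment says: script running in the page's own origin can read the field, so the token only separates "another site" from "this site", not "this site" from an attacker who already executes code in it.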