Answer the question
In order to leave comments, you need to log in
Csrf attacks. Anti-csrf token - a panacea?
I ran into the problem of Csrf attacks on my site.
Read how to get rid of it. Everywhere they write that they use Anti-csrf token and that, allegedly, it is guaranteed to save.
How the attack is performed now:
The user of my site is sent a link, he follows it, a POST request is made to my site, where some actions are performed on his behalf.
With Anti-csrf token: what prevents you from first making a request to the page where this token is generated, and then making a POST request with the same token in the same way?
Answer the question
In order to leave comments, you need to log in
Because you can send a form to another site, but you can't read exactly what data was returned by this form, and in general you can't download and read arbitrary data from another site. Of course, if you allow ajax from any origin, then an attacker can easily execute and read the token.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question