XSS
redya69, 2015-01-26 23:34:46

CSRF attacks. Anti-CSRF token - a panacea?

I ran into the problem of CSRF attacks on my site.
I read up on how to get rid of it. Everywhere they write that they use an anti-CSRF token and that, allegedly, it is guaranteed to save you.
How the attack is performed now:
A user of my site is sent a link, he follows it, a POST request is made to my site, where some actions are performed on his behalf.
With an anti-CSRF token: what prevents you from first making a request to the page where this token is generated, and then making a POST request with the same token in the same way?


1 answer
SagePtr, 2015-01-27
@redya69

Because you can submit a form to another site, but you cannot read exactly what data that form returned, and in general you cannot download and read arbitrary data from another site. Of course, if you allow AJAX from any origin, then an attacker can easily make the request and read the token.
