CSRF secret key, eternal session?
Hello everyone, I'm interested in protection against CSRF attacks.
Everything would be fine: when the session is initialized, I generate a unique token, insert it into all forms and check it before processing, but here is what I don't understand.
Wouldn't such an attack still work?
Since the attack passes checks like authorization and so on, won't it pass the token check too?
Here is an example:
I went to the bank's website, logged in, a unique token was generated for protection, it is in session.
I go to the site where there is a post with a picture:
look at the picture <img src=" bank.example .com/peredat=100000&for=komu-to.. " alt="check me">
No, it wouldn't work. If the token is issued by a POST request, then it will not be possible to get it from the victim's browser.
1. I went to the page with the form; the token was generated.
2. I didn't do anything and left the site.
3. I went to the attacker's site with the same picture.
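To make the answer concrete, here is an added example (not code from the thread) modelling the scheme the question describes: a per-session token embedded in the bank's forms and checked server-side. The class and function names (Session, render_transfer_form, handle_transfer) are hypothetical; it shows why the <img> request from the question, and a forged POST without the token, are both rejected.

```python
import hmac
import secrets


class Session:
    """Server-side session for one logged-in user (constructed example)."""

    def __init__(self, user: str):
        self.user = user
        # One unpredictable token per session, generated at login and
        # embedded in every state-changing form the bank renders.
        self.csrf_token = secrets.token_urlsafe(32)
        self.balance = 500_000


def render_transfer_form(session: Session) -> str:
    """The bank's own transfer form carries the session token in a hidden field."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="amount"><input name="to"><button>Send</button></form>'
    )


def handle_transfer(session: Session, method: str, params: dict) -> tuple:
    """Hypothetical /transfer handler. Returns (HTTP status, message)."""
    # 1. State-changing actions accept POST only. An <img src="..."> on a
    #    third-party page always issues a GET, so it never reaches the
    #    transfer logic, regardless of the cookies the browser attaches.
    if method != "POST":
        return 405, "method not allowed"
    # 2. The submitted token must match the one stored in the session.
    #    A page on another origin cannot read the victim's token, so a
    #    forged POST arrives without it (or with a guess) and is refused.
    #    compare_digest avoids leaking the token through timing differences.
    submitted = params.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "csrf token missing or invalid"
    amount = int(params.get("amount", "0"))
    if amount <= 0 or amount > session.balance:
        return 400, "bad amount"
    session.balance -= amount
    return 200, f"sent {amount} to {params['to']}"
```

The token lives only in the session and in the bank's own HTML, so a visit to the attacker's site between steps 1 and 3 of the comment above changes nothing: the attacker's page still cannot supply it.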