Answer the question
In order to leave comments, you need to log in
How does AntiForgeryToken protect against csrf?
At first I found a simple description in one article.
When loading a page containing a form with a token, the server also sets a cookie containing this token to the client.
When a post request is made to a form, the client sends a token in the body of the request and specifies this cookie with the token. And they say, the server compares the received cookie and the token from the form when receiving a post request, and it protects us that the cookie belongs to the domain and it is not available from other domains.
That's what it said in that article.
Only here, what prevents you from creating an xmlhttprequest, creating a random token, registering it as a cookie for xhr, and putting it in the body, of course.
The server does not store what tokens it created there, it only compares the token from the cookie and from the request body, which means that you can use any random one?
In fact, of course, I already checked that the token and cookie are encrypted differently there, but you can parse the algorithm how they are encrypted in order to generate a pair of token and cookie such that the server will fail them.
UPD: " what prevents you from creating an xmlhttprequest, creating a random token, registering it as a cookie for xhr , and putting it in the body, of course."
It interferes with the fact that the browser will not allow you to set cookies via setRequestHeader () for a cross-domain request.
Answer the question
In order to leave comments, you need to log in
I don't know about ASP.NET, but usually the csrf token changes on every request. What is inside it and how it is encrypted - it does not matter, the important thing is that it is different.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question