Question

I have this form

<form>
<!-- other fields -->
<input type="hidden" value="gfth35rfer43556thgrth8678gbfgb" name="csrf">
</form>

The token is unique for every user. Now suppose the attacker is logged in and opens this page. Now he knows what the current session token is; by copying the value above, the attacker has the authentication token. He can attack my site easily. How does this procedure prevent a CSRF attack?


Solution

Given:

  • Alice - a user
  • Bob - someone who runs a site
  • Mallory - an attacker

The point of CSRF protection is to prevent Mallory from tricking Alice into submitting data provided by Mallory (using Alice's user credentials).

Since Alice and Mallory have different tokens, Mallory cannot just "copy the value above".

It isn't there to prevent Mallory from submitting data using their own credentials. To solve that problem you need to decide how much trust to give to different users.
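To make the answer's point concrete, here is an added example (not part of the original question or answer) that models the server side of a per-session CSRF token. The session store, the `/transfer` form and the three-party demo (Alice, Bob's server, Mallory) are constructed for illustration. It shows why Mallory copying the token from her own page does not help her: the token in the submitted form must match the token bound to the session cookie the browser sends, and Alice's browser sends Alice's cookie, not Mallory's.

```python
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical in-memory session store: session id (from the cookie) -> session data.
# In a real application this would be your session backend.
SESSIONS: Dict[str, Dict[str, str]] = {}


def login(user: str) -> str:
    """Create a session for `user` and mint a fresh, random CSRF token bound to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": user,
        # One unpredictable token per session; Alice and Mallory get different values.
        "csrf": secrets.token_urlsafe(32),
    }
    return session_id


def render_form(session_id: str) -> str:
    """Bob's server renders the form with the CSRF token that belongs to *this* session."""
    token = SESSIONS[session_id]["csrf"]
    return (
        '<form method="post" action="/transfer">\n'
        f'<input type="hidden" name="csrf" value="{token}">\n'
        '<input type="text" name="amount">\n'
        '<input type="submit">\n'
        "</form>"
    )


def extract_token(form_html: str) -> Optional[str]:
    """What a user (or an attacker viewing their own page) can read out of the HTML."""
    match = re.search(r'name="csrf" value="([^"]+)"', form_html)
    return match.group(1) if match else None


def handle_post(cookie_session_id: str, form_fields: Dict[str, str]) -> Tuple[int, str]:
    """Bob's POST handler.

    `cookie_session_id` is whatever the browser attached automatically (the victim's
    own cookie); `form_fields` is the body of whichever form was submitted, which
    may have been built by an attacker on another site.
    """
    session = SESSIONS.get(cookie_session_id)
    if session is None:
        return 401, "not logged in"

    submitted = form_fields.get("csrf", "")
    expected = session["csrf"]
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8")):
        return 403, "CSRF token mismatch"

    return 200, f"transfer of {form_fields.get('amount')} performed as {session['user']}"


def demo() -> Tuple[Tuple[int, str], Tuple[int, str], Tuple[int, str]]:
    alice_sid = login("alice")
    mallory_sid = login("mallory")

    # 1. Legitimate: Alice submits the form Bob rendered for her session.
    alice_token = extract_token(render_form(alice_sid))
    legit = handle_post(alice_sid, {"csrf": alice_token, "amount": "10"})

    # 2. CSRF attempt: Mallory reads the token from *her* copy of the page and embeds
    #    it in a form on her own site. When Alice's browser auto-submits that form,
    #    it attaches Alice's cookie, so the token is checked against Alice's session.
    mallory_token = extract_token(render_form(mallory_sid))
    forged = handle_post(alice_sid, {"csrf": mallory_token, "amount": "1000"})

    # 3. Mallory submitting with her own cookie and her own token: accepted, but it
    #    acts as Mallory. That is an authorization question, not a CSRF one.
    own = handle_post(mallory_sid, {"csrf": mallory_token, "amount": "1000"})

    return legit, forged, own


if __name__ == "__main__":
    for label, result in zip(("alice legit", "mallory forged", "mallory own"), demo()):
        print(f"{label}: {result}")
```

Case 2 is the scenario in the question: having "copied the value above" gets Mallory nothing, because the value she copied is bound to her session, and the request that would do damage is made with Alice's cookie. Case 3 is what the answer's last paragraph is about: a logged-in user acting under their own identity is outside the scope of CSRF protection.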

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow