After reading many documents regarding CSRF, I'm still a little bit confused. So I hope someone can please explain it to me:

1. Let's say I have a profile page which is for authenticated users only, say abc.com/profile, which shows me all my private info. If I'm logged in and then go to a "bad" site, can this site somehow get and parse my profile page?
   (I did a little experiment by opening up the Firebug console on a different site, then requesting my profile page, and it seems like at least I can see the whole content in the "Response" of the "Net" tab; I haven't figured out how to get this content and parse it yet though. But perhaps it's possible?)
2. Now assume that I have on my profile page a form, which of course has a CSRF token. Now if an attacker could get my profile page, he could just parse that content, get the token and then submit a fake form?
3. Now assume that 1 and 2 are correct; what should I do to prevent such cases from happening?
Your first point is not correct.
You cannot read content from a different domain on the client.
Therefore, a hostile site cannot read the CSRF token.
You can send requests to a different domain (which is what CSRF attacks do), but you can’t read the responses.
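As an added illustration of the mitigation the question asks about (this is example code, not from the question or the answer): a minimal server-side synchronizer-token check in Python. It assumes a hypothetical in-memory session store and a hypothetical `handle_profile_post` handler; the token is bound to the session and embedded in the form the server renders, so a request that arrives from another site carries the cookie but not the token and is rejected.

```python
import hmac
import secrets

# Hypothetical in-memory session store standing in for a real server-side
# session backend (constructed for this example).
sessions = {}

def issue_csrf_token(session_id):
    """Create (or reuse) the CSRF token bound to this session. The server
    embeds it in the profile form it renders; a hostile origin cannot read
    that HTML because of the same-origin policy, so it never learns it."""
    sess = sessions.setdefault(session_id, {})
    if "csrf" not in sess:
        sess["csrf"] = secrets.token_urlsafe(32)
    return sess["csrf"]

def handle_profile_post(session_id, form):
    """Validate the submitted token before acting on the form.
    Returns (status_code, message)."""
    sess = sessions.get(session_id)
    if sess is None:
        return 401, "not authenticated"
    submitted = form.get("csrf_token", "")
    expected = sess.get("csrf")
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not expected or not hmac.compare_digest(
        submitted.encode("utf-8"), expected.encode("utf-8")
    ):
        return 403, "CSRF token missing or invalid"
    sess["email"] = form.get("email", sess.get("email"))
    return 200, "profile updated"

if __name__ == "__main__":
    # Constructed scenario: the victim's own browser submits the rendered form,
    # which carries the real token, so the update is accepted...
    token = issue_csrf_token("sess-victim")
    print(handle_profile_post("sess-victim", {"csrf_token": token, "email": "me@example.com"}))
    # ...while a form posted from another site rides on the session cookie but
    # has no way to include the token, so it is refused.
    print(handle_profile_post("sess-victim", {"email": "someone@example.com"}))
```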