I’m just wondering if it’s possible to xsrf-attack this:
<form ...>
<input type="hidden" name="token" value="xsrf-generated-token" />
... fields+submit button ...
</form>
using javascript – like:
- attacker gets me to his site
- then he calls javascript with GET /admin/users/test/edit
- he parses the xsrf token (using regexes – the DOM wouldn’t work because of the same-origin policy)
- and sends a signed edit…
shouldn’t GET /admin/users/test/edit be signed by a token as well?
The reason is that normal ajax requests (using XHR) are limited by the same-origin policy. So that means that in order for this to work, you’d first need to exploit an XSS vulnerability before you could execute the CSRF vulnerability.
Now, it may appear that JSONP might be a way around that. But it’s not. Since JSONP uses script tags, the result of the request would be fed right in. And since the result is HTML and not JS, a syntax error should be thrown.
So there should be no way to ever get the token without first compromising the site itself. But note that this all depends on two things:
- All browsers correctly implement same-origin-policy protection.
- You’re not passing the token to the form via JSON (for if you were, JSONP would be able to read it).