Is it safe to use a signal auth-token in cookie for auth (post and requst only json via ajax)?
Why attacker can not get the form token in hidden field?
How an attacker do a CSRF attack with a POST request?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is it safe to use a signal auth-token in cookie for auth (post and requst only json via ajax)?
Why attacker can not get the form token in hidden field?
How an attacker do a CSRF attack with a POST request?
Sort of, if that cookie is HTTP-only (which helps protect against XSS) and SSL then there’s no way anyone outside your site can read that cookie.
However, the user’s browser can retain that cookie, and will automatically send it whenever their browser requests a page from your application again. This is desired when the user is navigating your site, but also how a CSRF attack is possible.
In a CSRF attack the hacker can’t actually read your site or the cookie because it should be protected by SSL/HTTPS. CSRF works by fooling your browser into sending their data along with your secure data to your site.
So a value in a hidden field is part of the default defence against CSRF – they have a secret value in a cookie (which the hacker can fool the browser into re-sending but can’t see or edit) and the same value in a hidden input field in the encrypted page (which the hacker can’t get to). If the cookie and the hidden value don’t match then you have a CSRF attack.
Ok, so suppose you have a secure website. You can log into this site using SSL and you’ll get an HTTP-only SSL authentication cookie back that keeps you logged in.
Now I have a new page, on a completely different site. If I link to your site from mine then when you click on that link it will leave my site and go to yours, passing your cookie.
If I add an HTML
<form>to my page that POSTs back to your site the same thing happens: the browser goes back to your site and sends any data in the form, along with your cookie.Note that I haven’t read either your cookie or any pages on your site, as both are protected by SSL encryption.
For the full effect I can hide that form on the page so that the user doesn’t even realise that they’re posting back to your site.
A trivial example of this is the ‘Like’ functionality on Facebook – they’ve patched this now I think, but for a while I could fool your browser (without accessing your details) into sending your authentication cookie to the Facebook action that says you like something I want you to.