Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
So the “typical” CSRF protection method is storing a nonce in a session and in a hidden form element. Is it possible for an attacking website to first scrape the target form using the victim’s session, getting the hidden form token, and then send the token in their own form element? Testing this myself, it validates. I am just curious if it is possible for a bot to scrape the page and obtain the nonce.
If this is possible, then how can you protect against this type of attack?
If the attacker could scrape a victim’s page, he wouldn’t need to use CSRF, because he could basically do anything with the user’s data. This is actually called session hijacking and there are other ways of defending the user from it.