The Archive Base
Asked by Editorial Team on May 19, 2026
What exactly are the risks I’m exposing myself to if I don’t use csrf

What exactly are the risks I’m exposing myself to if I don’t use CSRF tokens in my forms? I’m not looking for simple labels or names of the risks, because these can be confusing. I need to understand what exactly an attacker can do and only under what circumstances they can do this, in plain English.

1 Answer

Editorial Team, answered on May 19, 2026 at 11:20 am

A CSRF vulnerability is one which allows a malicious user (or website) to make an unsuspecting user perform an action on your site which they didn’t want to happen.

Some real-world examples would be things like if you allowed a user to delete an account over GET instead of POST, someone could post the following comment on your site (assuming the site has some way to post comments or other input, etc.):

I thought I’d make a comment on your site. Check out this cool image!
<img src="http://example.com/delete_my_account.php" />

And now any time a logged-in user loads that page, their account would be deleted. If it was done over POST instead of GET, someone could craft a form and trick users into submitting it and the same result would happen. Whereas if you used a CSRF token, this wouldn’t be possible.

Another example would be that an external site could craft a form which POSTs to your site, and perform an undesirable action. So let’s say your site has a shopping cart which doesn’t use CSRF tokens. A malicious site could create a form with a button that says “Click here to register”, but actually orders 1000 of something from your site. If a logged-in user from your site visits this malicious site and clicks the button, they’ll get a nice surprise in the mail.

Obviously there are other cases, these are just a few examples. A Google search should turn up plenty of articles and tutorials, many of which will probably have some other examples. The Wikipedia page also has some examples which you might find interesting.

The main idea of the examples is that someone can trick your site into performing an action as if it came from a user, when really the user wasn’t aware it was happening or didn’t want it to happen. If you have any sort of action on your site which is destructive (i.e. can delete things from a user account, log out a user, etc.) or critical (i.e. deals with money) you should probably use CSRF tokens. If your site is just a photo album for friends, etc. then you probably don’t need to bother with CSRF tokens (although it’s always good to practice for when you do build a site that needs them).

Unless you add a token to ensure that a request came from a form your site presented to the user intentionally, you don’t really have a way of knowing if the user intended to perform the action.

So you always want to use a unique token on every form you generate that POSTs, and validate that any requests POSTed to your site have a valid token for the current user. Also make sure to expire the tokens after some amount of time so that they don’t last forever.
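The token scheme the answer closes with (a unique token on every form, checked against the current user on each POST, and expired after a while), as an added Python example that is not part of the answer or of any framework: a stateless HMAC token bound to the session id, plus a hypothetical hardened version of the answer's delete-account handler. SECRET_KEY, TOKEN_TTL, the session id and the form dict are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

SECRET_KEY = os.urandom(32)  # assumed server-side secret; keep it out of source control
TOKEN_TTL = 3600             # assumed lifetime in seconds, so tokens don't last forever


def issue_csrf_token(session_id, now=None):
    """Mint a token for one rendered form: bound to the user's session, timestamped,
    and made unique per form by a random nonce."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{session_id}:{issued}:{nonce}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{issued}.{nonce}.{mac}"


def verify_csrf_token(token, session_id, now=None, ttl=TOKEN_TTL):
    """True only if the token was minted by this server for this session and is
    still inside its lifetime. A token copied from another user's form fails
    because the MAC covers the session id."""
    try:
        issued_s, nonce, mac = token.split(".")
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False
    msg = f"{session_id}:{issued}:{nonce}".encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False
    current = now if now is not None else time.time()
    return 0 <= current - issued <= ttl


def handle_delete_account(form, session_id, now=None):
    """Hypothetical hardened handler for the answer's delete_my_account example:
    a cross-site form or <img> request carries no valid token, so it is refused
    before any destructive work happens."""
    if not verify_csrf_token(form.get("csrf_token", ""), session_id, now):
        return "rejected: missing or invalid CSRF token"
    return f"deleted account for session {session_id}"
```

A stateless token like this can be replayed within its lifetime; if a form must be strictly single-use, record consumed nonces in the session store as well.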