What is a CSRF token? What is its importance and how does it work?

by

Cross-Site Request Forgery (CSRF) in simple words

  • Assume you are currently logged into your online banking at www.mybank.com
  • Assume a money transfer from mybank.com will result in a request of (conceptually) the form http://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>. (Your account number is not needed, because it is implied by your login.)
  • You visit www.cute-cat-pictures.org, not knowing that it is a malicious site.
  • If the owner of that site knows the form of the above request (easy!) and correctly guesses you are logged into mybank.com (requires some luck!), they could include on their page a request like http://www.mybank.com/transfer?to=123456;amount=10000 (where 123456 is the number of their Cayman Islands account and 10000 is an amount that you previously thought you were glad to possess).
  • You retrieved that www.cute-cat-pictures.org page, so your browser will make that request.
  • Your bank cannot recognize this origin of the request: Your web browser will send the request along with your www.mybank.com cookie and it will look perfectly legitimate. There goes your money!

This is the world without CSRF tokens.

Now for the better one with CSRF tokens:

  • The transfer request is extended with a third argument: http://www.mybank.com/transfer?to=123456;amount=10000;token=31415926535897932384626433832795028841971.
  • That token is a huge, impossible-to-guess random number that mybank.com will include on their own web page when they serve it to you. It is different each time they serve any page to anybody.
  • The attacker is not able to guess the token, is not able to convince your web browser to surrender it (if the browser works correctly…), and so the attacker will not be able to create a valid request, because requests with the wrong token (or no token) will be refused by www.mybank.com.

Result: You keep your 10000 monetary units. I suggest you donate some of that to Wikipedia.

(Your mileage may vary.)

EDIT from comment worth reading by SOFe:

It would be worthy to note that script from www.cute-cat-pictures.org normally does not have access to your anti-CSRF token from www.mybank.com because of HTTP access control. This note is important for some people who unreasonably send a header Access-Control-Allow-Origin: * for every website response without knowing what it is for, just because they can’t use the API from another website.

More Related Contents:

  1. Disable CSRF validation for individual actions in Yii2
  2. WARNING: Can’t verify CSRF token authenticity rails
  3. How to properly add cross-site request forgery (CSRF) token using PHP
  4. jQuery Ajax calls and the Html.AntiForgeryToken()
  5. “The page has expired due to inactivity” – Laravel 5.5
  6. Passing csrftoken with python Requests
  7. Turn off CSRF token in rails 3
  8. Do login forms need tokens against CSRF attacks?
  9. CSRF (Cross-site request forgery) attack example and prevention in PHP
  10. codeigniter CSRF error: “The action you have requested is not allowed.”
  11. rails – “WARNING: Can’t verify CSRF token authenticity” for json devise requests
  12. CSRF Token necessary when using Stateless(= Sessionless) Authentication?
  13. Laravel catch TokenMismatchException
  14. What is the right way to use angular2 http requests with Django CSRF protection?
  15. Rails API design without disabling CSRF protection
  16. New CSRF token per request or NOT?
  17. Django CSRF framework cannot be disabled and is breaking my site
  18. Angular 6 does not add X-XSRF-TOKEN header to http request
  19. Single Page Application and CSRF Token
  20. Rails CSRF Protection + Angular.js: protect_from_forgery makes me to log out on POST
  21. CSRF protection with CORS Origin header vs. CSRF token
  22. CSRF verification failed. Request aborted
  23. CSRF state token does not match one provided FB PHP SDK 3.1.1 Oauth 2.0
  24. Using MVC3’s AntiForgeryToken in HTTP GET to avoid Javascript CSRF vulnerability
  25. Codeigniter CSRF valid for only one time ajax request
  26. How do I solve an AntiForgeryToken exception that occurs after an iisreset in my ASP.Net MVC app?
  27. CSRF Token missing or incorrect
  28. What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?
  29. Am I under risk of CSRF attacks in a POST form that doesn’t require the user to be logged in?
  30. Understanding CSRF

Leave a Comment