Steal CSRF token
Asked Answered
Q

3

14

I've read other questions on Stack Overflow but didn't find a clear answer to this question:

What prevents the attacker to steal the user's CSRF token via JS? Can't he just find the CSRF element and get it's value with JS?

I am not very familiar with JS, but maybe something like that:

document.getElementById("csrft_token").value
Quiet answered 16/9, 2016 at 17:13 Comment(3)
Do you have an example JS that would be able to steal it under the same conditions where he would be able to execute an CSRF? Note the C in CSRF.Octroi
And how does your attacker get their JS code executed on this particular website?Centrifuge
If a third party can execute arbitrary Javascript on your site, you have much worse problems than csrf. That's like asking, "what's the point of a lock on my door if the bad guy has already knocked down the wall?"Airy
A
19

From OWASP (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) )

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

The CSRF attack vector, by definition, is not on the same server as the server being attacked, so it doesn't have access to that information.

A rudimentary example:

Victim - Bob

Site - foo.com

Attacker - John

John has no access to foo.com, but he has access to Bob, either through a website or an email. He knows how foo.com works, so he can bind a request to either an email or a malicious website that is not on the foo.com domain. This will send the request and piggy-back off Bob's credentials.

The same-origin policy prevents John from seeing or intercepting anything of Bob's version of foo.com, which is why the CSRF key can be stored on the page Bob receives from foo.com without ever being seen by John.

If John were able to use JS to actually see the token, that would imply that John has access to requests from foo.com, in which case this would be either person-in-the-middle attack or an inside attack.

Basically, the goal of a CSRF key is to only stop a CSRF attack. If the CSRF key itself is being intercepted, then another attack has occurred.

Abiogenetic answered 16/9, 2016 at 17:37 Comment(0)
R
7

The short answer is: The Same Origin Policy. As an attacker would serve its malicious script from another origin, his script is not allowed to read data contained in another origin (I.e. the token).

However, if the site containing the token has a XSS vulnerability and the attacker uses that to load his script, the origin would match and he would be indeed be able to steal his token.

Reenareenforce answered 17/9, 2016 at 18:35 Comment(0)
T
2

TL;DR

Java script can access your DOM and Cookie .

You have to prevent Intruder's Java script to run on your users browser (XSS Attack),

in order to prevent them from CSRF Attack too.

Further information on tokens difference


For CSRF prevention there exists two popular method:

  • CSRF token
  • XSRF token

Steal CSRF

for an attacker to access CSRF token, he/she has to inject his js into victims web page to steal CSRF token. this attack is called XSS attack. so you have to prevent XSS attack too.

another possibility, is the attacker access victims memory which needs have malware with kernel space access.

Steal XSRF

XSRF are saving in cookies and should set Same-Site Policy as Lax or Strick to make browser not giving it to another script.

in additional victim's are vulnerable if saved cookie file on system is not protected with required privilege.

Tessie answered 22/12, 2020 at 21:3 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.