How does AntiForgeryToken work? I think I can fake it.



  • Based on the information I found, I understand it as follows. The server generates a unique token every time it sends the user an HTML form. Then the token is sent back to the server together with the form, and the server validates it and accepts or rejects the request.

    A CSRF attack is based on the principle that, from the victim's browser, we send a forged form to a server where we are authorized and have the necessary cookies. But without the AntiForgeryToken, the request will be rejected.

    Now, the part I don't understand is this: if I first request the form from the server, I'll get the token I need, put it into my own form data and send it to the server. In the end, I'll pull off the entire CSRF attack. Given that in the victim's browser I have the authorization I need, I can certainly send a request for this form that includes a token.

    Can someone tell me whether I've lost my mind?



  • You did not take the https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy (SOP) into account (by the way, the linked page also covers the CSRF token). When it is on, you will be able to request your form. But getting the response to it, which contains the token you need, is not possible: the browser will refuse, citing SOP.

    The service owner can weaken SOP with CORS. If the owner of the service has put `*` (anyone) in important places, he has only himself to blame.

    Also, SOP may not be supported or may be turned off in the browser. The former is unlikely with modern browsers, and the latter requires considerable control over the victim's system.
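To make the two halves of the answer concrete, here is an added example (not code from the thread or from any particular framework) of the server side of an anti-forgery token: a token bound to the session, a constant-time check on submission, and a CORS helper that only relaxes SOP for an explicit allow-list rather than reflecting any Origin. The in-memory `SESSIONS` store, the session ids and the origins are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed stand-in for a real session backend (assumption for this example).
SESSIONS: Dict[str, Dict[str, str]] = {}


def issue_token(session_id: str) -> str:
    """Generate a fresh anti-forgery token and bind it to the user's session.

    The server embeds this value in the HTML form. A page on another origin
    can *send* a request for the form, but SOP stops it from *reading* the
    response body, so it never learns the token.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf"] = token
    return token


def validate_token(session_id: str, submitted: Optional[str]) -> bool:
    """Accept the POST only if the submitted token matches the one bound to
    this session. compare_digest avoids leaking the token via timing."""
    expected = SESSIONS.get(session_id, {}).get("csrf")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def cors_headers(request_origin: str, allowed_origins: Set[str]) -> Dict[str, str]:
    """Return CORS headers only for an explicitly allowed origin.

    Reflecting an arbitrary Origin together with Allow-Credentials would let
    a foreign page read the authenticated form response, token included,
    which is exactly the weakening of SOP the answer warns about.
    """
    if request_origin in allowed_origins:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}
```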

