What stops someone from reading CSRF tokens in form inputs with JS

#1
Most frameworks I've looked at will insert into forms a hidden input element with the value being a CSRF token. This is designed to prevent user Bob from logging in on my site and then going to badsite.com, which embeds img tags or JS that tell my site to execute requests using Bob's still logged in session.

What I'm not getting is what stops JS on badsite.com from AJAX requesting a URL with a form on my site, regex-ing the CSRF token from the hidden input element, and then AJAX posting to my site with that valid CSRF token?

It seems to me that you'd want to use JS to insert the CSRF token into the form at runtime, pulling the value from a cookie (which is inaccessible to badsite.com). However, I've not heard this approach mentioned and so many frameworks do the simple hidden input with the CSRF token, I'm wondering if my solution is over-engineered and I'm missing some part of what makes the hidden input method secure.

Can anyone provide some clarity? Thanks!

#2
> what stops JS on badsite.com from AJAX requesting a URL with a form on my site

The Same Origin Policy (unless you subvert it with overly liberal CORS headers). JavaScript running on a site can't read data from a site hosted on a different host without permission from that host.

There are workarounds to the SOP, but they all either require the co-operation of the host the data is being read from (JSON-P, CORS), or don't pass any data that identifies a specific user (so can't access anything that requires authorisation).


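To make the answer's Same Origin Policy / CORS rule concrete, here is an added example, not code from this thread, that models the check a browser applies before letting page script read a cross-origin response body, and contrasts a strict CORS policy with the "overly liberal" reflecting one the answer warns about. The origins mysite.com, app.mysite.com and badsite.com, the form URL and both header policies are constructed for illustration.

```javascript
// Scheme + host + port, i.e. the origin the SOP compares.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Approximates the browser's decision: may script running at pageOrigin read a
// response fetched from requestUrl, given the response headers (lower-cased
// names) and whether cookies were sent with the request?
function canReadResponse(pageOrigin, requestUrl, headers, withCredentials) {
  if (originOf(requestUrl) === pageOrigin) return true; // same origin: readable
  const acao = headers["access-control-allow-origin"];
  const acac = headers["access-control-allow-credentials"];
  if (!acao) return false; // no CORS grant: the SOP keeps the body opaque
  if (withCredentials) {
    // A credentialed request (Bob's session cookie) needs an explicit origin
    // match AND Allow-Credentials: true; browsers reject the "*" wildcard here.
    return acao === pageOrigin && acac === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// Constructed server-side CORS policies for mysite.com's form page.
const ALLOWED_PARTNERS = new Set(["https://app.mysite.com"]);

// Strict: only an allow-listed origin gets a credentialed grant.
function corsHeadersStrict(requestOrigin) {
  return ALLOWED_PARTNERS.has(requestOrigin)
    ? { "access-control-allow-origin": requestOrigin,
        "access-control-allow-credentials": "true" }
    : {};
}

// Overly liberal: reflects whatever Origin arrives and allows credentials,
// which hands the CSRF token in the form to any site Bob visits.
function corsHeadersReflecting(requestOrigin) {
  return { "access-control-allow-origin": requestOrigin,
           "access-control-allow-credentials": "true" };
}

// The scenario from the question: script on badsite.com fetches mysite.com's
// form page with Bob's cookies attached. Returns true if it can read the body.
function badsiteCanReadToken(corsPolicy) {
  const attacker = "https://badsite.com";
  const headers = corsPolicy(attacker);
  return canReadResponse(attacker, "https://mysite.com/form", headers, true);
}
```

With the strict policy the fetch completes but the body stays opaque to badsite.com's script, so the hidden-input token is never exposed; only the reflecting policy lets it through.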
