Wednesday, 26 February 2020

Does adding anti CSRF token in hidden field really protect against CSRF attacks?

If an attacker can read hidden fields then how is sending anti CSRF token in a hidden field useful?

I am preparing for an interview and came across CSRF. I know that CSRF is possible because whenever our browser sends a request to a website we are logged in to, it automatically sends the cookies with it too. For the authentic server to know if the user really made a request, this article suggests that an anti-CSRF token should be added as a hidden value in every request sent by the browser. This way the authentic server will know which request was forged and which was not, as an attacker cannot predict the anti-CSRF token.

But this post says that an attacker can easily see the hidden values. Doesn't this make the above suggested mitigation useless? I am confused.
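The check the question describes, written out as an added illustration (this is not code from the question or from the linked articles): the server issues a random token per session, embeds it in the hidden field of the page it renders on its own origin, and on each POST compares the submitted value against the session's token. A hidden field is readable by whoever loaded that page, i.e. the logged-in user's own browser; a page on another origin cannot read the victim's rendered form, so a cross-site request carries the session cookie but not the matching token. `Session`, `render_form`, `handle_post` and the `/transfer` form are hypothetical names chosen for the example.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Session:
    """Server-side session for a logged-in user; the browser only holds the session cookie."""
    user: str
    # One unpredictable token per session, generated with a CSPRNG (hypothetical session store)
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_form(session: Session) -> str:
    """The real origin renders the form and embeds the session's token in a hidden field."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def extract_token(html: str) -> str:
    """Stand-in for the victim's browser submitting the hidden field of the page it loaded."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return match.group(1) if match else ""


def handle_post(session: Session, form_fields: Dict[str, str]) -> Tuple[int, str]:
    """Server-side check: accept only if the submitted token equals this session's token.

    compare_digest gives a constant-time comparison; both sides are encoded so that
    arbitrary (non-ASCII) attacker input cannot raise instead of simply failing.
    """
    submitted = form_fields.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode("utf-8"), session.csrf_token.encode("utf-8")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form_fields.get('amount')} for {session.user}"


def demo() -> Tuple[Tuple[int, str], Tuple[int, str], Tuple[int, str]]:
    """Constructed scenario: one legitimate submission and two cross-site ones."""
    victim = Session(user="alice")

    # Legitimate flow: the victim loads the page on the real origin and submits it
    html = render_form(victim)
    legitimate = handle_post(victim, {"csrf_token": extract_token(html), "amount": "10"})

    # Cross-site request: the cookie is attached automatically, but the other origin
    # never saw the victim's form, so no token (or a wrong one) is submitted
    no_token = handle_post(victim, {"amount": "1000"})
    wrong_token = handle_post(victim, {"csrf_token": secrets.token_urlsafe(32), "amount": "1000"})
    return legitimate, no_token, wrong_token


if __name__ == "__main__":
    for status, message in demo():
        print(status, message)
```

The token only does its job if it is bound to the session (or to the user) rather than merely present, and if the server checks it on every state-changing request; a token that any logged-in session accepts, or one that can be obtained by a page on another origin (for example through an XSS flaw on the same origin), no longer distinguishes forged requests from genuine ones.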



