1.7.4 CSRF Token - Theory Info
A CSRF token is one way of preventing a CSRF attack.
A CSRF token is a random value generated by the web app and stored in a hidden field inside the form.
That hidden field is sent back to the web app when the user submits the form.
This way the web app can make sure that the HTTP request came from a web page constructed by the web app,
and not from a web page constructed by the attacker.
We could say that the CSRF token authenticates the web page: from which web page is this HTTP request coming?
So every time the web application sends a web page to a user, the form on that page has a hidden field whose value
is the CSRF token (and it is different for each HTTP response).
When the user submits the form, this hidden field is sent back to the web app carrying the CSRF token value.
The web app can now check whether the received CSRF token value was previously issued to this user.
If so, the web app knows that the user produced this HTTP request from a web page previously provided by the web app.
The CSRF token should be tied to a user.
That means an HTTP request should be accepted only if it arrives with the specific combination of user and CSRF token:
the user is identified by the session cookie,
and the CSRF token is carried in the hidden form field.
CSRF Token - Vulnerabilities
If the CSRF token is not properly implemented, the web app can remain vulnerable to a CSRF attack.
Validation of CSRF Token depends on request method
Some applications correctly validate the token when the request uses the POST method,
but skip the validation when the GET method is used.
In this situation, the attacker can switch to the GET method to bypass the validation and deliver a CSRF attack.
Validation of CSRF Token depends on token being present
Some applications correctly validate the token when it is present, but skip the validation if the token is omitted.
In this situation the attacker can simply remove the entire parameter containing the token (not just its value) to bypass the validation.
CSRF token is not tied to the user session
Some applications do not validate that the token belongs to the same session/user who is making the request.
Instead, the application maintains a global pool of tokens that it has issued and accepts any token that appears in this pool.
An attacker can log in to the application using their own account to obtain a valid token,
and then feed that token to the victim user in their CSRF attack.
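The following is an added example, written for this page and not taken from any framework or from the author's own material. It implements the token scheme from the theory section above (a random token minted per response, recorded against the session identified by the cookie, and checked on submission) and puts a hardened validator side by side with the three flawed ones described in the vulnerability sections. The session store, the request class and the user names are constructed stand-ins for a real web app; the point is that a correct validator treats a missing token, a token from another session, and a non-POST request identically, by rejecting the request.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed in-memory stores standing in for the web app's session storage.
# SESSIONS maps a session cookie value to the logged-in user and the CSRF
# tokens issued to that session. GLOBAL_POOL exists only to model the flawed
# validator that forgets which session a token was issued to.
@dataclass
class Session:
    user: str
    csrf_tokens: set[str] = field(default_factory=set)


SESSIONS: dict[str, Session] = {}
GLOBAL_POOL: set[str] = set()


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: method, cookies and form/query parameters."""
    method: str
    cookies: dict[str, str]
    params: dict[str, str]


def login(user: str) -> str:
    """Create a session for a user and return the session cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user)
    return sid


def issue_token(sid: str) -> str:
    """Called while building a response: mint a fresh random token, record it for this
    session (and in the global pool, for the flawed validator) and return it so the
    page can embed it in the hidden form field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid].csrf_tokens.add(token)
    GLOBAL_POOL.add(token)
    return token


def render_form(sid: str) -> str:
    """Render the form with the token in a hidden field, as the theory section describes."""
    return (f'<form method="POST" action="/change-email">'
            f'<input type="hidden" name="csrf" value="{issue_token(sid)}">'
            f'<input type="email" name="email"><button>Change</button></form>')


def token_belongs_to_session(req: Request) -> bool:
    """Core check: the token in the request must have been issued to the session
    identified by the cookie. A missing cookie, unknown session or empty token fails."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    token = req.params.get("csrf")
    if session is None or not token:
        return False
    return any(hmac.compare_digest(issued, token) for issued in session.csrf_tokens)


# --- hardened validator: same rule for every method, no "nothing to check" path ---
def validate_csrf(req: Request) -> bool:
    return token_belongs_to_session(req)


# --- the three flawed validators from the page, kept only to show the contrast ---
def validate_method_dependent(req: Request) -> bool:
    if req.method != "POST":
        return True                  # flaw: GET requests skip validation entirely
    return token_belongs_to_session(req)


def validate_skip_if_absent(req: Request) -> bool:
    if "csrf" not in req.params:
        return True                  # flaw: a missing parameter is treated as "nothing to check"
    return token_belongs_to_session(req)


def validate_global_pool(req: Request) -> bool:
    token = req.params.get("csrf", "")
    return token in GLOBAL_POOL      # flaw: any issued token is accepted, whoever it was issued to


def run_scenarios() -> dict[str, dict[str, bool]]:
    """Build the requests the vulnerability sections describe and record which
    validators accept each one. Only the legitimate submission should pass the
    hardened validator."""
    victim_sid = login("victim")
    attacker_sid = login("attacker")
    render_form(victim_sid)                     # victim loads the page and receives a token
    attacker_token = issue_token(attacker_sid)  # attacker loads the same form in their own session
    victim_token = next(iter(SESSIONS[victim_sid].csrf_tokens))

    victim_cookie = {"session": victim_sid}     # the browser attaches the victim's cookie to every request
    requests = {
        "legitimate":         Request("POST", victim_cookie, {"csrf": victim_token, "email": "me@example.test"}),
        "get_without_token":  Request("GET",  victim_cookie, {"email": "forged@example.test"}),
        "post_param_removed": Request("POST", victim_cookie, {"email": "forged@example.test"}),
        "attackers_token":    Request("POST", victim_cookie, {"csrf": attacker_token, "email": "forged@example.test"}),
    }
    validators = {
        "hardened": validate_csrf,
        "method_dependent": validate_method_dependent,
        "skip_if_absent": validate_skip_if_absent,
        "global_pool": validate_global_pool,
    }
    return {name: {v: fn(req) for v, fn in validators.items()} for name, req in requests.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:20}" + "  ".join(f"{v}={'accept' if ok else 'reject'}" for v, ok in verdicts.items()))
```

Running the script prints one row per scenario; the hardened column rejects everything except the legitimate submission, while each flawed validator accepts exactly the scenario it is named after. In a real app the per-session token set lives in server-side session storage, and state-changing actions should not be reachable over GET at all, which removes the first flaw independently of the token check.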