Why doesn't a Hacker Have access to the CSRF Token? | Sololearn: Learn to code for FREE!
New course! Every coder should learn Generative AI!
Try a free lesson
+ 3

Why doesn't a Hacker Have access to the CSRF Token?

If the user presses a malicious link which makes the user do an operation on a site that the user is already logged into(transferring money for example)... the session ID and the CSRF Token are being sent in the http request. Session ID for authentication of which user is sending the request, and the Token to prevent a CSRF attack. So why is the CSRF Token considered safe? The hacker doesn't need to know it anyways.. like he doesn't need to know the session ID. (It'll be considered safe only if the hacker sends a link that redirects the user to his malicious website that sends the http request... that way the hacker will need to know what's the Token...)

sessionwebsiteweb-storagexsstokencsrf
21st Jul 2021, 4:37 PM
Yahel
Yahel - avatar
4 Answers
+ 2
Jazz right, but what if a hacker sends a link to the real bank site (for example..), but the URL parameters will make a transfer to the hacker's account. This http request is sent from the original site, so will the csrf token protect here? And when is a new csrf Token being generated? How often?
21st Jul 2021, 6:10 PM
Yahel
Yahel - avatar
+ 1
Jazz that's not what I meant :) Let's say a hacker sends a link like so: http://bank.com/transfer?to_user=attacker&amount=10000 That link is the real link of the bank. The hacker assumes that the victim is logged into his account while clicking the link. The money transaction will execute immediately (if there is no security as typing your username and password again, secret code etc..). The CSRF Token is useless in this case, am I right?
23rd Jul 2021, 5:42 PM
Yahel
Yahel - avatar
+ 1
Jazz I understand, let me just make sure though: When clicking a link that redirects you to an attackers site which sends a request to the real bank site - it won't be able to work because the hacker doesn't know what is the CSRF Token and thus it's not in the form and the request won't work. And when clicking a link to the real bank site, the url must contain the csrf Token (if it's a secure bank site), thus the hacker won't know it and the link won't work. Am I right?
23rd Jul 2021, 6:21 PM
Yahel
Yahel - avatar
+ 1
Jazz Thanks for your help and patience, have a good day :)
23rd Jul 2021, 6:29 PM
Yahel
Yahel - avatar

Often have questions like this?

Learn more efficiently, for free:

See all courses
Hot today
[SOLVED] How to create animation in Python?
2 Votes
[Clearified] 0 === -0 and 0 == -0
3 Votes
How to stop pop up menu from qt table horizontal header
0 Votes
What next?
0 Votes
Popsicle program
1 Votes
please help me emotionally
1 Votes
Why are not all the codes showing?
0 Votes
Why 'null >= 0' is TRUE?
2 Votes
Which programming language is most important for learning hacking or cybersecurity?
0 Votes
Help me with phyton
2 Votes