[Solved]-In what case can CSRF-exempt be dangerous?


CSRF attacks are about forcing a victims browser to send forged requests. A simple <img> or automatically submitted <form> suffice to do this for both GET and POST method. And as the requests are send by the browser, it sends any authentication credentials along and thus making the requests seem authentic and legitimate from the server’s point of view as they basically don’t differ from those initiated by the user’s actions.

And that’s exactly what the CSRF token is used for: establish a difference between requests that were initiated by the user and those that were forged by a third party site. For this purpose the CSRF token acts as a secret that is only known to the server and the user. The server puts the secret in the document in a response and expects it to be send back in the next request.

And as the secret is embedded in the response’s document that is assigned for this specific user, an attacker would need to eavesdrop that specific response or access the document in some other way. There certainly are attacks get the CSRF token (e. g. eavesdropping, MITM, XSS, etc.). But if you are protected against those attacks, an attacker won’t be able to forge an authentic request.



CSRF attack

I trick you into viewing a webpage where I inserted some code (a request, typically through img or form) to another site (where you possibly have some rights).

Innocuous example

<img src="http://www.yoursite.net/changelanguage?lang=fr">

I cruelly changed the language of your session to french. Oh noes! You can safely remove csrf protection and save a db hit.

Dangerous examples

<img src="http://www.yourbank.net/sendmoney?amt=9999&account=123>

If you were logged in in yourbank.net (and it has no csrf or any other protection), your account should feel lighter by now. (I am 123.)

<img src="http://www.yoursite.net/admin/users/123/edit?admin=1">

If you were logged in in yoursite.net as an admin, then we both are. (I am 123.)

Leave a comment