Re: Circumventing CSFR Form Token Defense
* Jim Manico:
> CONJECTURE: An attacker could write a hybrid "html inspection, CSRF
> attack" mimicking an exact important form (like the funds transfer
> form for an exact bank) **even if the form in question uses form
> tokens**.
I'm not sure what you mean by "form tokens", but correctly generated
tokens are unique to the user's session.
> a) The javascript makes a simple HTTP/S request to the form it is
> trying to mimic and inspects the returned HTML for the purpose of
> pulling out a valid form key since the form key NAME is known from
> (1).
To work, this requires a cross-site scripting vulnerability in the web
application (or lack of enforcement of the same-origin policy by the
browser). (The rule of thumb is: XSS for read access, CSRF for write
access.)