Geek Answers Handbook

Django CSRF cookie accessible via javascript?

The django website https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ says:

The CSRF protection is based on the following things: 1. A CSRF cookie that is set to a random value (a session independent nonce, as it is called), which other sites will not have access to. 2. ...

Then it also indicates that the csrf token can be obtained from the cookie using javascript:

 var csrftoken = $.cookie('csrftoken');

Are these two statements contradictory? Say there is a Cross Origin attack, then an attacker can just get the CSRF token from the cookie, and then make a POST request with the CSRF token in the header? Can someone explain this please?

UPDATE

Now I understand that access to the cookie is allowed only for javascript from one source. Next question:

If the POST request automatically adds the cookie as part of the request and the value of the django csrf cookie matches the csrf token, then will the malicious cross-source request still have the correct CSRF token? (in cookie)

+3
source share
2 answers

I believe this post answers your updated question:

Due to the same origin policy, the attacker cannot access the cookie. But the browser will add a cookie to the POST request anyway, as you mentioned. For this reason, you must also set the CSRF token from the code (for example, in a hidden field). In this case, the attacker must know the value of the CSRF token as stored in the victim's cookie at the time the malicious form was created. Since it cannot access the cookie, it cannot reproduce the token in its malicious code, and the attack failed.

Now you can imagine other ways of storing a token than in a cookie. The fact is that an attacker cannot get it. And the server should have a way to check it. You can imagine storing a token with a server-side session and storing a token on some “safe” path on the client side (“safe”, which means that an attacker cannot access it).

Here is a quote from OWASP:

In general, developers only need to generate this token once for the current session. After the initial generation of this token, the value is stored in the session and is used for each subsequent request until the session expires. When the request is issued by the end user, the server component must check the availability and validity of the token in the request compared to the token found in the session . If the token was not found in the request or the provided value does not match the value in the session, then the request must be aborted, the token must be reset, and the event is recorded as a potential CSRF attack.

After all, security requires two things:

  • The CSRF toner must be sent from the code, which means that the malicious code must know it.
  • The CSRF icon should be stored in some “safe” place for comparison (a cookie is convenient for this ).

I am not an expert, but this is my understanding of the problem. Hope this helps.

+2
source

On behalf of CSRF (Cross Site Request Forgery), you can already guess that the attacker must fulfill the request from the "cross site" (another site).

"The key to understanding CSRF attacks is recognizing that websites do not usually verify that a request comes from an authorized user. Instead, they only verify that a request comes from an authorized user’s browser." - given here

So for sites that do not prevent CSRF attacks, an attacker can send a malicious request from anywhere: browsers, emails, terminal ... Since the website does not check the origin of the request, he believes that the authorized user has completed the request.

In this case, in each form of Django you have a hidden input called a “CSRF token”. This value is randomly generated and uniquely generated during the display of the form and will be compared after the request is completed. Thus, a request can only be sent from an authorized user browser. There is no way (I know) that an attacker can get this token and execute a malicious request that could be accepted by the Django backend.

clear enough?

+2
source

More articles:


All Articles