I don't get one thing about CSRF protection in Django. For example, we have some malicious site. What is the problem with sending a GET request from this site to a CSRF-protected URL, parsing the page to get the CSRF value, then POSTing with this value?
3 Answers
For example, we have some malicious site. What is the problem with sending a GET request from this site to a CSRF-protected URL, parsing the page to get the CSRF value, then POSTing with this value?
If you do this, the session counterpart of the CSRF cookie will not match, and your request will be rejected.
Also, it should be noted that referrer check is done only for HTTPS requests to prevent a MitM vulnerability.
See this django wiki entry for a discussion on how CSRF protection works, and this SO question that discusses the MitM attack specifically.
What is the session counterpart of the CSRF cookie, if the user has already logged in to a Django CSRF-protected site? – sunprophit Jul 18 '12 at 15:19
The main purpose of Django's CSRF is explained in the Django Docs (https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works):
This ensures that only forms that have originated from your Web site can be used to POST data back.
So it checks several things - cookie, referrer, posted value. And there are some limitations, in that you cannot always modify all these values at will. For example - you can set the X-CSRFToken header and the POST value in an AJAX call, but the browser will not allow you to override the referrer header... You might succeed in doing a POST using urllib2 or a similar library, but this is not covered by the CSRF protection, as it is the same as if you POST on the page yourself. Again - CSRF means Cross Site Request Forgery, and that is what it protects against.
+1. CSRF means "cross-site request forgery". You can always get the CSRF token and post it with altered data, but CSRF targets your `logged in users`. – Umur Kontacı Jun 27 '12 at 14:19
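A simplified model of the three checks the answer above lists (Referer for HTTPS, cookie, posted value), written as an added example that is neither Django's own code nor any poster's; the hostnames bank.example and evil.example and the session tokens are constructed for the walkthrough:

```python
import hmac
import secrets
from urllib.parse import urlsplit


def new_session_token():
    """Per-session random secret; Django stores it in the csrftoken cookie."""
    return secrets.token_hex(16)


def check_csrf(cookie_token, posted_token, scheme, referer, host):
    """Return (accepted, reason), in the order Django applies its checks:
    over HTTPS the Referer must be present and same-origin (the MitM guard
    the answer mentions), the CSRF cookie must be set, and the posted value
    must equal the cookie value (constant-time comparison)."""
    if scheme == "https":
        if not referer:
            return False, "Referer checking failed - no Referer"
        parts = urlsplit(referer)
        if parts.scheme != "https" or parts.netloc != host:
            return False, "Referer checking failed - origin mismatch"
    if cookie_token is None:
        return False, "CSRF cookie not set"
    if posted_token is None or not hmac.compare_digest(cookie_token, posted_token):
        return False, "CSRF token missing or incorrect"
    return True, "ok"


def scenarios(host="bank.example"):
    """Constructed walkthrough of the situation the question describes."""
    victim = new_session_token()    # cookie the victim's browser holds for the site
    attacker = new_session_token()  # cookie the attacker's *own* GET of the form received
    scraped = attacker              # the value the malicious site parsed out of that page
    return {
        # The victim submits the site's own form: cookie and hidden field agree.
        "legit": check_csrf(victim, victim, "https", "https://%s/form/" % host, host),
        # Forged POST from the victim's browser over plain HTTP: the browser
        # attaches the victim's cookie, but the form carries the scraped token.
        "scraped_token_http": check_csrf(victim, scraped, "http", None, host),
        # The same forgery over HTTPS is stopped earlier, by the Referer check.
        "scraped_token_https": check_csrf(victim, scraped, "https", "https://evil.example/", host),
        # Replaying the scraped token with no victim session: no cookie, nothing to match.
        "no_cookie": check_csrf(None, scraped, "http", None, host),
    }
```

The point the session-counterpart comment is asking about is the second and third checks: the scraped token belongs to the attacker's own cookie, and the malicious page cannot read or replace the victim's cookie, so the pair never matches.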
REFERRER will be checked. If the REFERRER does correspond to the correct URL, then POSTing data is not valid.