I am just wondering how much the Laravel CSRF protection really adds.

Correct me if I am wrong here, but couldn't you just scrape the contents of the page once you have acquired a session?

Laravel grabs the CSRF token that is coupled to a session and adds that to a page as a metatag for AJAX requests.

```html
<meta name="csrf-token" content="{{ csrf_token() }}">
```

https://laravel.com/docs/5.4/csrf#csrf-x-csrf-token

Of course you could remove the meta tag if you do not need the AJAX functionality, but let's say you wouldn't.

Once you would have a session in place the CSRF will remain the same for the session. Of course this is a lot of work for someone to set up, but isn't this a possible workaround to a CSRF token? I guess it still helps to have a layer of protection that prevents extremely easy copy/paste CSRF attacks.

Just curious, hopefully someone can expand on this.

Edit:

I know how CSRF works; people are confusing how Laravel deals with CSRF with how they expect it to work, though. People expect a CSRF token to regenerate per request; this is not the case with Laravel though:

https://github.com/illuminate/session/blob/master/Store.php#L72

I also don't see how you would be able to verify AJAX CSRF requests if you wouldn't store your CSRF token for multiple requests by the way.

Never mind, found the answer:

https://security.stackexchange.com/questions/22903/why-refresh-csrf-token-per-form-request

This goes in depth why generating a CSRF token for each request is a bad idea.

Stephan-v
  • *"Once you would have a session in place the CSRF will remain the same for the session."* No, for each request it is validated then regenerated, it's never constant - or at least, it shouldn't be constant with the entire session http://stackoverflow.com/questions/5207160/what-is-a-csrf-token-what-is-its-importance-and-how-does-it-work – ʰᵈˑ Apr 13 '17 at 13:01
  • Possible duplicate of [What is a CSRF token ? What is its importance and how does it work?](http://stackoverflow.com/questions/5207160/what-is-a-csrf-token-what-is-its-importance-and-how-does-it-work) – ʰᵈˑ Apr 13 '17 at 13:04
  • I know how a CSRF token works but in Laravel the CSRF token is being generated once per session. You can clearly see the CSRF token being inserted here: https://github.com/illuminate/session/blob/master/Store.php#L72 – Stephan-v Apr 13 '17 at 13:20
  • In parts of the system that you really need to add extra security consider using a [cryptographic nonce](https://en.wikipedia.org/wiki/Cryptographic_nonce) – apokryfos Apr 13 '17 at 14:45

1 Answer

You have put a good thought here. But with reference to this question's answer:

Is it possible to break CSRF token validation using file_get_contents in PHP

Even if someone scrapes and extracts the CSRF token, he will need another HTTP request, which in return will create another token. So all the effort will be in vain.

Note: I have put it in the answer section because I don't have enough reputation to put it in comments. Thanks.

Muhammad Imran
  • This is not true because if the CSRF token would change on every request you would not even be able to re-use the CSRF token for an AJAX request, since that would be a second request. Let's say you even perform multiple AJAX requests, that would be impossible. You can clearly see that the CSRF token is being generated once per session in Laravel as well. – Stephan-v Apr 13 '17 at 13:17
  • So your point says that if I get the token through scraping I can make another request with the same token and play around with whatever I want. Right? – Muhammad Imran Apr 13 '17 at 13:22
  • This is how Laravel has set it up, yes. The same goes for Symfony I think. The CSRF token is still unique per user though and does require an active session to be in place. – Stephan-v Apr 13 '17 at 13:37
  • Of course but it will always be a trade-off between security and flexibility. – Stephan-v Apr 13 '17 at 14:46
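
The per-session behaviour discussed in this thread, as an added example that is not part of the original posts and is not Laravel's own code: a minimal token store showing that one token serves several requests in the same session, while a request without a token, or with a token issued to a different session, is rejected. `SessionStore` and its methods are hypothetical names, and the in-memory array stands in for real session storage.

```php
<?php
// Added illustration (not Laravel's implementation): per-session CSRF token.
// SessionStore, start(), token() and verify() are hypothetical names.

final class SessionStore
{
    /** @var array<string, string> session id => CSRF token */
    private array $tokens = [];

    // Start a session and issue its token once, as a per-session scheme does.
    public function start(): string
    {
        $sessionId = bin2hex(random_bytes(16));
        $this->tokens[$sessionId] = bin2hex(random_bytes(32));
        return $sessionId;
    }

    // Value a page would embed in <meta name="csrf-token"> for this session.
    public function token(string $sessionId): string
    {
        return $this->tokens[$sessionId];
    }

    // Accept a state-changing request only if the submitted token equals the
    // token bound to the session cookie that arrived with the request.
    public function verify(string $sessionId, ?string $submitted): bool
    {
        $expected = $this->tokens[$sessionId] ?? null;
        return is_string($expected) && is_string($submitted)
            && hash_equals($expected, $submitted); // constant-time comparison
    }
}

$store   = new SessionStore();
$user    = $store->start(); // logged-in user's session
$scraper = $store->start(); // separate session held by whoever scrapes the page

$pageToken = $store->token($user);
$cases = [
    'first AJAX request from the user\'s own page'  => $store->verify($user, $pageToken),
    'second AJAX request reusing the same token'    => $store->verify($user, $pageToken),
    'cross-site request carrying only the cookie'   => $store->verify($user, null),
    'token scraped in a different session'          => $store->verify($user, $store->token($scraper)),
];
foreach ($cases as $label => $accepted) {
    printf("%-46s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```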