
I am reading a CSRF attack explanation, but I'm confused about how adding a CSRF token prevents it.

Suppose this scenario: a bank website adds a CSRF token to all its transaction forms. A user has an active session and opens a phishing website.

The phishing website secretly sends a GET request to the bank website to get the form, and extracts the CSRF token.

Then the phishing website generates a fake POST request for a transaction and passes the CSRF token in.

Since the user is in the same active session, the CSRF token is unchanged. Wouldn't this break the CSRF attack prevention scheme?

Byron

1 Answer


The CSRF token is tied to the user's particular browser. The phishing website cannot grab the CSRF token from the user's browser unless the user's browser has a serious issue.

This question has already been answered in more detail here:

What is a CSRF token? What is its importance and how does it work?
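To make the answer's point concrete, here is an added example (not code from the question or the answer) modelling the scenario in the question: the bank binds its token to the session cookie, and the browser's same-origin policy lets a cross-origin page send a request with the user's cookie but not read the response body, so the phishing page never obtains the victim's token. Origins, session ids and the form layout are constructed for the example; the token scheme is an HMAC of the session id, one common implementation, not necessarily the one the linked answer describes.

```python
import hashlib
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"      # constructed origin
SERVER_SECRET = secrets.token_bytes(32)    # bank's private signing key

def issue_token(session_id: str) -> str:
    """Token the bank embeds in its form, bound to one session cookie."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def verify_post(cookie_session_id: str, posted_token) -> bool:
    """Server-side check: the posted token must match the cookie's session."""
    if posted_token is None:
        return False
    return hmac.compare_digest(issue_token(cookie_session_id), posted_token)

def browser_fetch_form(page_origin: str, session_cookie: str):
    """Model of the browser: a cross-origin page can *send* a request that
    carries the user's cookie, but the same-origin policy stops its script
    from *reading* the response body, so the token inside never reaches it."""
    form_html = f'<input name="csrf" value="{issue_token(session_cookie)}">'
    if page_origin == BANK_ORIGIN:
        return form_html
    return None  # opaque to the phishing page's script

def extract_token(form_html):
    """What a page's script can pull out of a form it was allowed to read."""
    if form_html is None:
        return None
    return form_html.split('value="')[1].rstrip('">')

def legit_transfer(victim_session: str) -> bool:
    """The bank's own page reads its form and posts the token back."""
    token = extract_token(browser_fetch_form(BANK_ORIGIN, victim_session))
    return verify_post(victim_session, token)

def phishing_transfer(victim_session: str) -> bool:
    """The scenario from the question: the phishing page fetches the form
    in the victim's session, then forges the POST with whatever it read."""
    token = extract_token(browser_fetch_form("https://evil.example", victim_session))
    return verify_post(victim_session, token)  # token is None -> rejected

def phishing_with_own_token(victim_session: str, attacker_session: str) -> bool:
    """Attacker reads a token from their own session and replays it; the
    forged POST still carries the victim's cookie, so it does not match."""
    token = issue_token(attacker_session)
    return verify_post(victim_session, token)
```

The rejected cases are where a server should log the request (session id, origin, missing or mismatched token) since a burst of them is a useful detection signal.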