What if I can copy that cookie (samesite) in developer tools from
legitimate-site.com <http://legitimate-site.com> and create a new cookie for
malicious-site.com <http://malicious-site.com> using developer tools. After I
do that I make a request. Will it be successful?
I think it would probably work. (This is not a security issue, though, since the
user agrees. The problem is when malicious-site.com tries to do something to
legitimate-site.com using the user's credentials without the user knowing.)
Antonis Christofides
+30-6979924665 (mobile)
On 01/07/2021 01.48, Patrice Chaula wrote:
What if I can copy that cookie (samesite) in developer tools from
legitimate-site.com <http://legitimate-site.com> and create a new cookie for
malicious-site.com <http://malicious-site.com> using developer tools. After I
do that I make a request. Will it be successful?
On Wed, Jun 30, 2021, 3:43 PM Antonis Christofides
<anto...@antonischristofides.com <mailto:anto...@antonischristofides.com>> wrote:
Django does not store csrftoken on the server.
Django provides the csrftoken in two places: 1) The cookie; 2) A hidden
form field.
When the browser makes a POST request, then:
1. It sends back the cookie anyway (that's what cookies do)
2. It submits the csrftoken as a form field (or as the X-CSRFToken HTTP
header in case of AJAX).
All Django does after that is verify that the token it receives with (2)
is the same as the token it receives with (1).
Why this helps? Because the attack it is designed to mitigate is one where
you visit malicious-site.com <http://malicious-site.com> which contains
the following:
<form method="post" target="https://legitimate-site.com";
<https://legitimate-site.com>>
<input type="hidden" name="somename" value="somevalue">
<!-- More hidden fields that, if submitted successfully to
legitimate-site.com <http://legitimate-site.com>, will cause data loss or
other problem -->
<input type="submit" value="A message that pretends that when you
click here something else is going to happen">
</form>
For this attack to succeed, malicious-site.com <http://malicious-site.com>
would need to specify a csrftoken as, say, a hidden form field (which is
possible) AND provide the same token through a cookie. This is not
possible. malicious-site.com <http://malicious-site.com> can't set cookies
of another site. The post request may indeed send a csrftoken as a cookie
to legitimate-site.com <http://legitimate-site.com>, but this will be the
csrftoken received the previous time the user visited legitimate-site.com
<http://legitimate-site.com>. It will not be the same as the csrftoken
sent as a hidden field, because malicious-site.com
<http://malicious-site.com> can't read cookies of another site, so it
can't possibly read that cookie and set the hidden field to its value.
Antonis Christofides
+30-6979924665 (mobile)
On 30/06/2021 15.14, Patrice Chaula wrote:
In django you can either obtain a `csrftoken` from a cookie. Or the form
can generate a nonce `csrftoken`. How does django validate both and where
are they stored on the server. Are they stored as part of the session?
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to django-users+unsubscr...@googlegroups.com
<mailto:django-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/83f3da74-ecbc-4197-9627-0c9ab9e8492fn%40googlegroups.com
<https://groups.google.com/d/msgid/django-users/83f3da74-ecbc-4197-9627-0c9ab9e8492fn%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to django-users+unsubscr...@googlegroups.com
<mailto:django-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/7732c858-fd8c-53de-9a0f-99ae704ae4c6%40antonischristofides.com
<https://groups.google.com/d/msgid/django-users/7732c858-fd8c-53de-9a0f-99ae704ae4c6%40antonischristofides.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to django-users+unsubscr...@googlegroups.com
<mailto:django-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/CAE%3DG6DY1gG71vdqEUiax%3DQqfuqukC%3Dyi-qo9zKnwyra4i3ujDw%40mail.gmail.com
<https://groups.google.com/d/msgid/django-users/CAE%3DG6DY1gG71vdqEUiax%3DQqfuqukC%3Dyi-qo9zKnwyra4i3ujDw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups "Django
users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/af840a8d-5baa-dbed-faea-86d6e787be41%40antonischristofides.com.
