I run ASP ARF tokens in my MVC3 web application and have read about how the CSRF exploit works and how ARF tokens protect against it. Now I am wondering whether hackers could get around the ARF check with an extra step. A typical CSRF script looks like this:
- Create a website (we call it HackerSite) that targets the BankingSite website
- Use social engineering (or XSS in advertising, etc.) to get the user to visit the HackerSite website
- A script on HackerSite will POST to BankSite using the user's cookies / credentials, thus acting under his / her name
Thanks to our ARF token, BankSite knows to ignore the POST coming from the HackerSite website, because it lacks the right ARF token. Can someone tell me why a hacker couldn't just get a token by first executing a GET request on the banking site? Like this:
- Create a website (we call it HackerSite) that targets the BankingSite website
- Use social engineering (or XSS in advertising, etc.) to get the user to visit the HackerSite website
- A script on HackerSite will execute a GET request and grab the ARF token from the HTML in the response; this request will also set the ARF token in the user's cookie
- A second script on HackerSite will POST to the BankingSite website using the captured ARF token + the user's cookie / credentials, thus acting under his / her name
Does anyone know what I'm missing here, and how does ARF protect against such an attack?
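The two properties that defeat the second scenario are the same-origin policy (a script on HackerSite can make the browser send a GET to the bank, but it cannot read the HTML that comes back, so it never sees the form token) and the pairing of the form token with the cookie token (a form token the attacker obtained from their own session does not validate against the victim's cookie). The following is an added simulation written for this page, not code from the poster and not ASP.NET's actual anti-forgery implementation; it models the server check as an HMAC binding the form token to the cookie token (a simplification of the real scheme) and models the browser as a cookie jar plus the same-origin rule. All origins, keys and function names are constructed for the example.

```python
"""Constructed model of why a cross-site GET cannot be used to harvest an anti-forgery
token, and why a token from a different session does not validate.

Simplified simulation for illustration; not the ASP.NET MVC implementation.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed demo values, not real secrets or hosts.
SERVER_KEY = b"constructed-demo-server-key"
BANK_ORIGIN = "https://bankingsite.example"
ATTACKER_ORIGIN = "https://hackersite.example"


def issue_tokens(server_key: bytes = SERVER_KEY) -> Tuple[str, str]:
    """Server side: mint a random cookie token and a form token bound to it.

    The cookie token is sent as a cookie; the form token is embedded in the HTML.
    Only code that can read the HTML ever learns the form token.
    """
    cookie_token = secrets.token_hex(16)
    form_token = hmac.new(server_key, cookie_token.encode(), hashlib.sha256).hexdigest()
    return cookie_token, form_token


def validate_tokens(cookie_token: Optional[str], form_token: Optional[str],
                    server_key: bytes = SERVER_KEY) -> bool:
    """Server side: accept a POST only if both halves are present and paired."""
    if not cookie_token or not form_token:
        return False
    expected = hmac.new(server_key, cookie_token.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, form_token)


class Browser:
    """Minimal browser model: one cookie jar keyed by origin, plus the same-origin rule."""

    def __init__(self) -> None:
        self.cookies = {}  # origin -> anti-forgery cookie token

    def script_get(self, script_origin: str, target_origin: str) -> Optional[str]:
        """A script running on script_origin makes the browser GET target_origin.

        The target's cookie is set as the server responds (that part of the
        scenario is real), but the response body is readable by the script only
        when the request is same-origin. Cross-origin, the script sees nothing.
        """
        cookie_token, form_token = issue_tokens()
        self.cookies[target_origin] = cookie_token
        if script_origin == target_origin:
            return form_token      # same origin: script can parse the HTML
        return None                # same-origin policy: opaque response

    def script_post(self, target_origin: str, form_token: Optional[str]) -> bool:
        """The script submits a POST; the browser attaches target_origin's cookies
        automatically, which is exactly what makes CSRF a concern."""
        return validate_tokens(self.cookies.get(target_origin), form_token)


def legitimate_flow() -> bool:
    """The bank's own page loads the form and posts it back: both halves pair."""
    browser = Browser()
    form_token = browser.script_get(BANK_ORIGIN, BANK_ORIGIN)
    return browser.script_post(BANK_ORIGIN, form_token)


def cross_site_flow() -> bool:
    """The scenario from the question: HackerSite GETs the bank first, then POSTs."""
    browser = Browser()
    harvested = browser.script_get(ATTACKER_ORIGIN, BANK_ORIGIN)  # None: body unreadable
    return browser.script_post(BANK_ORIGIN, harvested)


def cross_site_flow_with_attackers_own_token() -> bool:
    """Attacker fetches a form token in their own session and replays it
    against the victim's cookie: the two halves come from different sessions."""
    _attacker_cookie, attacker_form_token = issue_tokens()
    browser = Browser()
    browser.script_get(ATTACKER_ORIGIN, BANK_ORIGIN)  # victim's cookie is set
    return browser.script_post(BANK_ORIGIN, attacker_form_token)


if __name__ == "__main__":
    print("legitimate POST accepted:", legitimate_flow())               # True
    print("cross-site GET-then-POST accepted:", cross_site_flow())      # False
    print("attacker's own token accepted:",
          cross_site_flow_with_attackers_own_token())                   # False
```

The model deliberately refreshes the cookie on every GET; the outcome does not depend on that detail, because the cross-site script never obtains a form token at all, and a token from another session fails the pairing check regardless of which cookie the victim holds.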