1

Suppose I maintain a anti CSRF token at server side in a session

How am I supposed to pass the token to client side application if my form generation is going to be dynamic(i.e. form will be created after some action has been performed by javascript)

Is there a way to pass the token to javascript so that I can inject the token in the form.

One working way that I found is send a cookie to the browser containing the token which will be then extracted by javascript.

Any suggestions?

Improve this question

2 Answers 2

Reset to default
1

I would suggest starting out from a secure token, and then improving it through JavaScript according to dynamic form Creation.

Eg, like:

<input type="hidden" name="csrftoken" value="hgdillksdbgjksdbkvbskb">

Where the "value" parameter is generated on server-side when page loads.

And then you have a script like:

csrftoken = document.mainform.csrftoken.value;
# Do something with the CSRF token, like add dynamic values, like sha256(csrftoken + "dynamicvalue");
document.mainform.csrftoken.value = csrftoken;

The main idea of this, is to prevent, that even if they manage to get a exploit that would allow a adverisary to read the JavaScript code, they still cannot make up a valid CSRF token, since they cannot read the original "csrftoken" value that was inside the form at page load. This can also be used to "chain" AJAX requests, like that you start out with the token X during page load. Then you transform it to Y using JavaScript, send it in a AJAX request. In the next AJAX request, you can use Y as base in the algoritm, to create Z, and send to the server. A attacker cannot gain access to X, thus they cannot either get access to Y neither Z, even if they would in some way be able to exploit running JavaScript code to reveal itself.

Note that page contents cannot be read by a adversiary due to Same origin policy. But Javascript can contain exploits that would make it possible to read the actual running JavaScript code. Theres no such exploits currently, but better be safe than sorry.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Cannot read original CSRF token? If not using Javascript the CSRF token will be visible in the hidden input anyways.
The idea is that on pageload, the javascript overwrites the input token with a new output token. Preferable using hash functions and such. Thus if a exploit later loads, it will not be able to figure out the original input token.
But if I have a twoway PHP encrytion class for generating CSRF there's no problem. If visible or not, must be not edited. If not, when validate SESSION CSRF and INPUT CSRF will fail. Am I wrong?
0

Sure. If you're dynamically generating the form on the client side then you're doing it from some kind of template. The token should be an argument to that creation function.

Pass the token along to the client at request/render time and then inject it into the form as a hidden element at form generation time.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.