The question I have is whether a CSRF token alone should be enough to make a valid request. I know that the CSRF token should be tied to the session, that is clear. So if the session is invalidated, the CSRF token should be as well. But should a CSRF token alone work? I mean, if I send the CSRF token (in a header) without the session cookie, should my request be accepted?
The reason I ask is: if you have an XSS vulnerability you can steal the CSRF token, and that is normal. But to make any malicious operation you need to do some SE/phishing to encourage a victim to visit your site on which the exploit is contained, or to visit your crafted link on his vulnerable domain (and then cookies are sent automatically when the victim visits the website).
But if a CSRF token alone works, then you could just steal the CSRF token and do the requests yourself without messing with social engineering etc., because you don't need the session cookie.
What am I missing here?
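The check the question is asking about, written out as an added example (not code from the original post): a synchronizer-token implementation where the CSRF token is minted per session and stored server-side, so a request is accepted only when it carries a live session cookie AND the token that belongs to that same session. The in-memory store, the `session` cookie name and the `X-CSRF-Token` header name are assumptions for this example.

```python
import hmac
import secrets

# Constructed in-memory session store for this example: session id -> {"user", "csrf"}.
# A real application would keep this in its session backend.
SESSIONS = {}

def create_session(user):
    """Create a session and mint a CSRF token bound to it (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def invalidate_session(sid):
    """Logging out destroys the session and, with it, the token bound to it."""
    SESSIONS.pop(sid, None)

def check_request(cookies, headers):
    """Return (accepted, reason).

    The token is a proof that the page sending the request could read it,
    not a credential: without the session cookie there is nothing for it to be bound to.
    """
    sid = cookies.get("session")
    if sid is None or sid not in SESSIONS:
        return False, "no valid session cookie"
    token = headers.get("X-CSRF-Token", "")
    expected = SESSIONS[sid]["csrf"]
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(token, expected):
        return False, "csrf token does not match this session"
    return True, "ok"

def demo():
    """Exercise the cases from the question; returns {case: accepted}."""
    alice = create_session("alice")
    token = SESSIONS[alice]["csrf"]
    results = {
        "cookie+token": check_request({"session": alice}, {"X-CSRF-Token": token})[0],
        "token only": check_request({}, {"X-CSRF-Token": token})[0],
        "cookie only": check_request({"session": alice}, {})[0],
    }
    bob = create_session("bob")
    results["cookie+other session's token"] = check_request({"session": bob}, {"X-CSRF-Token": token})[0]
    invalidate_session(alice)
    results["after logout"] = check_request({"session": alice}, {"X-CSRF-Token": token})[0]
    return results

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```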