CSRF prevention mechanism in form submit

RE: CSRF prevention mechanism in form submit

2018-08-08T10:53:45Z

CSRF protection works differently. Let's say, I craft a URL that adds an admin user for me on site mysite:

Then I sent it to the admin of mysite with reasonable text: "Please look at my comment ...". He clicks on the url and voila -> Admin created!

CSRF prevents an attacker from doing that, he could maybe create a malicious URL or form and trick an admin to click on it. But for some attacker somewhere it is impossible to find out what the CSRF token of the current session of the admin user is.

The token doesn't protect against e.g. injected javascript. It only protects against "tricks from the outside".

RE: CSRF prevention mechanism in form submit

2018-08-08T10:32:45Z

I'm surely missing something in the picture of how CSRF attacks and protections are working. My understanding in a form-submit scenery is the protection rely on a unpredictable token, someway is assumed the attacker can't get the token, why? If the attacker is good enough to make me submit a form (as mentioned by OWASP) what would prevent him from getting the token before submitting? There's a limit on javascript size/syntax that can be injected or is just the assumption I'm using a modern browser with Same-Origin Policy, what am I not seeing?

[url redacted]

CSRF prevention mechanism in form submit

2017-10-31T07:54:41Z

Hi,

I have a form which is getting submitted with processAction. I want to apply CSRF prevention mechanism. Regarding the same i have few quesitons.

1. Do we need to apply CSRF prevention mechanism for processAction or not.
2. If not how would i know that Liferay by default add 'p_auth' key with the url, how can i check that?

Regards
Akash K Jaiswal