how to generate and validate csrf tokens
18,535
All token-based CSRF protections can be defeated with XSS, which is what you seem to "have been able to gather". This will be a good read for you: OWASP on CSRF
Related videos on Youtube
04 : 52
046 Anti forgery Tokens
09 : 08
Code Token Trong PHP Phòng Chống Tấn Công CSRF
14 : 11
Cross-Site Request Forgery (CSRF) Explained
17 : 20
Cross-site request forgery | How csrf Token Works
08 : 28
(48) What is CSRF Token in Laravel | Why we use csrf token | Csrf stand for
![[QUESTION] How can I call a POST endpoint from Postman with CSRF protection enabled?](https://i.ytimg.com/vi/kRGJraWoCxk/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLC3tsBPjY6C5bGDCX6meEWwK3RXQQ)
18 : 06
[QUESTION] How can I call a POST endpoint from Postman with CSRF protection enabled?
14 : 11
How to Protect Forms with CSRF Tokens in PHP 8/8
05 : 27
CSRF token validation on method bypass
03 : 49
CSRF where token validation depends on request method (Video solution, Audio)
Author by
Amit
Updated on June 04, 2022Comments
-
Amit about 2 years
what is the best way to generate a csrf token and verify. From what i have been able to gather, even if you have a hidden form field in a "post" form a hacker can simply get that form using ajax, take the csrf token and send another request to the site to submit the form.
And if we are to check the headers sent to us... then the hacker could simply send the csrf token to a server side script that will then emulate the http headers.
So how does one actually generate and verify csrf tokens?
-
Amit about 13 yearsso if i tackle the XSS on my site, I will be able to use token based CSRF prevention?
-
e.dan about 13 yearsBasically yes, but it is by no means trivial to get it right. If you follow the guidelines in that link, you'll be in pretty good shape.