My question is about CSRF tokens, the goal of these tokens, and whether we can fake them.
Problem identity
Let's assume that we have bank.com, which has this URL to make a transaction to an account: bank.com/make-transactions?amount=100USD&to=[accountId]. That link will only be accessible by authenticated users (depending on the SessionID in cookies) from a page that has the transaction form on the bank.com site.
The problem comes when malicious.com puts up a fake form with hidden fields that submits its data to the above URL, causing the SessionID cookie (related to bank.com) to be sent with this submission, and the transaction will be done.
The CSRF solution
This solution depends on generating a token (CSRF token) that is sent with the bank.com page for making a transaction (in a hidden field) and saved in the current user session.
After the user submits data from the transaction page, this token (which will be submitted with the data) will be checked against the CSRF token value in the user session. If they are equal then the transaction is valid; if not, that means something is wrong and the transaction should be rejected.
By this it prevents malicious.com from making transactions by submitting fake requests, because it has no way to get this CSRF token and inject it into the request.
My questions
1- What if malicious.com makes an AJAX request from the user's browser to bank.com (that request will send the bank.com-related cookies, am I right?), extracts the CSRF token from the response, and injects that token into its fake form. Will this fool bank.com with this hijacked token?
2- Can I generate a CSRF token from an AJAX endpoint in a single-page application (let's say, before taking the action, ask the server for a CSRF token and submit this token with the action) or not? (If I can, what should I be aware of?)
Thanks for your time, with my best regards.
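The synchronizer-token check the question describes, written out as an added example (not code from the question or from any real bank.com): a token is generated per session, rendered into the form's hidden field (or handed to a single-page app by a token endpoint), and the submitted value is compared against the session copy. The session dict, `handle_transaction` and the response strings are constructed stand-ins for a framework's session store and view.

```python
import hmac
import secrets
from typing import Optional

SESSION_KEY = "csrf_token"  # where the server keeps the token, per session


def issue_csrf_token(session: dict) -> str:
    """Generate, or reuse, the CSRF token bound to this user's session.

    The value is stored server-side in the session and rendered into the
    transaction form's hidden field, or returned from a token endpoint for a
    single-page app. Reusing one token per session keeps several open tabs
    working; it should still be replaced when the session itself is renewed.
    """
    token = session.get(SESSION_KEY)
    if not token:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session[SESSION_KEY] = token
    return token


def validate_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Compare the submitted token with the session copy in constant time.

    A token issued to a different session (an attacker's own login, say)
    does not match, and a missing token is rejected outright.
    """
    expected = session.get(SESSION_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transaction(session: dict, form: dict) -> str:
    """Constructed stand-in for the bank.com/make-transactions handler."""
    if not session.get("user"):
        return "rejected: not authenticated"
    if not validate_csrf_token(session, form.get("csrf_token")):
        return "rejected: bad CSRF token"
    return f"ok: sent {form['amount']} to {form['to']}"


if __name__ == "__main__":
    alice = {"user": "alice"}                      # constructed session
    token = issue_csrf_token(alice)                 # rendered into the form
    print(handle_transaction(alice, {"amount": "100USD", "to": "ACC-1",
                                     "csrf_token": token}))
    # A cross-site form carries the cookie but not the hidden field:
    print(handle_transaction(alice, {"amount": "100USD", "to": "ACC-9"}))
```

The forged form in the second call fails because the browser's same-origin policy stops malicious.com from reading bank.com's response body, so it never learns the token, while the cookie alone does not pass the check.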