Message from JavaScript discussions
January 2018
— So if I receive a csrf I take the token and blacklist it
Yeah, you can detect CSRF attempts sometimes. If your server gets the jwt for example, but not any other tokens like CSRF tokens, then the server can know that something is wrong and blacklist that jwt
— img tag should be injected somehow first, right? To steal the cookie
— No
— Attacker will never need to ever see or steal it
— CSRF relies on the fact that the browser auto-sends the cookie, so the attacker must simply direct the browser to make a request to your site
— Oh yes, forgot
— Https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) very good read for anyone integrating auth systems into their app
— Even if you don't write any auth code yourself, there are still a lot of places that are easy to accidentally open a hole in the app infrastructure
— Thanks
— "Prevention measures that do NOT work" is a good section
— (cookie1=expires in 6h)(cookie2=expires in a week)(cookie3=expires in a month)... so if img got these, attacker gets 3 cookies and tries to access site next day, session doesn't work, see