I'm currently learning more about CSRF and I have a basic question about cookies. From Jeff Atwood's article on CSRF:
"When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same. When an attacker submits a form on behalf of a user, he can only modify the values of the form. An attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can send any value he wants with the form, he will be unable to modify or read the value stored in the cookie."
If cookies are a piece of text stored on a user's computer, how can they not modify/read the value of a cookie?
If they knew the value of the cookie and could see a pseudorandom value hidden in a form, wouldn't they have all they need to perform an attack?
Thanks,
Same origin policy means that an attacking website is unable to read the cookies from another domain. See http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
We're not talking about an attacker who has a rootkit or something of the sort on a user's computer; what CSRF protects from is a malicious server having a user submit a form via a POST request to a domain that the malicious server wants to attack. Because the malicious server can't read the cookie from the target domain, they can't properly fill out the CSRF field for the POST request they're making.
What this is referring to is the synchroniser token pattern. What it usually means is that a form contains a hidden field with a value that is unique to that user's session. The same value is stored in a cookie in the user's machine. When the form is submitted, both values are checked for a match.
The advantage of this approach is that if a malicious website attempts to construct a post request to the legitimate website it won't know that hidden form value. It's an altogether more complex process to obtain this.
The attacking site can't read or manipulate the cookie value because it was issued from another domain. More on this (including a worked example) here: OWASP Top 10 for .NET developers part 5: Cross-Site Request Forgery (CSRF)
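The check described in this answer, as an added illustration that is not part of the answer or the linked article: the server mints a random token, places the same value in a cookie and in a hidden form field, and on POST accepts the request only if both match. The cookie and field names, the form action and the `simulate` helper are assumptions made for this example.

```python
import secrets
import hmac
from html import escape

COOKIE_NAME = "csrf_token"   # assumed cookie name
FIELD_NAME = "csrf_token"    # assumed hidden-field name


def issue_token() -> str:
    """Mint an unguessable per-session token (32 random bytes, URL-safe base64)."""
    return secrets.token_urlsafe(32)


def render_form(token: str) -> str:
    """Embed the token as a hidden field; the same value is also set as the cookie."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="{FIELD_NAME}" value="{escape(token)}">'
        '<input type="submit" value="Go"></form>'
    )


def is_valid_request(cookies: dict, form: dict) -> bool:
    """Accept the POST only if cookie token and form token are both present and equal."""
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(FIELD_NAME)
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so response timing does not leak the token
    return hmac.compare_digest(cookie_token, form_token)


def simulate() -> dict:
    """Run the legitimate flow and a cross-site submission against is_valid_request."""
    token = issue_token()
    # Legitimate flow: the browser holds the cookie and submits the matching field
    victim_cookies = {COOKIE_NAME: token}
    legit_form = {FIELD_NAME: token, "amount": "100"}
    # Cross-site submission: the browser still attaches the victim's cookie, but the
    # other origin cannot read it, so the field it fills can only be a guess (constructed)
    foreign_form = {FIELD_NAME: secrets.token_urlsafe(32), "amount": "100"}
    return {
        "legit": is_valid_request(victim_cookies, legit_form),
        "foreign": is_valid_request(victim_cookies, foreign_form),
        "missing": is_valid_request(victim_cookies, {"amount": "100"}),
    }
```

The cookie should also be issued per session and the field name escaped as shown, so a token never leaks into markup unencoded.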