科技回声

Breaking Hacker News's CSRF Protections

13 points, by heynk, almost 12 years ago

7 comments

charliesome, almost 12 years ago

CSRF protection is not about preventing bots from interacting with your site - it's about protecting your site from other sites (hence the name - cross site request forgery).

Without the hidden 'fnid' input, it would be possible for other sites to vote on and post content to Hacker News on your behalf without your consent.
etc_passwd, almost 12 years ago

CSRF tokens are designed to protect users from CSRF attacks from other sites. The example you posted requires the username and password, which renders the token anyways. A cross-domain post to HN from a rogue site will not be able to know the CSRF token since it does not have knowledge of your SID, rendering this attack not viable in practice.

More Info: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
c4urself, almost 12 years ago

You're misunderstanding how CSRF works. Say a user is logged in to the site JoeNotProtectedByCSRF.tld with a session cookie or similar authentication token. SpammySite.tld comes along with a form to POST a change to some value on JoeNotProtectedByCSRF.tld, such as a password field. Because your browser always sends along the cookies to the end domain, your session cookie will be abused. With a check against a unique-to-the-user CSRF token as a hidden input on the form this doesn't happen.
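The mechanism c4urself describes, worked through as an added example that is not part of this thread or of Hacker News's own code: the browser attaches the session cookie to any POST, whoever built the form, so the server additionally demands a per-session token that only its own pages can embed (the role of HN's hidden 'fnid' input). The in-memory session store, the change-password route and the field names are constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory session store: cookie value -> session record.
# Assumption: one random CSRF token is minted per session at login.
SESSIONS: dict = {}


def login(user: str) -> str:
    """Log a user in; returns the session cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> dict:
    """Server-rendered form: the hidden input carries the per-session token
    (what HN's hidden 'fnid' input does). Only a page served to this session
    sees it; same-origin policy keeps SpammySite.tld from reading it."""
    return {"csrf": SESSIONS[sid]["csrf"], "new_password": ""}


def handle_post(cookies: dict, form: dict, require_token: bool = True):
    """Handle the change-password POST.
    cookies: sent by the browser automatically, whoever built the form.
    form: fields from the submitting page, which may be the attacker's.
    require_token=False models JoeNotProtectedByCSRF.tld (no token check)."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 401, "not logged in"
    if require_token:
        supplied = form.get("csrf", "")
        # Constant-time compare so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
            return 403, "missing or wrong CSRF token: request rejected"
    session["password"] = form.get("new_password", "")
    return 200, "password changed for " + session["user"]


if __name__ == "__main__":
    sid = login("joe")
    good = render_form(sid)
    good["new_password"] = "hunter2"
    print(handle_post({"sid": sid}, good))                         # 200: legitimate form
    # Form built on SpammySite.tld: the cookie rides along, the token is unknown.
    forged = {"new_password": "pwned"}
    print(handle_post({"sid": sid}, forged))                       # 403: token check holds
    print(handle_post({"sid": sid}, forged, require_token=False))  # 200: no protection
```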
psychotik, almost 12 years ago

I think you misunderstand what csrf is. Here it is in layman terms: http://crazyviraj.blogspot.com/2009/10/xsrfcsrf-attacks-in-non-geek-speak.html
typicalrunt, almost 12 years ago

Hopefully the author is reading this. And please spare the downvotes, I'm trying to help without laying any judgement.

Please fix the spelling in the sidebar.

"Recieve a digest of my best content every month about software, startups, and life."

"Recieve" should be "Receive".

Since this is in the sidebar of your site, it stands out and puts a negative spin on the rest of what you have to say. Unfair? Maybe, but this is such a basic error that people will judge you based on such a basic mistake, simply because it will be easily caught by any spell-checker.
heynk, almost 12 years ago

Thanks for pointing out what CSRF protection is meant for, and I certainly agree that I should have used better wording. However, aren't the attacks mentioned (upvoting or similar from another site) protected by same-origin and http-only cookies? Otherwise, a malicious site could use the same techniques mentioned in this post to first obtain an fnid token and then make the same requests.
tshadwell, almost 12 years ago

You've completely misunderstood what CSRF tokens do.