02-26-2016, 02:12 PM
Well, it isn't really "hacks the page" so much as just forges the form. If they tried to forge the form they wouldn't have the right CSRF value, unless they already bugged the client system. In which case, they pwn it anyway.
Of course, a lot of this becomes moot if you're not using SSL to prevent external snooping. Even with the CSRF system in place, if you intercepted the form as it was being transmitted from server to client, they would have the required CSRF value straight from the traffic snoop, and could submit the form using the appropriate CSRF value as long as they did so before the client did.
Like on this WordPress page, all the login credentials get sent in the clear. Doesn't bother me though since I don't reuse passwords except in trivial pages.
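Added example, not part of the original post: a Python sketch of the per-session, single-use CSRF token check the post describes, showing a forged form without the token being rejected and the token being spent by the first valid submission. The class `CsrfGuard`, its methods, and the session id are hypothetical names chosen for illustration.

```python
import hmac
import secrets


class CsrfGuard:
    """Per-session, single-use CSRF tokens (hypothetical illustration)."""

    def __init__(self):
        self._pending = {}  # session_id -> token issued with the last form

    def issue(self, session_id):
        """Called when the server renders the form; the token goes in a hidden field."""
        token = secrets.token_urlsafe(32)
        self._pending[session_id] = token
        return token

    def verify(self, session_id, submitted):
        """Accept a submission only if it carries the unspent token for this session."""
        expected = self._pending.get(session_id)
        if expected is None or not submitted:
            return False
        # Constant-time comparison so the check does not leak how much matched.
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False
        del self._pending[session_id]  # single use: first valid submission spends it
        return True


def demo():
    guard = CsrfGuard()
    sid = "session-abc"        # constructed session identifier
    token = guard.issue(sid)   # value embedded in the form sent to the client

    results = {}
    # A form forged without seeing the server's response has no valid token.
    results["forged_guess"] = guard.verify(sid, "guessed-value")
    results["forged_missing"] = guard.verify(sid, "")
    # The first submission carrying the issued token is accepted.
    results["first_submit"] = guard.verify(sid, token)
    # The same token presented again is rejected because it is already spent.
    results["second_submit"] = guard.verify(sid, token)
    return results


if __name__ == "__main__":
    print(demo())
```

`verify` only checks the value, not who holds it, so the check is only as good as the confidentiality of the form in transit; serving the form and its submission over TLS is what keeps the token private to the client.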