I've been playing around with chrome's console.
I found that I can access the textual version of my source code through:
document.scripts[2].outerText
(the number "2" depends on where the main source code is)
after that, all I had to do was:
temp = document.scripts[2].outerText;
temp.indexOf("csrf_token")
and couple of other things to get the csrf_token
Does this mean if I can do xss (or run custom JS on the website), then csrf token can fail?
Thanks in advance :D
Does this mean if I can do xss (or run custom JS on the website), then csrf token can fail?
Yes. If there is a security hole that lets an attacker perform XSS, then CSRF protection can be circumvented (as can many other things).
The trick is to defend against all kinds of attacks. :)