Tags: security, cookies, csrf

Basic cookie & CSRF question


I'm currently learning more about CSRF and I have a basic question about cookies. From Jeff Atwood's article on CSRF:

"When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same. When an attacker submits a form on behalf of a user, he can only modify the values of the form. An attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can send any value he wants with the form, he will be unable to modify or read the value stored in the cookie."

If cookies are a piece of text stored on a user's computer, how can they not modify/read the value of a cookie?

If they knew the value of the cookie and can see a pseudorandom value hidden in a form, wouldn't they have all they need to perform an attack?

Thanks,


Solution

  • Same-origin policy means that an attacking website is unable to read the cookies from another domain. See http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies

    We're not talking about an attacker who has a rootkit or something of the sort on a user's computer, what CSRF protects from is a malicious server having a user submit a form via a POST request to a domain that the malicious server wants to attack. Because the malicious server can't read the cookie from the target domain, they can't properly fill out the CSRF field for the POST request they're making.
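The double-submit check the answer describes, as an added example that is not part of the original question or answer: the server mints a random token, stores it in a cookie and embeds the same value in the form, and on POST accepts the request only when the two match. The two scenario functions model what the answer explains: in a cross-site request the victim's browser still attaches the victim's cookie, but the attacker's page has to fill in the form field without being able to read that cookie, so the values do not line up. The cookie and field name `csrf_token` and the request strings are constructed for this example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs

# Names are an assumption for this example; any fixed cookie/field name works.
CSRF_COOKIE = "csrf_token"
CSRF_FIELD = "csrf_token"


def issue_csrf_token() -> str:
    """Server side: mint an unguessable token; the server sets it as a cookie
    and also writes it into the hidden form field of the page it renders."""
    return secrets.token_urlsafe(32)


def extract_cookie_token(cookie_header: str) -> Optional[str]:
    """Pull the CSRF cookie out of a raw Cookie request header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(CSRF_COOKIE)
    return morsel.value if morsel else None


def extract_form_token(body: str) -> Optional[str]:
    """Pull the CSRF field out of a urlencoded POST body."""
    values = parse_qs(body, keep_blank_values=True).get(CSRF_FIELD)
    return values[0] if values else None


def is_valid_post(cookie_header: str, body: str) -> bool:
    """The check from the quoted article: cookie value and form value must agree.
    Missing either one is a rejection, and the comparison is constant-time."""
    cookie_token = extract_cookie_token(cookie_header)
    form_token = extract_form_token(body)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def scenario_legitimate() -> bool:
    """The user's own browser submits the form the server rendered:
    the browser sends the cookie, and the form carries the same token."""
    token = issue_csrf_token()
    cookie_header = f"session=abc123; {CSRF_COOKIE}={token}"   # constructed
    body = f"amount=100&to=savings&{CSRF_FIELD}={token}"        # constructed
    return is_valid_post(cookie_header, body)


def scenario_cross_site() -> bool:
    """A page on another origin auto-submits a form to the target site.
    The victim's browser still attaches the victim's cookie, but the other
    origin cannot read that cookie, so its form field holds some other value."""
    victims_token = issue_csrf_token()          # lives only in the victim's cookie
    other_origins_guess = secrets.token_urlsafe(32)  # the best another site can do
    cookie_header = f"session=abc123; {CSRF_COOKIE}={victims_token}"      # constructed
    body = f"amount=100&to=savings&{CSRF_FIELD}={other_origins_guess}"   # constructed
    return is_valid_post(cookie_header, body)


if __name__ == "__main__":
    print("same-origin submit accepted:", scenario_legitimate())   # True
    print("cross-site submit accepted:", scenario_cross_site())    # False
```

Two details matter for the check to hold: the token has to be unpredictable (here 32 random bytes), because the cross-site page is free to put any value it likes in the form and would otherwise just compute the right one, and the comparison should be constant-time so the server does not leak the cookie value through timing.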