by mike-cardwell 3700 days ago
CSRF is "cross site request forgery". It is an attack. What you are talking about when you start mentioning tokens is presumably the various methods of mitigation that a number of websites use to defend against that particular attack.

A MITM can initiate a CSRF attack, because they can add arbitrary code to the page. Whether or not the target site has protection, and whether or not the attack is successful, does not change the fact that a MITM can launch one. Sites still need to protect against CSRF because there are other methods of launching them, but nonetheless, if all sites were HTTPS and HTTP didn't exist, then that would defend you against a MITM on an untrusted network launching one.

I didn't mean XSS when I said malware injection. I didn't mention XSS and I didn't intend to.