csrf_token displayed as a URL parameter

Is it okay that a website displays the csrf_token as a URL parameter? I have a feeling that I shouldn't be able to see it, but I am not quite sure. If someone can clear this up a bit, I would be grateful!

Sayed Alesawy Avatar asked Oct 19 '25 05:10

2 Answers

No, it's not acceptable.

Passing tokens in URLs isn't normally an acceptable solution. Actually, in some cases it's considered a vulnerability.

What if the website isn't running under HTTPS?

What if it's running under HTTPS but HSTS isn't enabled on the server? Then SSL-stripping techniques and other MITM attacks would be possible.

Even if it's running under HTTPS and HSTS is enabled that won't solve the issue.

The token could be exposed in:

  • Referer Header
  • Web Logs
  • Shared Systems
  • Browser History
  • Browser Cache

For more information refer to:

Information exposure through query strings in url

OWASP CSRF Cheatsheet

shawkyz1 Avatar answered Oct 22 '25 00:10

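The answer above lists the places a token in the query string ends up: access logs, the Referer header, shared systems and browser history. The following added example (not part of the original answer) makes that concrete from the defender's side: it scans a few constructed web-server access log lines and an outbound Referer value for anti-CSRF parameters, and shows how to redact such a URL before it is stored. The parameter names in TOKEN_PARAMS and all log lines, hostnames and token values are assumptions made up for this illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Query parameter names that commonly carry anti-CSRF tokens (assumed list; extend as needed).
TOKEN_PARAMS = {"csrf_token", "_token", "csrfmiddlewaretoken", "authenticity_token"}

# Constructed sample data for this example: Apache/nginx-style access log lines and one
# Referer header a browser would send when the page with the token links to another site.
ACCESS_LOG = [
    '10.0.0.5 - - [19/Oct/2025:05:10:01 +0000] "GET /account/delete?csrf_token=7f3a9c1e2b4d HTTP/1.1" 302 0',
    '10.0.0.6 - - [19/Oct/2025:05:10:02 +0000] "GET /static/app.js HTTP/1.1" 200 1024',
    '10.0.0.7 - - [19/Oct/2025:05:10:03 +0000] "POST /account/delete HTTP/1.1" 302 0',
]
OUTBOUND_REFERER = "https://app.example/settings?csrf_token=7f3a9c1e2b4d&tab=security"

# First line of an HTTP request as it appears inside the quotes of a common log format entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def tokens_in_url(url: str) -> dict:
    """Return {param: value} for every anti-CSRF token carried in the URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items() if name in TOKEN_PARAMS}


def scan_access_log(lines) -> list:
    """Return (line_number, method, param, value) for each request whose URL exposes a token.

    A POST with the token in the body does not appear here: the log only records the
    request line, which is exactly why the query string is the wrong place for the token.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        for param, value in tokens_in_url(match["target"]).items():
            findings.append((number, match["method"], param, value))
    return findings


def redact_url(url: str) -> str:
    """Replace token values in the query string so the URL can be logged or stored safely."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(name, "REDACTED" if name in TOKEN_PARAMS else value) for name, value in pairs]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


if __name__ == "__main__":
    for number, method, param, value in scan_access_log(ACCESS_LOG):
        print(f"access log line {number}: {method} request leaks {param}={value}")
    print("Referer leaks:", tokens_in_url(OUTBOUND_REFERER))
    print("Stored as:", redact_url(OUTBOUND_REFERER))
```

Running it reports line 1 of the log and the Referer as leaking the same token, while the POST on line 3 reveals nothing; redact_url is what you would apply before writing a URL to a log or a trace so that the stored copy no longer contains the secret.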
The typical characteristics of a CSRF Token are as follows:

  • Unique per user session
  • Large random value
  • Generated by a cryptographically secure random number generator

CSRF tokens in GET requests are potentially leaked at several locations: browser history, HTTP log files, network appliances that make a point of logging the first line of an HTTP request, and Referer headers if the protected site links to an external site, so it is not recommended.

fcerullo Avatar answered Oct 21 '25 23:10

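The answer above describes the properties a CSRF token should have and why it must not travel in a GET URL. The following added example (not from the original answer or any framework) shows the server side of that advice in plain Python: a token drawn from a CSPRNG, bound to one session, accepted only from a hidden form field or a custom header, compared in constant time, and deliberately ignored if it shows up in the query string. The in-memory SESSIONS dictionary, the session ids and the header name X-CSRF-Token are assumptions made for the illustration.

```python
import hmac
import secrets

# Hypothetical session store for the example: session id -> per-session data.
SESSIONS: dict = {}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_id: str) -> str:
    """Create a token unique to this session from a cryptographically secure RNG.

    32 random bytes give 256 bits of entropy; token_urlsafe encodes them for use in a
    hidden form field or header. Calling this again rotates the session's token.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token


def csrf_protected(session_id: str, method: str, query: dict, form: dict, headers: dict) -> bool:
    """Decide whether a request may proceed under the synchronizer token pattern.

    Safe methods need no token because they must not change state. For any other method the
    token must come from the request body (hidden form field) or the X-CSRF-Token header.
    The query string is never consulted: a token placed there leaks via Referer headers,
    browser history and server logs, so accepting it would reward the insecure form.
    """
    if method in SAFE_METHODS:
        return True
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    if expected is None:
        return False
    presented = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not presented:
        return False
    # Constant-time comparison so response timing does not leak how many characters matched.
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    token = issue_token("session-A")
    print("token for session-A:", token)
    print("POST with hidden field:  ", csrf_protected("session-A", "POST", {}, {"csrf_token": token}, {}))
    print("POST with header:        ", csrf_protected("session-A", "POST", {}, {}, {"X-CSRF-Token": token}))
    print("POST with token in query:", csrf_protected("session-A", "POST", {"csrf_token": token}, {}, {}))
    print("POST from other session: ", csrf_protected("session-B", "POST", {}, {"csrf_token": token}, {}))
```

The query-string case is rejected even though the token value is correct, which is the behaviour to aim for: a token that is only ever read from the body or a header has no reason to appear in a URL, so there is nothing for logs, history or Referer headers to capture.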