We always use csrf_token in Django forms, and it generated dynamically. If capture my session with fiddler and try to submit my form without that token I get a 403 error. But what I don't understand is I can use fiddler to submit as much data as I want with that same token, so I don't understand the security this token does. If someone hacks your forms they can just use the same token.
Am I missing some addition steps to assure that token is always unique?
The CSRF token only ensures that only forms that have originated from trusted domains can be used to POST data back. So it doesn't validate the data or how much data the form sends but if data comes from a form from a legit domain (your site usually). Hence the name: Cross Site Request Forgery protection.
From the docs:
The CSRF token is changed each time a user logs in.
“Stealing” or modifying your own token using Firebug, Chrome dev tools, etc. isn’t a vulnerability.
An attacker cannot steal a user’s browser’s CSRF cookie.
If someone has access (through an man-in-the-middle attack or xss) to your csrftoken cookie, then this is a vulnerability:
The CSRF protection cannot protect against man-in-the-middle attacks, so use HTTPS with HTTP Strict Transport Security. It also assumes validation of the HOST header and that there aren’t any cross-site scripting vulnerabilities on your site (because XSS vulnerabilities already let an attacker do anything a CSRF vulnerability allows and much worse).
Then your app prepare the form, Django use the csrf token for current user session. So, hacker could hack only form generated for their own login.
To emulate atack you could try to open the form session, type something and when change your SECRET_KEY in settings, reload server and submit form data.
Now you've got the csrf error message, becouse csrf token depend on SECRET_KEY.
Read more in docs
